Before you can manage or assign iOS devices to students and teachers, you must set up iOS device management in Intune for Education. Setup connects your Intune for Education account with Apple School Manager. You need to add an MDM Push Certificate and configure at least one enrollment program token (also known as an MDM server token or DEP token). When you complete the setup, you can manage apps and settings on your iOS devices, run reports, troubleshoot conflicts, and give students and teachers secure access to school resources.
This article describes how to:
Add an Apple MDM push certificate.
Configure and sync an enrollment program token.
Configure an Apple Volume Purchase Program (VPP) token.
Requirements
Before you begin, make sure you have:
An internet connection.
Your Apple School Manager account credentials.
Intune for Education device licenses. For more information about device licenses, see Microsoft Intune licensing.
Important
Intune for Education only supports iOS device enrollment for devices set up for Apple automated device enrollment. For more information about how to set up Apple automated device enrollment and Apple School Manager, see Use automated device enrollment (opens Apple Support).
Add an MDM push certificate
An Apple MDM push certificate sets up a secure connection between your Intune and Apple School Manager accounts. When connected, Intune can continually sync and manage your Apple devices and apps.
Sign in to Intune for Education.
Go to Tenant settings.
Expand iOS Device Management, and then select MDM push certificate.
Select Create certificate.
Follow the onscreen instructions:
Select Download to save the certificate signing request file from Intune.
Sign in to Apple Push Certificates Portal to create and download the push certificate file. This step is where you upload the certificate signing request you just downloaded. Use your school's Apple ID to sign in to the portal, not your personal one.
After you download your new push certificate, return to Intune for Education. Next to STEP 3, enter the Apple ID you used to sign in to Apple School Manager.
Upload the Apple push certificate file (.pem).
Select Save to create the certificate in Intune for Education.
The push certificate expires every 365 days. The certificate is needed to connect Intune for Education to your Apple School Manager account, so you must renew it yearly. For more information, see Renew iOS certificate and tokens.
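Because management stops working when the push certificate lapses, it helps to check the expiry of the downloaded .pem file on a schedule. The following is an added example, not part of the original article or of Intune: it assumes the `openssl` command-line tool is installed and that you keep a local copy of the push certificate; the function names, the 30-day warning window, and the throwaway test certificate are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify an Apple MDM push certificate (.pem) by the time
# left before it expires. Function names and thresholds are hypothetical.

# push_cert_status FILE [WARN_DAYS]
# Prints one of: ok, renew-soon, expired, unreadable.
push_cert_status() {
    cert=$1
    warn_days=${2:-30}
    # Anything openssl cannot parse as an X.509 certificate is reported,
    # so a wrong file (for example the CSR) is not mistaken for a valid cert.
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || { echo unreadable; return 0; }
    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$cert" -noout \
            -checkend $((warn_days * 86400)) >/dev/null 2>&1; then
        echo renew-soon
    else
        echo ok
    fi
}

# push_cert_expiry FILE
# Prints the certificate's notAfter date as openssl formats it.
push_cert_expiry() {
    openssl x509 -in "$1" -noout -enddate 2>/dev/null | cut -d= -f2
}

# make_constructed_cert OUT DAYS
# Creates a self-signed certificate valid for DAYS days. This is constructed
# sample input for trying the check; it is not a real Apple push certificate.
make_constructed_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=constructed-push-cert" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1 && rm -f "$1.key"
}

# Usage: sh check_push_cert.sh /path/to/push-certificate.pem
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        printf '%s: %s (notAfter=%s)\n' \
            "$f" "$(push_cert_status "$f" 30)" "$(push_cert_expiry "$f")"
    done
fi
```

Run it from a scheduled job and alert on any result other than `ok`, so that the renewal happens before the 365-day lifetime ends.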
Configure enrollment program token
The enrollment program token, sometimes referred to as a mobile device management (MDM) server token, lets Intune sync device details from Apple School Manager. These details inform Intune of the devices it needs to manage and populate your inventory in Intune for Education.
Before you begin
Before you add a token, decide whether you want to enable Shared iPad. With Shared iPad, students and teachers sign in with their unique managed Apple ID, and their apps and data follow them from device to device. Without it, students can still share devices but user data doesn't move between them. You make this choice during token setup and can't change it afterward.
For more information about Shared iPad and managed Apple IDs, see:
Note
Shared iPad isn't compatible with the Classroom and Schoolwork apps. All other Shared iPad features become available after you set up the enrollment program token.
Add enrollment program token
Go to Tenant Settings.
Expand iOS Device Management, and then select Enrollment program tokens.
Select Add token.
Select how you want to enroll the devices associated with your new server token. Your options:
Users will log in to devices with their Managed Apple IDs: Select this option to configure this token for Shared iPad scenarios. All devices assigned to this token are set up so that users must sign in to them by using a managed Apple ID.
Anyone can unlock these devices. You can set a passcode for each device if you want: Select this option if your school isn't using managed Apple IDs. Students can still share devices but the devices are accessed directly, without the need to sign in. Devices might require a device passcode if you set one.
You can't change this option after you create the token. If you want to change how devices enroll, you must create a new server token.
Select Set up enrollment program token.
Follow the onscreen instructions:
Select a device name prefix. Intune for Education names devices by serial number by default. Example: GWRWDDWFWK8J. In this step, you can add a prefix to device names to help you identify and organize enrolled devices. For example, with the prefix your device name looks like: iPad-GWRWDDWFWK8J
Select Download to save the Intune public key. Later, you upload this key in Apple School Manager.
Select Go to my MDM servers in Apple School Manager to sign in to Apple School Manager. Sign in by using your school or department's Apple ID, not your personal one. If you don't have the MDM server information to complete this step, contact your school's Intune administrator.
Create an MDM server and upload the Intune public key. For more information, see Link to an external device management service in the Apple help documentation.
Note
The server name is for your reference to identify the MDM server. It isn't the name or URL of the Microsoft Intune server.
Generate and download the new server token. This token is the enrollment program token you upload later in Intune.
In Apple School Manager, assign devices to the MDM server. For more information, see the Apple School Manager User Guide.
Your assignment options are:
- Enter the serial number for each device.
- Paste a list of serial numbers from a CSV file.
- Enter the order number for your entire device purchase.
Return to Intune for Education and enter the Apple ID you used to sign in to Apple School Manager.
Upload the enrollment program token.
Select Save to add the token to Intune.
Enrollment program tokens expire every 365 days. You need the token to view and manage your devices in the Intune for Education portal. You must renew it yearly to keep it active.
Device enrollment profile
Intune for Education creates and assigns a default enrollment profile to each enrollment program token you configure.
All iOS devices added to Intune for Education are set to supervised mode. Supervised mode gives you, as an admin, more control over your school's devices. For example, you can push new apps or app updates silently to a device. For a complete list of supervised-only settings, see Configurations requiring supervision.
Intune for Education applies a naming scheme to devices that you enroll with an enrollment program token. The name helps you identify and group individual devices. By default, devices are named with their device serial number. You can also add a custom device name when you set up your enrollment program token.
For more details about enrollment profiles, see the list of settings configured during enrollment.
Sync managed devices
Now that Intune for Education has permission to manage your iOS devices, sync with Apple to view a list of your managed devices.
Go to Enrollment program tokens.
Find the token you created, and then select the link under the Devices ready to enroll column in the same row.
Select Sync device list.
Devices that appear in the list are ready for enrollment. Power them on to start the enrollment process.
Configure VPP tokens
A VPP token links your Intune for Education account to your Apple VPP or Apple School Manager account. You can create a single VPP token to manage apps across the entire organization, or you can create multiple VPP tokens to spread management across different locations or admins.
Intune needs VPP tokens to:
- Sync app details in the Intune for Education portal.
- Assign VPP-purchased apps to groups.
- Silently install VPP-purchased apps on school devices, with no need for the device user's Apple ID.
Without a VPP token, you can still search and get free iOS apps through the App Store. However, to install the app on the device, the device user must sign in with an Apple ID.
Go to Tenant Settings.
Expand iOS Device Management and select VPP Tokens.
Select Add token.
Name the VPP token.
From step 1 to step 4, follow the onscreen instructions to create the token:
Select Go to Apple School Manager Settings to create and download an Apps and Books server token in Apple School Manager.
Sign in to Apple School Manager. Sign in with your school or department's Apple ID, not your personal one.
Configure a new location. For more information, see the Apple School Manager guide from Apple Support.
Download the server token for the location in Apple School Manager.
Return to Intune for Education, and enter the Apple ID you used to sign in to Apple School Manager.
Upload the VPP token file you downloaded in Apple School Manager, then select the region where your devices are.
Enable or disable automatic app updates.
Select Save to add the token to Intune.
Tokens expire every 365 days. Tokens are needed to manage VPP-purchased apps, so you must renew them yearly to keep them active.
Next steps
Purchase free apps from the App Store, or add your VPP-purchased apps to Intune for Education.
