Automated Device Enrollment (ADE) allows you to perform zero-touch deployment for Apple devices by integrating with Apple Business Manager (ABM).
What is Apple Business Manager (ABM)?
Apple Business Manager is Apple’s web-based portal that organizations use to purchase devices, manage device ownership, and assign devices to an MDM server. It also manages app licenses through Apple’s Volume Purchase Program (VPP). When integrated with SuperOps, ABM allows devices purchased through Apple to be automatically assigned to your MDM server and enrolled during first setup.
Note: SuperOps uses a hybrid approach to manage Mac devices. As part of this model, both Apple MDM and the SuperOps RMM agent work together to provide management and control. Once a Mac is enrolled through MDM, the SuperOps RMM agent is automatically installed on the device.
Before you begin managing Mac devices, refer to this article on how Mac devices in SuperOps are managed using the hybrid RMM and MDM approach.
Prerequisites
Ensure the Apple Push Notification (APNs) certificate is configured before starting the enrollment process.
You must have access to Apple Business Manager to complete the setup.
Step 1: Create or select an ADE profile
Before we start with the enrollment process, you can define the ADE profile for the devices you're looking to enroll. You can configure this under Settings->Policy Management-> Mac Workstation policy / Mac Server policy and create your ADE profile
Step 2 : ADE enrollment
Now, let's begin the process of setting up zero-touch, automated enrollment for devices managed through Apple Business Manager.
To configure ADE, navigate to the Settings-> MDM Configurations.
Under the Automated Device Enrollment section, click Setup ADE to begin the integration process.
The first step in the 'Setup ADE' window is to download the public key. Click Download public key to save the file to your computer. You will need this file for the next steps in the Apple Business Manager portal.
Step 3: Configuring Apple Business Manager (ABM)
Next, you'll need to log in to your ABM account to create an MDM server and link it to SuperOps.
In your Apple Business Manager account, click on the profile name in the bottom-left corner and select Preferences.
Next to 'Device Management Services', click Add to create a new MDM server.
Enter a name for your new MDM server, such as 'SuperOps MDM'. Then, click to upload the public key file you downloaded from SuperOps.
4. After uploading the key, click Save. Your new MDM server is now created. Download the token provided on the top. This needs to be uploaded into SuperOps's ADE configuration page
Step 4 : Finalizing ADE Setup in SuperOps
Return to SuperOps to complete the connection using the token from ABM.
In the SuperOps 'Setup ADE' window, upload the server token file (.p7m) you just downloaded from Apple Business Manager.
Fill in the required contact details. The email address and phone number you enter here will appear on users’ devices during enrollment, so they can reach out if they need assistance.
Step 5 : Assigning devices to Device Management Services
Log in to your Apple Business Manager account to configure device sync with SuperOps. Devices assigned to the MDM server will automatically sync to SuperOps.
To automatically assign new devices to this MDM server, navigate to Management Assignment in the left-hand menu.
Here, you can set the default assignment for Mac devices. Select your newly created 'SuperOps MDM' server for "Mac"
If you would like to sync specific existing devices, you can manually assign them. Navigate to the Devices tab, select the required device, open the actions menu and choose Assign device management.
In the assignment window, select 'SuperOps MDM' from the dropdown list and click Continue.
Managing Enrolled Devices
Once the setup is complete, you can view and manage your devices synced from ABM under 'Map Devices'. Devices from your ABM get synced every 24 hours. Alternatively, you can also manually click Sync Devices to fetch the latest list of devices from your Apple Business Manager account.
Device Enrollment States in SuperOps
When devices are synced from Apple Business Manager (ABM), they appear in one of the following enrollment states within SuperOps:
All Devices
Displays a complete list of all devices that have been synced from Apple Business Manager, regardless of their enrollment status.
Yet to Enroll
Devices that have been synced but are not yet ready for enrollment. You will need to fill in the required details to ensure the device is associated with the correct parameters once it is enrolled. The ADE profile will be assigned to the devices based on the policy associated
Ready for Enrollment
Devices in this state have been assigned an ADE profile and a policy set and are awaiting completion of the enrollment process. Admins can review this list to track which devices are pending final activation.
Enrolled
Devices that have successfully completed enrollment and are now connected to SuperOps. These devices are fully managed and ready for monitoring and policy enforcement.
Moving devices to "Ready for enrollment
To prepare a device for enrollment, filter by Yet to Enroll. This displays devices that have been synced from Apple Business Manager but are not yet fully configured for enrollment in SuperOps. Fill in the required columns.
Select the checkbox next to one or more devices and click Mark as ready for enrollment.
To view devices that are now configured and waiting for the user to unbox and activate them, filter the list by Ready for Enrollment.
To see devices that have successfully completed the enrollment process and are now managed by SuperOps, filter the list by Enrolled.
Renewing your ABM token.
To ensure uninterrupted communication with enrolled Mac devices, your ABM token must be renewed before it expires.
This link provides a detailed instructions on how you can renew your token.
Next Steps
Now that your Apple devices are enrolled via ADE, they are ready for management. You can begin applying policies to enforce security settings, deploy software, and monitor device health.