Set up a macOS ADE token

Applies to macOS

An enrollment program token (sometimes called an automated device enrollment token) is a required component of Apple automated device enrollment (ADE) for macOS. It creates the trust relationship between Microsoft Intune and Apple Business Manager or Apple School Manager, and allows Intune to:

• Sync device information from your Apple enrollment program account.
• Upload enrollment profiles to Apple.
• Assign devices to enrollment profiles.

This article describes how to create, renew, and delete enrollment program tokens for macOS.

Create an enrollment program token

Step 1: Download the Intune public key certificate

The public key certificate is needed to request a trust-relationship certificate from Apple Business Manager.

1. In the Microsoft Intune admin center, go to Devices > Enrollment.

2. Select the Apple tab.

3. Under Bulk Enrollment Methods, select Enrollment program tokens.

4. Select Add.

5. Select I agree to grant permission to Microsoft to send user and device information to Apple.

6. Select Download your public key and save the key as a PEM file locally. The key is used to get the MDM server token in the next step.

   Important

   Keep this browser tab open. If you close the tab, the certificate you downloaded is invalidated and you'll need to start over.

Step 2: Add an MDM server in Apple Business Manager and download the server token

Add Intune as a mobile device management (MDM) server in Apple Business Manager, and then download the server token.

1. In the admin center, select the link that corresponds with the Apple portal you use:

   • Create a token via Apple Business Manager
   • Create a token via Apple School Manager

   The selected portal opens in a new browser tab. Switch to the new tab, but keep the Intune tab open.

2. Sign in to the Apple portal with your company Apple ID.

   Important

   Use your organization's Apple ID, not a personal one. You and your organization will need this Apple ID to renew and manage the token going forward.

3. Go to your account profile > Preferences.

4. Go to your MDM server assignments.

5. Select the option to add an MDM server.

6. Name the MDM server. The name is for identification purposes in Apple Business Manager and doesn't have to match the actual Microsoft Intune server name or URL.

7. Upload your public key (.pem) file, and then save your changes.

8. Download the server token (.p7m file).

Step 3: Assign devices to the MDM server

After you create the MDM server in Apple Business Manager, assign devices to it. You can do this now or come back later.

We recommend assigning devices now since you're already in Apple Business Manager. You can use available features like filters and bulk assignment to simplify selection. For more information and steps, see Assign, reassign, or unassign devices in Apple Business Manager.

Step 4: Save the Apple ID

1. Return to the Intune admin center tab.

2. In the Apple ID field, enter the Apple ID used to download the server token.

   This ID is the Apple ID you'll need to renew the token each year. Make sure future Intune admins know which Apple ID was used, in case you leave your organization and need to transition token management.

   

Step 5: Upload the server token and finish

1. In the Apple token field, browse to the server token (.p7m file) you downloaded from Apple Business Manager.
2. Select Open, and then select Create.

Intune automatically connects with Apple Business Manager to sync device information from your enrollment program account.

Renew an enrollment program token

Renew your enrollment program token yearly. The Intune admin center shows the token expiration date. Also renew the token in these situations:

• The Apple ID password changes for the user who set up the token in Apple Business Manager.
• The user who set up the token in Apple Business Manager leaves the organization.

1. Sign in to Apple Business Manager with an account that has an Administrator or Device Enrollment Manager role.

2. Select Settings. Under MDM Servers, select the MDM server associated with the token file you want to renew.

3. Select Download Token.

   Note

   Don't select Download Server Token unless you intend to renew the token. Doing so invalidates the token currently in use by Intune. If you already downloaded the token, complete the remaining steps to finish the renewal.

4. After downloading the token, go to the Microsoft Intune admin center.

5. Go to Devices > Enrollment.

6. Select the Apple tab.

7. Under Bulk Enrollment Methods, select Enrollment program tokens.

8. Select the token you want to renew.

9. Select Renew token. Enter the Apple ID used to create the original token.

10. Upload the newly downloaded token.

11. Select Next. Assign scope tags if needed.

12. Select Create to save your changes.

Delete an enrollment program token

You can delete an enrollment program token from Intune as long as:

• No devices are assigned to the token.
• No devices are assigned to the default profile.
• There are no enrollment profiles under that token.

To delete an enrollment program token:

1. In the Microsoft Intune admin center, go to Devices > Enrollment.
2. Select the Apple tab.
3. Under Bulk Enrollment Methods, select Enrollment program tokens.
4. Select the token, and then select Devices.
5. Delete all devices assigned to the token.
6. Return to Enrollment program tokens. Select the token, and then select Profiles.
7. Delete all enrollment profiles listed, including any default profile.
8. Return to Enrollment program tokens. Select the token, and then select Delete.

Next steps

• Set up an enrollment profile for macOS
• Manage macOS ADE devices and tokens