
How to assign ADE devices to Hexnode?

There are many ways to enroll an Apple device in a UEM. One of the ways is to register the Apple device via the Automated Device Enrollment (ADE) method and then assign the device to the MDM server. For that, you should first enroll your organization in ABM.

To add devices to Apple ABM, make sure that you have:

  1. A device bought directly from Apple or an authorized dealer after 1 March 2011 and running at least iOS 7.0.4, iPadOS 13.1, macOS 10.9 or tvOS 10.2.
  2. An iOS 11+ device can be directly enrolled in ABM via DEP using Apple Configurator regardless of where and when the device is purchased.
  3. An APNs certificate setup for the MDM server to communicate with the device.

Steps to Enroll devices via ADE

Add Devices to Apple Business Manager

Step 1: Add devices to Apple Business Manager

You will need the Apple Customer Number, or the Reseller ID associated with the purchased devices to add them to ABM. To add the purchased device to the ABM portal, associate the number or ID obtained from the device suppliers to ABM.

  1. Log in to your Apple Business Manager account.
  2. Click your name at the bottom of the sidebar and go to Preferences > MDM server assignment.
  3. Click on Edit next to Customer Number.
  4. Enter your Apple Customer Number or Reseller Number and click Add.
  5. Click on Done.

If you have purchased devices from more than one entity, you have to add all the numbers and IDs via this method.

Apple Customer Number

If the devices were directly purchased from Apple, Apple would assign your organization an Apple Customer Number. Contact your finance department or Apple Sales for your Apple Customer Number. If the devices were purchased from Apple Store, contact the Business Team for the Customer Number.

Reseller ID

If the devices were purchased from an Apple Authorized Reseller or a wireless carrier, you would need to enter their Reseller ID in your ABM portal. Also, you should provide your Organization ID to the reseller or carrier.

To find your Organization ID,

  1. Log in to your Apple Business Manager account.
  2. Click on your name at the bottom of the sidebar and go to Preferences > Organization Information.
  3. Your Organization ID will be displayed under Organization Information.

To get the Reseller ID, contact the Apple Authorized Reseller or carrier via which the devices were purchased. The devices can be enrolled in the MDM only if the reseller or the carrier supports the device enrollment feature in Apple Business Manager.

Configure ADE Enrollment Profile

Step 2: Configure Enrollment Profile

The enrollment profile can be configured from the Hexnode console. Go to Enroll > All Enrollments > No-Touch > Apple Business/School Manager > Enrollment Profiles. Click on Create Enrollment Profile to create a new enrollment profile or edit existing enrollment profiles by clicking on them.

List of ADE Enrollment Profiles.

Add a new profile

  1. Navigate to Enroll > Platform-Specific > iOS/macOS/tvOS > Apple Business/School Manager.
  2. Go to Enrollment Profiles.
  3. Click on Create Enrollment Profile.
  4. Fill out all the necessary fields and click on Save.

Configuring Enrollment Profile settings.

The following parameters are available to configure in Enrollment profiles:

  • General Settings

    By adjusting the general settings of an enrollment profile, you can configure device settings, choose the authentication mode for enrollment, manage activation lock settings, and set a custom EULA, among other options.

    The following fields let you fill in the basic details related to the enrollment profile:

    • Display name – A display name of the enrollment profile.
    • Department – Name of the department to which the devices are assigned.
    • Support Phone Number – A contact number for users to reach out to if they need help during setup.
    • Support Email Address – An email address for the users to request support during setup.
    Device Settings
    • Edit device name: Select this setting to edit the device name for the devices to be enrolled. Enter the name for the device in the field provided.
      Note: The use of wildcards is allowed.

    • Append number: Select this setting to append numbers to the device name specified under the Edit device name setting. Enter the name for the device in the field provided.
      Note: This setting is useful when you want to assign a common name to all associated devices. By appending numbers to the device name specified under Edit device name, you can easily differentiate between the devices (e.g., Devicename-1, Devicename-2, etc.).

    • Enroll devices in MDM: Enabling this option prevents users from bypassing the “Remote Management” screen during initial device setup.
    • Enable Supervision: Check this option to make the device supervised upon enrollment.
    • Allow MDM Profile Removal: Check this to make the profile removable after device enrollment. If disabled, users will be blocked from manually removing the MDM profile from the device.
    • Allow iTunes pairing: Check this option to allow users to sync their devices with iTunes. Disabling this option will prevent every iTunes related action. To re-enable it, the device will have to be wiped and re-enrolled.
      Note: Supported only on iOS 13 and below.

    Authentication

    Choose the authentication method to be used for enrollment. The following options are available,

    • No authentication: When selected, the admin must choose the Domain and a Default user (available within the chosen domain) to assign the device.
    • Enforce Authentication: When selected, admins must choose the type of user account that will authenticate during enrollment (AD/Microsoft Entra ID/Local/OKTA/Google user). Users will be required to enter their directory or local credentials while authenticating the device.
    Activation Lock
    • Device-based Activation Lock: Enable this option to enforce device-based activation lock on the enrolled devices. The device-based Activation Lock is enabled by Hexnode and is associated with the Managed Apple Account of the user that created the MDM server token in ABM.
    • User-based Activation Lock: Enable this option to enforce User-based Activation Lock on the enrolled devices. Users can enable activation lock on their devices using the credentials of their personal Apple Accounts.

    Note: For Device-based Activation Lock, the activation lock cannot be disabled from the device itself. It can only be deactivated through the admin’s ABM portal.

    Custom EULA
    • Choose EULA: Select the necessary EULA. The available options are None, Custom T&C, and Terms of Use.
  • Account Creation

    Configuring Account Creation settings.

    Managed Admin Account

    Using the settings given below you can configure and set up a managed admin account on the devices during the enrollment procedure.

    • Create managed admin account: Enable this option to automatically create the managed admin account on the device during enrollment.
      Note: Supported only on devices running macOS 10.11 or later.

    • Choose admin account: Choose an admin account to set up on the device. You can select an admin account from the drop-down if one was already set up during the configuration of previous enrollment profiles. You can also create a new admin account on the device by clicking on +Create new Account and fill in the details in the fields described below.
      • Full name : Enter the full name of the admin account.
      • Password : Enter the password for the admin account.
      • Account name : Enter the account name for the admin account.

      Note:
      • The Account name will be used as the name for the user’s home folder on the device.
      • To log in to the device, the user can use the Full name or Account name.
      • The use of wildcards is supported for the fields above.

    • Hide account from Login Window and Users & Groups: If this option is enabled, the account will be hidden from System Preferences > Users & Groups on the user’s Mac. Enabling this option will also hide the account name and only display the password prompt on the login window.
    Local User Account Creation

    Configure this setting to require users to create a local account during the device setup process. The following settings are available:

    • Account type: Choose the account type for local account creation. The available options are Administrator, Standard or you can choose Skip account creation.
      Note:
      • The option Create managed admin account must be enabled to enforce Standard account creation or Skip account creation.
      • The account creation step can be bypassed by selecting the Skip account creation option.

    • Autofill user’s full name: Enable this option to auto-populate Full name and Account Name for the local user account with the admin credentials specified under Managed Admin Account.
      Note: Supported on macOS 10.15+.

    • Lock user’s full name: If enabled, Full name and Account name of the user cannot be edited during account creation.
  • Setup Assistant

    Configuring Setup assistant settings.

    Hexnode UEM allows you to configure which panes are shown to the user in the Setup Assistant screen. You can also choose to skip the screen entirely.

    • Automatically advance through Setup Assistant: If enabled, the Setup Assistant screen will be skipped during enrollment.
      Note: Supported only on macOS 11+ and tvOS devices.

    • Default Language: Set the default language for the device.
      Note: Supported only on macOS 11+ and tvOS devices.

    • Default region: Set the default region.
      Note: Supported only on macOS 11+ and tvOS devices.

    • Don’t show the selected steps: With Hexnode you can have a customized setup experience for your ABM enrolled devices. Check the boxes corresponding to steps that you want to avoid during Apple devices’ setup.
      1. All ADE Devices
      2. iOS Only
      3. macOS Only
      4. tvOS Only
  • App Packages

    Configuring app packages in enrollment profile.

    To install required app packages on the device during the enrollment procedure,

    1. Click on Configure.
    2. Click on +Add to either add an app or a group of apps from the app inventory.
    3. Select the necessary apps and click on Done.
  • Shared Device Settings

    Configuring Shared Device settings.

    Note: Shared Device Settings is only supported on iPads running iPadOS 13.3 and later and added to Apple Business Manager or Apple School Manager organizations that are using X-Server-Protocol-Version 2 and later.

    You can configure the settings for shared iPads using the options below,

      • Enable shared device: Select this option to enable the shared device mode.
      • Configuration mode: Configure whether the device allows multiple users or allows temporary sessions only. There are two modes available:
        • User mode
        • Guest mode

    Note: Guest mode is available only on devices running iOS 14.5, iPadOS 14.5 and later.

    The settings available to configure under User mode are the following,

    • Allocate storage based on: Select the method by which the storage allocation per user will be decided. There are two options available:
      • Number of users
      • Per-user quota
    • Expected number of users (for Number of users): Set the expected number of users. The available storage will be equally distributed amongst the specified number of users.
      If any additional space is needed for a new user, the local data for the oldest user is removed.
    • Per-user quota (for Per-user quota): Specify the storage quota allocated to each user. If any additional space is needed for a new user, the local data for the oldest user is removed.
    • Domains: Specify the domains to be displayed on the iPad login screen.
      Note: Supported only on iOS 16 and later versions.

    • Skip Language and Locale: If enabled, the Language and Locale will be picked by the system for a new user.
      Note: Supported only on iOS 16.2 and later versions.

    • Auto-Lock: Set the period of inactivity after which the device will be locked automatically.
      Note: Supported only on iOS 14.5 and later versions.

    • User timeout: Set the period of inactivity after which the user is logged out.
      Note: Supported only on iOS 14.5 and later versions.

    • Guest timeout: Set the period of inactivity after which the guest is logged out.
      Note: Supported only on iOS 14.5 and later versions.

    • Require Authentication: Specify the period after which a user is required to complete an online authentication (against Apple’s identity server).
      Note: Supported only on iOS 16 and later versions.

    • Passcode grace period: Specify the period up to which a user can unlock their account without using a passcode.

    The settings available to configure under Guest mode are the following,

    • Auto-Lock: Set the period of inactivity after which the device will be locked automatically.
    • Guest timeout: Set the period of inactivity after which the guest is logged out.
  • Associate Policy

    Associating policy through Enrollment Profile.

    You can configure the devices by associating policies during the device enrollment procedure.

    1. Click Configure.
    2. Next, click on +Associate Policy.
    3. Select the required policies and click on Done.

You can also edit the profile on this page and save it again.
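
The Device Settings and Setup Assistant options above decide whether a user can skip management during setup or remove it later. The following Python audit is an added example, not Hexnode's code: it assumes the profile has been written out with the key names of Apple's device enrollment profile format, and the mapping from the Hexnode options to those keys, the function name audit_profile and both sample profiles are assumptions constructed for illustration.

```python
"""Added example: audit an ADE enrollment profile for weak settings.

Key names follow Apple's device enrollment profile format. Mapping them to
the Hexnode console options is an assumption; sample profiles are constructed.
"""

# (key, hardened value, finding reported when the profile differs)
REQUIRED = [
    ("is_mandatory", True, "user can skip Remote Management during setup"),
    ("is_supervised", True, "device is not supervised"),
    ("is_mdm_removable", False, "user can remove the MDM profile"),
    ("allow_pairing", False, "host pairing (iTunes sync) is allowed"),
]

# Setup Assistant panes whose skipping leaves a control unset unless a
# policy associated with the profile enforces it after enrollment.
SENSITIVE_SKIPS = {
    "Passcode": "passcode pane skipped; enforce a passcode by policy",
    "FileVault": "FileVault pane skipped; enforce disk encryption by policy",
}


def audit_profile(profile):
    """Return a list of findings; an empty list means nothing weak was found."""
    findings = []
    for key, wanted, message in REQUIRED:
        # A missing key is a finding too: do not rely on server defaults.
        if profile.get(key) is not wanted:
            findings.append(f"{key}: {message}")
    for item in profile.get("skip_setup_items", []):
        if item in SENSITIVE_SKIPS:
            findings.append(f"skip_setup_items[{item}]: {SENSITIVE_SKIPS[item]}")
    return findings


# Constructed sample: every management control is locked down.
HARDENED = {
    "profile_name": "Corp default (constructed)",
    "is_mandatory": True,
    "is_supervised": True,
    "is_mdm_removable": False,
    "allow_pairing": False,
    "skip_setup_items": ["AppleID", "Siri", "Diagnostics"],
}

# Constructed sample: skippable, removable, pairing unset, passcode skipped.
WEAK = {
    "profile_name": "Pilot (constructed)",
    "is_mandatory": False,
    "is_supervised": True,
    "is_mdm_removable": True,
    "skip_setup_items": ["Passcode", "Siri"],
}

if __name__ == "__main__":
    for sample in (HARDENED, WEAK):
        results = audit_profile(sample)
        print(sample["profile_name"], "->", "OK" if not results else "")
        for line in results:
            print("  -", line)
```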

Create an ADE Account in Hexnode

Step 3: Create an ADE Account in Hexnode

To add devices in the ABM program, you need to obtain a server token from Apple.

  1. In the Hexnode UEM portal, go to Enroll > All Enrollments > No-Touch > Apple Business/School Manager > Devices.
  2. Then, click on Add ADE Account.
  3. Provide an Account Name and download the certificate file Hexnode_Apple_DEP_cert.pem.
  4. Sign in to Apple Business Manager account.
  5. Click your name at the bottom of the sidebar. Then, go to Preferences, and click on the Add button next to Your MDM Servers.
  6. Name the MDM server and upload the public key (the certificate file previously obtained in Step 4) and click Save.
  7. Click on Download MDM Server Token.
  8. Go back to your Hexnode UEM console and upload the server token in the field Upload ADE server token file.
  9. Check the box Add as a Pre-approved device if you want to pre-approve the devices that you are planning to enroll using Hexnode.
  10. Choose a Default Configuration Profile. By default, the Default ADE profile will be selected. If you want to attach a different configuration profile with the ADE Account, choose it from the drop-down.
  11. Click on Next.

Assign Devices to the MDM server

Step 4: Assign devices to the MDM server

You can either assign Apple devices individually to the respective device management server or bulk assign devices to the same management server.

Note: You can automatically assign newly purchased devices added to the ABM by designating an MDM server as the default. To set a default MDM server, click the name at the bottom sidebar and navigate to Preferences > MDM Server Assignment in the ABM portal.

Individual Device Assignment

  1. From the Devices page, select the required device.
  2. On the top-right portion of the screen, click on the horizontal ellipsis button. Then, click on Edit MDM Server.
    Assigning devices in ABM.
  3. Tap Assign to the following MDM. Now select the server from the drop-down. Tap Continue.

    Assigning MDM Server

  4. Click on Confirm to assign the device to the management server.

Bulk Device Assignment

  1. From the Devices page, either
      • Manually select the devices that you require. On Mac, press the Command key on the keyboard and click on the device names to make the selection. On Windows, use the Ctrl key.
        Assigning devices to MDM Server in bulk.

    Or

    • Apply the device filters to streamline the device list. The available filters are Device Management, Source, Order number, Device type, Storage size. To add a filter criterion, click Filter below the Search bar and check in the relevant boxes corresponding to each filter option. Then, click on Search to sort out devices according to the criterion. From the filtered device list, you can either select All devices or click on the device name for a specific device.

      Applying device filters.

      List of all devices in ABM.

  2. Click on Edit corresponding to the Edit MDM server option.

    Option to edit MDM Server.

  3. Select Assign to the following MDM option. From the drop-down, select the MDM server. Click on Continue.
    Assigning devices to an MDM server.
  4. Click on Confirm to assign the device to the management server.

The details of assigned devices can be seen in the device Assignment History, including the order number, the MDM server to which the device is assigned, assignment date and the device type.

Sync Devices to Hexnode

Step 5: Sync devices with Hexnode

The devices added under the MDM server created for Hexnode in the Apple Business Manager portal have to be synced with Hexnode. This synchronization will import the details of the added devices to the corresponding ADE Account in Hexnode. To sync devices to Hexnode,

  1. On your Hexnode UEM console, go to Enroll > All Enrollments > No Touch > Apple Business/School Manager > Accounts.
  2. Click on Sync all ADE accounts.

Navigate to Devices to view all devices synced from the MDM server in the ABM portal.
Change the device filter from Show all devices to the required ADE Account to list the devices assigned to that particular ADE Account.

Associate the Enrollment Profile with Individual Devices (Optional)

Step 6: Associate the Enrollment Profile with individual devices

The ADE Enrollment Profile helps the MDM streamline device enrollment and setup on devices added to ABM. If you want to attach a different Enrollment Profile (other than the one attached with the ADE Account) with an individual device,

  1. On your Hexnode UEM console, navigate to Enroll > All Enrollments > No Touch > Apple Business/School Manager > Devices.
  2. Select the device and click on Associate Enrollment Profile.
  3. Select the profile and click Assign.

All ADE Devices


| Setup Assistant Options | Supported versions | Description |
|---|---|---|
| Apple ID | iOS 7.0+, tvOS 10.2+, macOS 10.9+ | Skip Apple ID setup. |
| Biometric | iOS 8.1+, macOS 10.12.4+ | Skip biometric setup. |
| True Tone Display | iOS 9.3.2+, macOS 10.13.6+ | Skip True Tone Display pane. |
| Apple Pay | iOS 8.1+, macOS 10.12.4+ | Skip Apple Pay setup. |
| Restore | iOS 7.0+, macOS 10.9+ | Disable restoring from backup. |
| Screen Time | iOS 12.0+, macOS 10.15+ | Skip the Screen Time pane. |
| Appearance | iOS 13.0+, macOS 10.14+ | Skip the Choose Your Look window. |
| Diagnostics | iOS 7.0+, tvOS 10.2+, macOS 10.9+ | Skip sending diagnostic information to Apple. |
| Location Services | iOS 7.0+, macOS 10.11+ | Skip setting up Location Services. |
| Privacy | iOS 11.3+, tvOS 11.3+, macOS 10.13.4+ | Skips the privacy pane. |
| Siri | iOS 7.0+, tvOS 10.2+, macOS 10.12+ | Disable users from configuring Siri. |
| Terms and Conditions | iOS 7.0+, tvOS 10.2+, macOS 10.9+ | Hide terms and conditions from the user. |

iOS Devices Only


| Setup Assistant Options | Supported versions | Description |
|---|---|---|
| Move from Android | iOS 9.0+ | Remove Move from Android option from the Restore pane. |
| Keyboard | iOS 11.0+ | Skip the Keyboard pane. |
| Watch Migration | iOS 11.0+ | Skip the screen for watch migration. |
| iMessage and Face Time | iOS 12.0+ | Skip the iMessage and FaceTime screen. |
| Passcode | iOS 7.0+ | Hides and disables the passcode pane. |
| SIM Setup | iOS 12.0+ | Skip the add cellular plan pane. |
| Onboarding | iOS 11.0+ | Skip on-boarding informational screens. |
| Software Update | iOS 12.0+ | Skip the mandatory software update screen. |
| Home Button Sensitivity | iOS 10.0+ | Skip the Home Button screen. |
| Device to Device Migration | iOS 13.0+ | Skip Device to Device Migration pane. |
| Zoom | iOS 8.3+ | Skip the Zoom pane which shows larger text and controls. |
| Welcome/Get Started | iOS 13.0+ | Skip the Get Started pane. |

macOS Devices Only


| Setup Assistant Options | Supported versions | Description |
|---|---|---|
| FileVault | macOS 10.10+ | Disable FileVault Setup Assistant screen. |
| iCloud Storage | macOS 10.13.4+ | Skip iCloud Documents and Desktop screen. |
| iCloud Analytics | macOS 10.12.4+ | Skip the iCloud Analytics screen. |
| Registration | macOS 10.9+ | Prevent users from filling out the registration form and sending it to Apple. |

tvOS Only


| Setup Assistant Options | Supported versions | Description |
|---|---|---|
| Screen Saver | tvOS 10.2+ | Skip setting up screen saver. |
| TV Home Screen Sync | tvOS 11.0+ | Skip TV home screen layout sync screen. |
| Where is this Apple TV? | tvOS 11.4+ | Prevent user from selecting the room for the Apple TV. |
| Set up your Apple TV | tvOS 10.2+ | Prevent users from configuring their Apple TV. |
| Sign In to your TV provider | tvOS 11.0+ | Skip the TV provider sign in screen. |

What happens at the device end?

If you have a device that is not yet activated, switch on the device and connect it to the internet. The Apple server will push the Enrollment Profile previously attached to the devices via the MDM server on the ABM. This will enroll the device in the MDM. However, if you have an already activated device, reset it to its factory settings to get it enrolled in the MDM.

If no enrollment authentication is enforced via the MDM, the device will get directly enrolled in the MDM. However, if enrollment authentication was turned on, the device will get enrolled only after user authentication.

Warning:

  • The organization can choose to release a device from the ABM portal via which it was purchased. If the device is released from the ABM portal before the enrollment, it cannot be enrolled via the Automated Device Enrollment Program. If the device is released from ABM after the enrollment, it will get removed from the ABM portal as well as from the Hexnode UEM portal.
  • Only devices running macOS 12.0.1 or above with Apple Silicon or T2 Security chip can be added back to ABM using Apple Configurator on iPhone.
  • iOS and Apple TV devices released from ABM can be added back via Apple Configurator. Devices released from ABM running iOS 11.0+ and tvOS can be enrolled in Hexnode via ‘ADE using Apple Configurator’. However, such devices will not act like a normal ADE enrolled device during the initial 30 days of deployment. That is, during the 30-day provisional period, the user can remove the MDM management either from the Settings app (General > Device Management > Remove Management) or by wiping the device. To remove MDM management on wiping, click on Leave Remote Management on the Remote Management setup wizard.
