Apple’s often underutilised and underappreciated service deserves a lot more credit than it gets. I would wager a coffee that anyone can learn to appreciate it in the same amount of time it takes to drink a cup!
What is it?
Apple Business Manager (ABM) is a service provided for administrators to enable rapid, consistent, and simple deployment of Apple products. It combines the previously successful Device Enrollment Program (DEP) and Volume Purchase Program (VPP) and then layers some great features on top. I’m a big fan of ABM and the relatively short amount of time required to set up and learn its features make it an essential add-on to any Apple estate.
Why do I need it?
Ever suffered this inevitable issue? A user leaves an organisation, their devices are handed back, their user account is disabled. Come the next morning IT begin the process or re-provisioning those devices, only the user had been signed in with a personal Apple ID and the “Find my” feature is enabled. Ah! We are stuck. As far as the device is concerned it belongs to the departed user and not you and IT are unable to re-provision the device. There are only two options here, take the device to an Apple Store with the original purchase receipt and ask them nicely to remove the lock, a real time burner with more than one device to wait around for, or, you can hope that you are able to contact that now ex-employee and they can release the device. Wouldn’t it be better if there was a way to prevent this from the outset? Well, say hello to Apple Business Manager because with this and an MDM you are able to avoid this exact scenario. There is more to it than just this use case but it is the one that comes up most often and is usually the motivator behind an opening discussion on how best this scenario is avoided in the future and what else Apple Business Manager can offer.
What do I need to set it up?
Short and sweet, you will need to sign up to the service at https://business.apple.com and you’ll need an MDM, almost every MDM on the market supports this feature, but it should still be on your checklist when evaluating either a new or existing environment.
What does this give me?
The service is neatly split across four main headings each with a sub-heading or two, here is a quick whistle stop tour of what they do and what they offer:
A quick at a glance screen enabling quick access to actions performed within Apple Business Manager. A handy filter is available to ensure you can find what you are looking for.
Locations allows a business to break up its App and Book Licensing in a logical way, such as by business function, department, or ….. location! Each location is issued a “Server Token” enabling accurate licensing assignment across the business and are a key part of Role Based Access.
Manage and create all accounts here, update them, delete them, this is your one stop shop for all things accounts.
One of the key features in Accounts is something called Managed Apple IDs. I want to dig a little here as the term quickly creates confusion. Some key highlights for Managed Apple IDs:
Managed Apple IDs CAN:
- Be used for BYOD enrollment
- Be used on shared devices
- Access Apple Business Manager
Managed Apple IDs CANNOT:
- Setup Apple Pay
- Access certain iCloud features such as Mail or Keychain
- Be used to download paid for or free apps from the App Store
There is also a rather nice little feature allowing you to link Managed Apple ID creation to Azure AD.
Every Account has one or more roles assigned to it; we manage those here.
- Administrators are in overarching control. They are Top Cat (see what I did there?) able to access all the features available in Apple Business Manager.
- People Managers are able to edit the user details, roles and locations of users within Apple Business Manager with the exception of Administrators.
- Device Enrolment Managers are able to administer devices assigned to the business and perform actions such as adding MDM servers or moving a device from one MDM to another.
- Content Managers are able to access all that Apps and Books has to offer and perform actions such as assigning licenses to specific locations.
- Staff is used for the user role; it allows access to shared iPad and other services.
The artist formally known as Device Enrollment Program and it was recently subject to an update in ABM. It sounds like such a simple thing and the functions were never tricky before, but the updated interface now offers the polished experience we have come to expect from Apple. Admins can now update, assign and release devices either individually or in bulk to or from an MDM with ease.
“Does what it says on the tin!” follow device assignment at a glance!
Apps and Books
Formerly Volume Purchase Program or VPP for short. Simply search out the Application or Book you are looking for, chose the number of licenses you require, select the required location and click “Get”. We are able to acquire iOS and MacOS applications here for free or paid for apps.
Now it is time to link your MDM, setup your Accounts, grab your Apps and start ordering your Apple devices.
Can I use my existing devices?
Yes absolutely, but there are some caveats. Without going into too much detail you’ll either need Apple Configurator 2 or to contact your sales team.
Is that really it?
Well…. Sort of! I have deliberately left “Settings” out of this coffee time roundup as it contains the nuts and bolts for ABM that are a bit out of scope for this post.
So hopefully you are now at the end of your cup of coffee staring longingly at its emptiness, or is that just me? Ok then, but hopefully you’ll now feel up to speed with what you can achieve and if you feel I have missed something out, or you would like to know more, then please reach out to one of our team.