Connecting Ivanti EPMM to Apple Business Manager

This section covers enabling User Enrollment for Apple Business Manager:

  1. Manage MDM Settings
  2. Add the Server Token
  3. Create users to enable User Enrollment for local users and LDAP users
  4. Configure LDAP group members to inherit Apple User Enrollment Roles
  5. Match the Location and the Account
  6. Distribute apps to Apple Business Manager devices
  7. Configuration settings for Apple Business Manager User Enrollment
  8. Wi-Fi Policy for user-enrolled devices

Once you have completed the above steps, then you can proceed to:

For instructions on using Federated authentication, see the Apple Business Manager User Guide on the Apple website. A login is required.

Before you begin 

Manage MDM Settings

You will need to make some settings on the MDM page.

Procedure 

  1. In the Admin Portal, select Settings > iOS > MDM.
  2. Select the Enable User Enrollment check box and then select Save.
  3. Check that your certificate is valid. If not valid, on the MDM page, select the Install MDM Certificate button.

    The MDM Certificate Generation dialog box opens.

  4. Select Download Certificate Signing Request.

  5. Select Upload MDM Certificate.

    The Upload MDM Certificate dialog box opens.

  6. Browse to the certificate, select it and then select Upload Certificate.

Add the Server Token

Download the server token from Apple Business Manager.

Procedure 

  1. Login to Apple Business Manager.
  2. Select Settings > Apps and Books.
  3. Download the server token for your location.

Create users to enable User Enrollment for local users and LDAP users

This section covers creating local and LDAP users and setting the User Enrollment for unsupervised Apple devices. User Enrollment will not work on supervised devices or devices enrolled in Apple's Device Enrollment Program.

Procedure 

  1. In the Admin Portal, go to Devices & Users > Users.

  2. SelectAdd > Local New User.

    Enter the new user information. For more information on how to create a user, see "Add New User window" in the Getting Started with Ivanti EPMM.

  3. Select a user and select Actions > Assign Roles.  

    The Assign Roles dialog box opens.

  4. Select Use Apple User Enrollment (For Apple unsupervised device only).

    A text field displays.

  5. Enter the Managed Apple ID for the user.

  6. Select Save.

Configure LDAP group members to inherit Apple User Enrollment Roles

You can configure LDAP group members to inherit Apple User Enrollment roles. This gives all the users in that group the Apple User Enrollment setting.

Before you begin 

Create your LDAP groups. For instructions, see "Configuring the set of LDAP groups" in Getting Started with Ivanti EPMM.

Procedure 

  1. In the Devices & Users > Users page, set the search criteria in the To field to: LDAP Entries and the Category field to: Authorized LDAP Groups. You can also choose different categories in your search.

    The search results display in the Users page.

  2. Select a group and select Actions > Assign Role(s).

    The Assign Roles dialog box opens.

  3. Select Use Apple User Enrollment (For Apple unsupervised device only) and add the email address for User Enrollment and Managed Apple ID. You can also use standard substitution variables, for example: [email protected] See the table below, Supported Substitution Variables for User Enrollment, for accepted options.

    Substitution variables are allowed for use with LDAP Groups only and not for LDAP Users.

  1. Select Save.
Table 16.  Supported substitution variables for User Enrollment

Substitution variable

More information

Sample of substituted value

$USERID$

Login ID (email address format)

[email protected]

$EMAIL$

Email address

[email protected]

$EMAIL_DOMAIN$

The domain part of the email address (part after the ‘@’)

myCompany.com

$EMAIL_LOCAL$

The local part of the email address (part before the ‘@’)

jdoe

$FIRST_NAME$

First name

Jane

$LAST_NAME$

Last name

Doe

$DISPLAY_NAME$

Display name

Jane Doe, CEO

$USER_DN$

Distinguished Name

CN=Jane Doe,

OU=NA,OU=Users,

OU=XY,

DC=myCompany,

DC=com

$USER_UPN$

The Microsoft userPrincipalName attribute

[email protected]

$USER_LOCALE$

Locale

en_US

$USER_CUSTOM1$

Custom field defined for LDAP

The value of the variable as defined in LDAP settings.

$USER_CUSTOM2$

Custom field defined for LDAP

The value of the variable as defined in LDAP settings.

$USER_CUSTOM3$

Custom field defined for LDAP

The value of the variable as defined in LDAP settings.

$USER_CUSTOM4$

Custom field defined for LDAP

The value of the variable as defined in LDAP settings.

$CN$

Common Name (CN) attribute extracted from the distinguished name

Jane Doe

$OU$

Organizational Unit (OU) attribute extracted from the distinquished name

XY

$SAM_ACCOUNT_NAME$

The Microsoft sAMAccountName attribute

jdoe

$REALM$

The domain component of an LDAP entry

mycompany.com

Managing users that belong to multiple groups

If a device user belongs to multiple groups (or nested groups) and is assigned a managed Apple ID substitution variable for various groups, this means there are more than one option available for each user. Ivanti EPMM cannot determine which option to use. This results in Ivanti EPMM creating an audit log entry (Logs > Audit Logs > filter by Managed Apple ID) with the error message: “More than one LDAP Group managed Apple ID option.”

To resolve this, assign the concrete Managed Apple ID for the specific LDAP user by using the following instructions.

Procedure 

  1. Go to Devices & Users > Users page, set the following parameters:

    • To: LDAP Entities
    • Category: LDAP users
    • search for: your LDAP user
  2. Select a user, select Actions > Assign Role(s).

    The Assign Roles dialog box opens.

  3. Select Use Apple User Enrollment (For Apple unsupervised device only) and add a unique email address for User Enrollment and Managed Apple ID.  

    Apple ID substitution variables are not valid for individual users or local users. Use a valid, managed Apple ID, for example, [email protected]

  4. Select Save.

Match the Location and the Account

In order for the User Enrollment to work in Ivanti EPMM, the Apple App License Account needs to be part of the same Apple Business Manager account. Within Apple Business Manager, if you have an account listed in Locations, you need to have an Apps and Books matched to the same location. You may need to add a new location (EXAMPLE: West Coast.)

Apple may change their Apple Business Manager software without notice.

Procedure 

If you have an Apple license account (VPP from Apple Business Manager) that is in the same Apple Business Manager account as the Managed Apple IDs that you will be using, you can skip steps 2 and 3.

  1. Go to Apple Business Manager and log in.

  2. In Apple Business Manager, go to Settings > Apps and Books
  3. Add a New Location, enter in the information and then select Save

    It may take several minutes for the new location to display.

  4. Go to Accounts and search for the user name. 
  5. Select the user and select Edit.
  6. Give the user Content Manager permissions for the (new) location, for example, West Coast.) 
  7. Sign out of Apple Business Manager to allow the permissions to take effect. It is recommended you wait several minutes before going to the next step. 
  8. Log into Apple Business Manager. 
  9. Go to Locations and confirm the new location is displaying.

Distribute apps to Apple Business Manager devices

You can search for iOS apps on the Apple App Store and add them to the App Catalog for distribution to Apple Business Manager devices. You can also add your own in-house apps for iOS and macOS.

For more information, see "Importing licensed apps from Apple Licenses account" in the Ivanti EPMM [email protected] Guide.

Apple User Enrolled devices will not report unmanaged apps and are unable to convert an unmanaged app to a managed app. Please adjust compliance actions accordingly.

Before you begin 

Purchase your apps in Apple Business Manager.

Procedure 

Now you need to import the apps you just purchased into Ivanti EPMM.

  1. In the Admin Portal, go to Apps > Apple Licenses.
  2. Select the account name and then select Actions > Update licenses.

    The Update licenses dialog box opens.

  3. Select the applications you wish to import into Ivanti EPMM and then select Import. It may take a few minutes to import into Ivanti EPMM.
  4. Go to Apps > App Catalog and import the apps.
  5. Select a newly-imported app, for example, [email protected], and then select Actions > Manage Licenses.

    The License Summary page displays.

  6. Select on the link of the license.

    The detailed license page displays.

  7. In the License Label management section, select Apply To labels.

    The Apply to Labels dialog box opens.

  8. Select the desired label and select Apply.

    For License Type, it does not matter which option you select (user-based or device-based), it will always be a user-based license when the device was registered with Apple User Enrollment. If this app is shared with other types of enrollment, device-based would be the suggested setting so that your device user will not need to enter their iTunes/Apple credentials before installing the app.

From here, you can take optional actions:

  • Install apps - see "Using the wizard to import iOS apps from the Apple App Store" in the Ivanti EPMM [email protected] Guide.
  • Apply labels - see "Managing Labels" in Getting Started with Ivanti EPMM.

Configuration settings for Apple Business Manager User Enrollment

This section covers additional configuration settings required for Apple Business Manager User Enrollment: VPN and Wi-Fi.

VPN for User-enrolled devices

User Enrolled devices can only have Per-App VPNs and can no longer have VPNs configured for the whole device. It is recommended that you create one or more VPN configurations specifically for User Enrollment. Now whenever the app is installed, the appropriate VPN configuration will also be installed automatically.

It is recommended that when assigning labels to VPN configurations, the labels should not include devices that are User Enrolled. Using a filter label, you can filter out user enrolled devices by setting in the filter:

"ios.apple_user_enrolled_device"= false

Procedure 

The below steps ensure when the app is installed on the user device, the appropriate VPN configuration will also be automatically installed.

  1. Follow the instructions in Managing VPN Settings to setup a new VPN. Be sure to select Per App VPN as part of your configuration.
  2. Go to Apps > App Catalog.
  3. Select the link of an app and then select Edit.
  4. In the Per-App VPN Settings section, select the newly-created VPN and move it to the panel on the right.
  5. Select Save.

From here, you can optionally apply a label to your Apple license. See "Applying an Apple license label to an app" in the Ivanti EPMM [email protected] Guide.

Ivanti recommends that administrators modify labels for VPN configurations to exclude User Enrolled Devices if the VPN is not supported on User Enrollment. This can be done using the device detail "ios.apple_user_enrolled_device" and including it in the label definition, e.g.: AND "ios.apple_user_enrolled_device" = true

Wi-Fi Policy for user-enrolled devices

You need a Wi-Fi policy specifically for user-enrolled devices.

  1. In the Admin Portal, go to Policies & Configs > Policies.
  2. Select Add New > Wi-Fi.

    The New Wi-Fi Setting dialog box opens.

  3. Enter the information. In the Proxy Type field, select Auto. This is the only proxy type that can be used for user-enrolled devices.

    For more information about Wi-Fi, see Wi-Fi settings.

Device user instructions for registering using User Enrollment

This section addresses the actions the device user needs to take for registering Apple User Enrollment. The below steps will work with any app your company purchased - the example app used is the client app, [email protected]

Procedure 

  1. On the iOS device, open Safari (never Chrome) and type in the URL for [email protected]: registrations.company.com/go.
  2. The [email protected] login displays. The device user is to log in using their local user or LDAP credentials.

    The registration page displays with a message saying the profile was downloaded.

    You must complete registration within 10 minutes or you will have to start registration process over.

  3. Tap Settings. The Settings page displays.
  4. Tap Enroll in [Your Company Name].

  5. The User Enrollment page displays.

  6. Tap Enroll My iPhone.

    If you tap Cancel and Delete Profile, you will have to start the registration process all over again.

  7. You will be presented with a login for either Apple or your Federated account. Enter the password for your Managed Apple ID. (The Managed Apple ID will be listed at the top of your login page.) 
  8. You may be presented with the option to stay signed in, make a selection.

  9. A page displays stating the "Enrollment is Successful.”

Using Logs for Troubleshooting

To troubleshoot errors or issues for a User Enrolled device, start by reviewing the device MDM logs.

Procedure 

  1. In the Admin Portal, go to Devices & Users > Devices.

  2. Select the device to open up the Device Details page.

  3. Select the Logs tab.

    A list of available logs display.

  4. Select the MDM Activity link to display the list of MDM actions performed on the device.
  5. From the MDM Activity page, you can filter the actions based on a date range, the state of the action (for example, Error) or the action itself (for example, Install Managed Application.)

    If the action is in the Error state, a View Error link displays. Select this link to see more details about the error.

View reports on devices

You can see a report on devices by selecting the device , selecting the Log tab and then selecting the MDM Activity link.

Activation Error

Errors occur when the device is supervised. Users cannot use a supervised device for User Enrollment. There is no remedy for this as supervised devices cannot be used with User Enrollment.

App fails to install (AppAlreadyInstalled)

The most common Install Managed Application error is AppAlreadyInstalled. This error occurs when the device has the app installed in the private space. Since the MDM service is unable to see private apps and is unable to convert the app to managed, an Install Managed Application command sent for an already-installed app will get this error message.

Procedure 

  1. Instruct the device user to remove the app from the device.
  2. Instruct the device user to tap “Install” for the app within [email protected]

Procedure (Alternate)

Alternatively, you can send a new installation request to the device for that application.

  1. Navigate to Apps > App Catalog.
  2. Select the check box next to the app.
  3. Select Actions and select Send Installation Request.
  4. Select the option to Send request for new installations.
  5. Under Actions, choose Select devices to send message and then select Apply.
  6. Search for the device, select the check box and then select Send.