Configure iOS device management - Intune for Education (2023)

Before you can manage or assign iOS devices to students and teachers, you must set up iOS device management in Intune for Education. Setup requires that you add an MDM push certificate and configure at least one enrollment program token (also known as an MDM server token or DEP token).

During setup, you connect your Intune for Education account to your Apple School Manager account. The connection ensures that Intune for Education always has the most up-to-date details about the iOS devices you purchase.

This article describes how to:

  • Add an Apple MDM push certificate.
  • Configure and synchronize an enrollment program token.
  • Set up an Apple VPP token.

What happens after I configure device management?

After you set up iOS device management, you can use Intune for Education to manage apps and settings on your iOS devices. You also have access to reports and actions to resolve conflicts on the go.

Students and teachers at your school can securely access school websites and email.


Before starting, make sure you have the following:

  • An internet connection.
  • Your Apple School Manager account credentials.
  • Intune for Education device licenses. For more information about device licenses, see Microsoft Intune Licenses.


Intune for Education supports iOS device enrollment only for devices purchased through Apple's Automated Device Enrollment. For more information about automatic device enrollment and Apple School Manager, see the Apple device auto-enrollment support site.

Add an MDM push certificate

An Apple MDM push certificate establishes a secure connection between your Intune accounts and Apple School Manager. When you're signed in, Intune can seamlessly sync and manage your Apple devices and apps.

  1. Sign in to Intune for Education.
  2. Go to Tenant settings > MDM push certificate.
  3. Select Create certificate.
  4. Follow the instructions on the screen:
    1. Select Download to save the Intune certificate signing request file.
    2. Sign in to the Apple Push Certificate portal to create and download the push certificate. Use your school's Apple ID to sign in, not your personal one.
    3. Return to the Intune for Education portal and enter the Apple ID you used to sign in to Apple School Manager.
    4. Upload the push certificate file from Apple.
  5. Select Save to create the certificate in Intune for Education.

The push certificate expires every 365 days. The certificate is required to connect Intune for Education to your Apple School Manager account, so you must renew it annually.

Configure the Enrollment Program Token

The enrollment program token, sometimes called the DEP token or MDM server token, allows Intune to sync device details from Apple School Manager. These details tell Intune which devices to manage and populate your inventory in the Intune for Education portal.

You can configure your iOS devices to register as shared iPad devices. With the shared iPad, students and teachers sign in to school devices with their unique Managed Apple ID. As they move from device to device, their apps and data move with them. A student can use one device to start writing an assignment, then log in to another device to complete the assignment. To learn more about shared iPad and Managed Apple IDs, visit the Apple Education website and documentation.

Students can still share classroom devices, even without a shared iPad. However, user data does not move between devices. Before configuring the server token, choose whether to enable iPad Sharing.

When you set up a shared iPad device, you get all the features that come with the shared iPad, except for the Classroom and Schoolwork apps. Intune for Education doesn't support these apps. Shared iPad features become available after you set up an enrollment program token.

Add Enrollment Program Token

The following steps describe how to add an enrollment program token to Intune for Education.

  1. Go to Tenant settings > Enrollment program tokens.

  2. Select Add token.

  3. Choose how you want to enroll devices associated with your new server token. This option cannot be changed after creating the token. If you later want to change how devices are registered, you must create a new server token.

    • To configure this token for shared iPad, select Users sign in to devices with their Managed Apple IDs. All devices associated with this token are configured to require users to sign in with a Managed Apple ID.
    • If your school doesn't use Managed Apple IDs, select "Anyone can unlock these devices...". Devices can still be shared by students, but they can directly access them without having to sign in. You may need a Device Password when setting one up.
  4. Select Setup Enrollment Program Token.

  5. Follow the instructions on the screen:

    1. Select a prefix for the device name.
    2. Select Download to save the Intune public key so you can upload it later.
    3. Sign in to Apple School Manager to create and download a token. Use your school's Apple ID to sign in, not your personal one. If you don't have the MDM server information to complete this step, contact your school's Intune administrator.
    4. Stay in Apple School Manager and go to Device assignments. Enter the serial number for each device, the complete purchase order number for your device, or a list of your devices in a CSV file. From the dropdown menu, select Assign servers. Then select the MDM server you just created.
    5. Return to Intune for Education and enter the Apple ID you used to sign in to Apple School Manager.
    6. Upload the enrollment program token.
  6. Select Save to add the token to Intune.

Enrollment program tokens expire every 365 days. The token is required to view and manage your devices in the Intune for Education portal. You need to renew it annually.

Device enrollment profile

Intune for Education creates an iOS enrollment profile and applies it to each enrollment program token that you configure.

All iOS devices added to Intune for Education are placed in supervised mode. As an administrator, you have more control over your school's devices in supervised mode. For example, you can push new apps or app updates to a device without notifying the device user. For a complete list of supervised-only configurations, see the article Settings that require supervision.

Intune for Education applies a naming scheme to devices that you enroll with an enrollment program token. The name helps to identify and group individual devices. By default, devices are named with the device serial number. You can also add a custom device name when setting up your enrollment program token.

For more details on enrollment profiles, see List of configured settings during registration.

Sync Managed Devices

Now that Intune for Education has permission to manage your iOS devices, sync with Apple to see a list of your managed devices.

  1. Go to Enrollment program tokens to find the token you created. Select the link under the Enrollment-ready devices column in the same row.
  2. Select Synchronize device list.

Devices displayed in the list can be enrolled. Turn on a device to start the enrollment process.

Configure VPP token

A VPP token links your Intune for Education account to your Apple VPP or Apple School Manager account. You can create a single VPP token to manage applications in your organization, or you can create multiple VPP tokens to distribute management across different sites or administrators.

VPP tokens are required for Intune to:

  • Sync app details to the Intune for Education portal.
  • Assign applications purchased through VPP to groups.
  • Silently install VPP-purchased apps on school devices without requiring the device user's Apple ID.

Without a VPP token, you can still search for and get free iOS apps via the App Store. However, to install the app on the device, the device user must sign in with an Apple ID.

  1. Go to Tenant settings > VPP tokens.
  2. Select Add token.
  3. Give the VPP token a name and follow the on-screen instructions to create the token:
    1. Sign in to Apple School Manager to create and download a token. Use your school's Apple ID to sign in, not your personal one.
    2. Return to the Intune for Education portal and enter the Apple ID you used to sign in to Apple School Manager.
    3. Upload the VPP token file and select the region where your devices are located.
    4. Enable or disable automatic app updates.
  4. Select Save to add the token to Intune.

Tokens expire every 365 days. Because tokens are needed to manage VPP-purchased applications, you must renew them annually.
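The push certificate, the enrollment program token and the VPP token each expire on their own 365-day clock, so one renewal check can cover all three. The following is an added example, not part of the original article or of Microsoft's tooling: it assumes the expiry dates have already been fetched from the Microsoft Graph resources named in the comments (those resource and property names are Graph's, not this article's) and runs on constructed sample data.

```python
from datetime import datetime, timezone

# Constructed sample data, shaped like the responses of three Microsoft Graph
# resources (names are Graph's, not from this article; all values are made up):
#   push: deviceManagement/applePushNotificationCertificate
#   dep:  deviceManagement/depOnboardingSettings (beta endpoint)
#   vpp:  deviceAppManagement/vppTokens
SAMPLE = {
    "push": {"appleIdentifier": "it-admin@school.example",
             "expirationDateTime": "2024-03-01T00:00:00Z"},
    "dep": {"value": [{"tokenName": "Shared iPads",
                       "tokenExpirationDateTime": "2024-01-20T08:30:00.0000000Z"}]},
    "vpp": {"value": [{"organizationName": "Example School",
                       "expirationDateTime": "2023-12-15T00:00:00Z"}]},
}

def parse_ts(value):
    """Parse a UTC timestamp, tolerating a trailing Z and fractional seconds."""
    base = value.split(".")[0].rstrip("Z")
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def collect(payloads):
    """Flatten the three responses into (kind, label, expiry) tuples."""
    push = payloads["push"]
    items = [("MDM push certificate", push["appleIdentifier"],
              parse_ts(push["expirationDateTime"]))]
    for tok in payloads["dep"]["value"]:
        items.append(("Enrollment program token", tok["tokenName"],
                      parse_ts(tok["tokenExpirationDateTime"])))
    for tok in payloads["vpp"]["value"]:
        items.append(("VPP token", tok["organizationName"],
                      parse_ts(tok["expirationDateTime"])))
    return items

def renewal_report(payloads, now, warn_days=30):
    """Return one row per artifact, most urgent first."""
    rows = []
    for kind, label, expiry in collect(payloads):
        if expiry <= now:
            status = "EXPIRED"
        elif (expiry - now).days <= warn_days:
            status = "RENEW SOON"
        else:
            status = "OK"
        rows.append({"kind": kind, "label": label, "status": status,
                     "days_left": (expiry - now).days})
    return sorted(rows, key=lambda r: r["days_left"])

if __name__ == "__main__":
    for row in renewal_report(SAMPLE, datetime.now(timezone.utc)):
        print(f'{row["status"]:<10} {row["days_left"]:>5}d  {row["kind"]} ({row["label"]})')
```

Run on a schedule, a report like this surfaces a token that is about to lapse before devices or apps stop syncing.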

What is a managed device?

To help you understand the difference between a managed and an unmanaged device, let's look at the following scenario.

A teacher brings a personal iOS device to school. During school hours, the teacher uses the device to schedule parent meetings and keep track of class assignments.

The school did not purchase the device through Apple's DEP program, and it is not registered in the Intune for Education tenant. As a result, Intune cannot communicate with the teacher's device. The device is considered unmanaged, so the IT administrator has no control over how the teacher uses the device during school hours.

Also, since it is not a known managed device, the teacher cannot access protected school resources such as email.

Next steps

Purchase free apps from the App Store, or add your apps purchased via VPP to the Intune for Education portal.


