
Managing Apple Devices in Microsoft 365 With Intune

Scott Lester
24 April 2024
4 min read

Whilst it might occasionally make you shout and swear, it is possible to manage Apple devices from Microsoft 365 and Intune. This blog covers a crucial part of doing so - managing the connections between Apple and Intune.

We’ve previously written a two-part guide on getting started with Intune (part 1, part 2). Part 1 details the pre-requisites for managing Apple devices, and this blog expands on that by focussing on two connectors that you need to keep on top of.

Both are certificates that last for a year, which is why you need to keep on top of them. One provides the link between Intune and Apple devices; the other is what lets apps added in Apple Business Manager (ABM) be deployed to managed devices.

APNs Certificate

Also called an Apple MDM Push certificate, this one is used for the communication between Intune/Apple and your devices. Without it, devices can’t communicate with Intune, and therefore can’t enrol.

If you do try and enrol a device without a valid APNs in place, you’ll get an error that says “Couldn’t add your device. Contact your IT admin for assistance with this issue. APNSCertificateNotValid”.

To view your certificate, go to the macOS enrollment page in Intune; it’s shown at the top:

[Image: APNs]

It has to be generated with an Apple ID, which makes that particular ID crucial, as you need continuing access to generate new certificates. For that reason, it might be sensible to use a shared mailbox or alias to hold the primary Apple ID for a tenant.

To create a new certificate you need to follow the process on Intune; this involves downloading a Certificate Signing Request from Intune, uploading that to Apple and downloading a corresponding certificate, which finally needs to be uploaded to Intune.

For more information on the APNs certificate, there’s more on this Microsoft blog, and various useful threads on the Intune Subreddit.

What to do if your APNs certificate has expired

This is something you really, really want to avoid. Put the expiry date in the calendar!

Worst case, replacing the APNs certificate with a new one means re-enrolling all your Apple devices, which isn’t fun.

The best case is that it’s under 30 days since the certificate expired, in which case Apple can help. We had this with a customer, and thankfully it was within the 30-day grace period.

You need to speak to Apple Business support. In our case, the first person said they couldn’t help, but mentioning it was within the grace period got a referral to (I’m guessing) second-line support, where we got great help from a man called Fintan.

Given an expired certificate serial number and another admin Apple ID, they can do something at the backend to move all your devices onto a new certificate. You can then upload a CSR to identity.apple.com, download a new certificate (e.g. MDM_ Microsoft Corporation_Certificate-APNS.pem) and upload it to Intune.

VPP Token

If, like many organisations, you’re using device management to also control software applications, then you’ll likely have blocked the Apple App Store and put restrictions around the use of iCloud accounts. That means your mechanisms for pushing apps are either:

  1. Pushing them via a PKG application in Intune, or,
  2. adding them to Apple Business Manager and using a Volume Purchase Programme (VPP) token to sync those apps to Intune.

The former method works if the app isn’t licensed via the App Store, and where you can find a PKG installer file (it doesn’t work for DMG files). Most enterprise apps release PKG installers for exactly this purpose: common examples include Zoom and Chrome Enterprise.

Where the app is only available from the App Store, you have to buy or add it in Apple Business Manager, and use the VPP token to sync those licenses with Intune so they can be assigned to users. To set it up, download your token from Apple Business Manager: click your username in the bottom left, and then go to Payments and Billing:

[Image: VPP Token Download]

In Intune, the token is in Tenant administration > Connectors and tokens > Apple VPP Tokens.

It looks like ABM syncs daily, but if you want to hurry it along there’s a (fairly well hidden) manual sync option on the three dots to the right of the token in Intune:

[Image: VPP Sync]

What to do if your VPP token has expired

This one isn’t so bad. Don’t add the new token as a separate token in Intune, as that will break the link to previously added and assigned licenses.

Instead, go to the token in Intune, click on it, and edit the Basics. That lets you upload a new token:

[Image: VPP Upload]

The new token should replace the old one.
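Because both connectors expire after a year, and the APNs recovery options depend on whether you are still inside Apple’s 30-day grace period, it is worth checking expiry dates automatically rather than relying on the calendar. The script below is an added example, not part of the original post or of any Microsoft tooling: it classifies the APNs certificate and each VPP token by days to expiry, using constructed sample responses shaped like the objects Microsoft Graph returns from `GET /deviceManagement/applePushNotificationCertificate` and `GET /deviceAppManagement/vppTokens` (the identities and dates are made up, and the 30-day warning window is an assumption).

```python
import json
from datetime import datetime

APNS_GRACE_DAYS = 30   # Apple can still migrate devices within 30 days of APNs expiry
WARN_DAYS = 30         # assumed: how far ahead of expiry to raise a renewal warning

# Constructed sample responses (not real tenant data), shaped like the Graph
# objects from /deviceManagement/applePushNotificationCertificate and
# /deviceAppManagement/vppTokens. Fetching them live needs a Graph token with
# DeviceManagementServiceConfig.Read.All / DeviceManagementApps.Read.All.
SAMPLE_APNS = json.dumps({
    "appleIdentifier": "intune-apple@example.com",      # the shared Apple ID
    "expirationDateTime": "2024-05-10T09:30:00Z",
    "certificateSerialNumber": "PLACEHOLDER-SERIAL",
})
SAMPLE_VPP = json.dumps({"value": [
    {"appleId": "intune-apple@example.com", "organizationName": "Example Ltd",
     "expirationDateTime": "2024-03-01T00:00:00Z", "state": "valid"},
]})


def _parse_graph_time(s):
    # Graph returns ISO 8601 UTC timestamps with a trailing "Z"
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def assess(expiry_iso, now_iso, grace_days=0):
    """Classify an expiry date relative to now.
    Returns (status, days): days until expiry (negative once it has passed)."""
    days = (_parse_graph_time(expiry_iso) - _parse_graph_time(now_iso)).days
    if days < 0:
        # For APNs, -days <= 30 means Apple Business support can still help
        status = "expired-in-grace" if -days <= grace_days else "expired"
    elif days <= WARN_DAYS:
        status = "expiring-soon"
    else:
        status = "valid"
    return status, days


def check_connectors(apns_json, vpp_json, now_iso):
    """Return (connector, identity, status, days) for the APNs cert and each VPP token."""
    apns = json.loads(apns_json)
    results = [("APNs", apns["appleIdentifier"],
                *assess(apns["expirationDateTime"], now_iso, APNS_GRACE_DAYS))]
    for tok in json.loads(vpp_json)["value"]:
        # VPP tokens get no grace handling: just replace the token via Basics in Intune
        results.append(("VPP", tok["organizationName"], *assess(tok["expirationDateTime"], now_iso)))
    return results


if __name__ == "__main__":
    for row in check_connectors(SAMPLE_APNS, SAMPLE_VPP, "2024-04-24T00:00:00Z"):
        print("%-4s %-25s %-16s %+d days" % row)
```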

About Scott Lester
Scott is a technical Cyber Security professional with over fifteen years' experience across a broad range of roles within the public and private sectors. With a deep understanding of cyber security, he has in his career focussed on applied cryptography, network technologies, digital forensics and security research. At Hexiosec he leads the delivery of all of our cyber security services.