Whilst it might occasionally make you shout and swear, it is possible to manage Apple devices from Microsoft 365 and Intune. This blog covers a crucial part of doing so - managing the connections between Apple and Intune.
We’ve previously written a two-part guide on getting started with Intune (part 1, part 2). Part 1 details the pre-requisites for managing Apple devices, and this blog expands on that by focussing on two connectors that you need to keep on top of.
Both are certificates that last for a year, which is why you need to keep on top of them. They provide the link between Intune and Apple devices, and they are also the means by which apps added in Apple Business Manager (ABM) get deployed to managed devices.
APNs Certificate
Also called an Apple MDM Push certificate, this one is used for the communication between Intune/Apple and your devices. Without it, devices can’t communicate with Intune, and therefore can’t enrol.
If you do try to enrol a device without a valid APNs certificate in place, you’ll get an error that says “Couldn’t add your device. Contact your IT admin for assistance with this issue. APNSCertificateNotValid”.
To view your certificate, go to the macOS enrollment page in Intune; it is shown at the top of that page.
It has to be generated with an Apple ID, which makes that particular ID crucial, as you need continuing access to generate new certificates. For that reason, it might be sensible to use a shared mailbox or alias to hold the primary Apple ID for a tenant.
To create a new certificate you need to follow the process on Intune; this involves downloading a Certificate Signing Request from Intune, uploading that to Apple and downloading a corresponding certificate, which finally needs to be uploaded to Intune.
For more information on the APNs certificate, there’s more on this Microsoft blog, and various useful threads on the Intune Subreddit.
What to do if your APNs certificate has expired
This is something you really, really want to avoid. Put the expiry date in the calendar!
Worst case, replacing the APNs certificate with a new certificate means re-enrolling all your Apple devices, which isn’t fun.
The best case is that it’s under 30 days since the certificate expired, in which case Apple can help. We had this with a customer, and thankfully it was within the 30-day grace period.
You need to speak to Apple Business support. In our case, the first person said they couldn’t help, but mentioning it was within the grace period got a referral to (I’m guessing) second-line support, where we got great help from a man called Fintan.
Given the expired certificate’s serial number and another admin Apple ID, they can do something at the backend to move all your devices onto a new certificate. You can then upload a CSR to identity.apple.com and download a new certificate (e.g. MDM_ Microsoft Corporation_Certificate-APNS.pem), which can be uploaded to Intune.
VPP Token
If, like many organisations, you’re using device management to also control software applications, then you’ll likely have blocked the Apple App Store and put restrictions around the use of iCloud accounts. This means your mechanisms for pushing apps are either:
- pushing them via a PKG application in Intune, or
- adding them to Apple Business Manager and using a Volume Purchase Programme (VPP) token to sync those apps to Intune.
The former method works if the app isn’t licensed via the App Store, and where you can find a PKG installer file (it doesn’t work for DMG files). Most enterprise apps release PKG installers for exactly this purpose: common examples include Zoom and Chrome Enterprise.
Where the app is only available from the App Store, you have to buy or add it in Apple Business Manager, and use the VPP token to sync those licenses with Intune so they can be assigned to users. To set it up, download your token from Apple Business Manager: click your username in the bottom left, and then go to Payments and Billing.
In Intune, the token is in Tenant administration > Connectors and tokens > Apple VPP Tokens.
It looks like ABM syncs daily, but if you want to hurry it along there’s a (fairly well hidden) manual sync option under the three dots to the right of the token in Intune.
What to do if your VPP token has expired
This one isn’t so bad. Don’t add a new token, as that will break the link to previously added and assigned licenses.
Instead, go to the token in Intune, click on it, and edit the Basics. That lets you upload a new token.
The new token should replace the old one.
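Both sections above come down to the same task: knowing how far each connector is from expiry, and, for APNs, whether an expired certificate is still inside Apple’s 30-day grace period. The script below is an added example (not from the original post) that classifies the APNs certificate and VPP tokens from the JSON Microsoft Graph returns for `/deviceManagement/applePushNotificationCertificate` and `/deviceManagement/vppTokens`; the two responses are constructed samples so it runs offline, and the Apple IDs, serial and dates in them are placeholders.

```python
import json
from datetime import datetime, timezone

WARN_DAYS = 30        # start alerting this far ahead of expiry
APNS_GRACE_DAYS = 30  # window in which Apple support could still migrate devices

# Constructed sample shaped like GET /deviceManagement/applePushNotificationCertificate
APNS_SAMPLE = json.dumps({
    "appleIdentifier": "mdm-admin@example.com",
    "certificateSerialNumber": "PLACEHOLDER-SERIAL",
    "expirationDateTime": "2024-06-20T09:15:00Z",
})
# Constructed sample shaped like GET /deviceManagement/vppTokens
VPP_SAMPLE = json.dumps({"value": [
    {"organizationName": "Example Ltd", "appleId": "vpp@example.com",
     "state": "valid", "expirationDateTime": "2025-01-10T00:00:00Z"},
    {"organizationName": "Example Ltd (old)", "appleId": "vpp@example.com",
     "state": "expired", "expirationDateTime": "2024-05-01T00:00:00Z"},
]})

def parse_graph_time(value: str) -> datetime:
    """Graph emits ISO-8601 with a trailing 'Z'; return an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def classify(expires: datetime, now: datetime, grace_days: int = 0) -> str:
    """OK, WARN (inside WARN_DAYS), GRACE (expired but recoverable), EXPIRED."""
    days = (expires - now).days
    if days >= WARN_DAYS:
        return "OK"
    if days >= 0:
        return "WARN"
    if -days <= grace_days:
        return "GRACE"
    return "EXPIRED"

def check_connectors(apns_json: str, vpp_json: str, now_iso: str) -> dict:
    """Map each connector to its status as of now_iso (e.g. '2024-06-01T00:00:00Z')."""
    now = parse_graph_time(now_iso)
    apns = json.loads(apns_json)
    results = {"APNs:" + apns["appleIdentifier"]: classify(
        parse_graph_time(apns["expirationDateTime"]), now, APNS_GRACE_DAYS)}
    for token in json.loads(vpp_json)["value"]:
        # The post describes no grace window for VPP, so none is applied here.
        results["VPP:" + token["organizationName"]] = classify(
            parse_graph_time(token["expirationDateTime"]), now)
    return results

if __name__ == "__main__":
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    print(check_connectors(APNS_SAMPLE, VPP_SAMPLE, now))
```

In a real tenant you would fetch the two responses with an authenticated Graph client and feed them to `check_connectors`, then page anything other than OK.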