Set up iOS device management
Before you can manage or assign iOS devices to students and teachers, you must set up iOS device management in Intune for Education. Setup requires you to add an MDM Push Certificate and configure at least one enrollment program token (also known as an MDM server token or DEP token).
During setup, you must connect your Intune for Education account with your Apple School Manager account. The connection makes sure that Intune for Education always has the most current details about your purchased iOS devices.
This article describes how to:
Add an Apple MDM push certificate.
Configure and sync an enrollment program token.
Configure an Apple volume purchase plan (VPP) token.
What happens after I set up device management?
After you set up iOS device management, you can use Intune for Education to manage apps and settings on your iOS devices. You also get access to reports and actions so you can troubleshoot conflicts anywhere. Students and teachers in your school can securely access school websites and email.
Requirements
Before beginning, make sure you have:
An internet connection.
Your Apple School Manager account credentials.
Intune for Education device licenses. For more information about device licenses, see Microsoft Intune licensing.
Important
Intune for Education only supports iOS device enrollment for devices set up for Apple automated device enrollment. For more information about how to set up Apple automated device enrollment and Apple School Manager, see Use automated device enrollment (opens Apple Support).
Add an MDM push certificate
An Apple MDM push certificate sets up a secure connection between your Intune and Apple School Manager account. When connected, Intune can continually sync and manage your Apple devices and apps.
Sign in to Intune for Education.
Go to Tenant settings.
Expand iOS Device Management, and then select MDM push certificate.
Select Create certificate.
Follow the onscreen instructions:
Select Download to save the certificate signing request file from Intune.
Sign in to Apple Push Certificates Portal to create and download the push certificate file. Use your school's Apple ID to sign in, not your personal one.
Return to the Intune for Education portal. Next to STEP 3, enter the Apple ID you used to sign in to Apple School Manager.
Upload the Apple push certificate file.
Select Save to create the certificate in Intune for Education.
The push certificate expires every 365 days. The certificate is needed to connect Intune for Education to your Apple School Manager account, so you must renew it yearly. For more information, see Renew iOS certificate token.
Configure enrollment program token
The enrollment program token, sometimes referred to as a mobile device management (MDM) server token, lets Intune sync device details from Apple School Manager. These details inform Intune of the devices it needs to manage, and populate your inventory in Intune for Education.
Shared iPad configuration
You can configure your iOS devices to enroll as Shared iPad devices. With Shared iPad, students and teachers sign in to your school's devices with their unique managed Apple ID. As they move from device to device, their apps and data move with them. A student can use one device to begin writing a paper, and then sign in to a different device later to finish the paper. To learn more about Shared iPad and managed Apple IDs, see:
Students can share classroom devices without using Shared iPad. However, user data doesn't move between devices. Before you configure your server token, you must choose if you want to enable Shared iPad.
Note
If you set up a device with Shared iPad, you get all of the features that come with Shared iPad, except for the Classroom and Schoolwork apps. These apps aren't supported by Intune for Education. Shared iPad features become available after you set up the enrollment program token.
Add enrollment program token
The following steps describe how to add an enrollment program token to Intune for Education.
Go to Tenant Settings.
Expand iOS Device Management, and then select Enrollment program tokens.
Select Add token.
Choose how you want to enroll the devices associated with your new server token. Your options:
Users will log in to devices with their Managed Apple IDs: Choose this option to configure this token for Shared iPad scenarios. All devices assigned to this token are set up so that users must sign in to them with a managed Apple ID.
Anyone can unlock these devices. You can set a passcode for each device if you want: Choose this option if your school isn't using managed Apple IDs. Students can still share devices but the devices are accessed directly, without the need to sign in. Devices might require a device passcode if you set one.
This option can't be changed after you create the token. If you want to change how devices enroll at that point, you must create a new server token.
Select Set up enrollment program token.
Follow the onscreen instructions:
- Choose a device name prefix. Intune for Education names devices by serial number by default. Example: GWRWDDWFWK8J
In this step, you can add a prefix to device names, to help you identify and organize enrolled devices. For example, with the prefix your device name looks like: iPad-GWRWDDWFWK8J
Select Download to save the Intune public key. Later, you upload this key in Apple School Manager.
Select Go to my MDM servers in Apple School Manager to sign in to Apple School Manager. Sign in with your school or department's Apple ID, not your personal one. If you don't have the MDM server information to complete this step, contact your school's Intune administrator.
Create an MDM server and upload the Intune public key. For more information, see Link to a third party MDM server in the Apple help documentation.
Note
The server name is for your reference to identify the MDM server. It is not the name or URL of the Microsoft Intune server.
Generate and download the new server token. This token is the enrollment program token you upload later in Intune.
In Apple School Manager, assign devices to the MDM server. Your assignment options:
- Enter the serial number for each device.
- Paste a list of serial numbers from a CSV file.
- Enter the order number for your entire device purchase.
For more information, see the Apple School Manager User Guide.
Return to Intune for Education and enter the Apple ID you used to sign in to Apple School Manager.
Upload the enrollment program token.
Select Save to add the token to Intune.
Enrollment program tokens expire every 365 days. The token is needed to view and manage your devices in the Intune for Education portal. You must renew it yearly to keep it active.
Device enrollment profile
Intune for Education creates and applies an iOS enrollment profile to each enrollment profile you configure.
All iOS devices added to Intune for Education are set to supervised mode. Supervised mode gives you, as an admin, more control over your school's devices. For example, you can push new apps or app updates silently to a device. For a complete list of supervised-only settings, see the article, Configurations requiring supervision.
Intune for Education applies a naming scheme to devices that you enroll with an enrollment program token. The name helps you identify and group individual devices. By default, devices are named with their device serial number. You can also add on a custom device name when you set up your enrollment program token.
For more details about enrollment profiles, view the list of settings configured during enrollment.
Sync managed devices
Now that Intune for Education has permission to manage your iOS devices, sync with Apple to view a list of your managed devices.
Go to Enrollment program tokens.
Find the token you created, and then select the link that's under the Devices ready to enroll column in the same row.
Select Sync device list.
Devices that appear in the list are ready for enrollment. Power them on to start the enrollment process.
Configure VPP tokens
A VPP token links your Intune for Education account to your Apple VPP or Apple School Manager account. You can create a single VPP token to manage apps across the entire organization, or you can create multiple VPP tokens to spread management across different locations or admins.
VPP tokens are necessary for Intune to:
- Sync app details in the Intune for Education portal.
- Assign VPP-purchased apps to groups.
- Silently install VPP-purchased apps on school devices, with no need for the device user's Apple ID.
Without a VPP token, you can still search and get free iOS apps through the App Store. However, to install the app on the device, the device user must sign in with an Apple ID.
Go to Tenant Settings.
Expand iOS Device Management and select VPP Tokens.
Select Add token.
Name the VPP token.
From step 1 to step 4, follow the onscreen instructions to create the token:
Select Go to Apple School Manager Settings to create and download an Apps and Books server token in Apple School Manager.
Sign in to Apple School Manager. Sign in with your school or department's Apple ID, not your personal one.
Configure a new location. For more information, see the Apple School Manager guide from Apple Support.
Download the server token for the location in Apple School Manager.
Return to Intune for Education, and enter the Apple ID you used to sign in to Apple School Manager.
Upload the VPP token file you downloaded in Apple School Manager. Then select the region where your devices are.
Enable or disable automatic app updates.
Select Save to add the token to Intune.
Tokens expire every 365 days. Tokens are needed to manage VPP-purchased apps, so you must renew them yearly to keep them active.
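The MDM push certificate, the enrollment program token, and each VPP token all expire after 365 days, so a scheduled check helps you renew before device or app management stops. The following Python script is an added example, not part of the original article or of Intune for Education. It assumes you have exported each credential's expiry timestamp (for example from the Microsoft Graph resources named in the comments); the `label` key and all sample values are constructed for illustration.

```python
from datetime import datetime, timezone

# Expiry property per credential type. The property names follow the Microsoft
# Graph Intune resources noted on each line; adjust them if your export differs.
EXPIRY_FIELD = {
    "push_certificate": "expirationDateTime",       # applePushNotificationCertificate
    "enrollment_token": "tokenExpirationDateTime",  # depOnboardingSetting (beta endpoint)
    "vpp_token": "expirationDateTime",              # vppToken
}

# Constructed sample export; "label" is a hypothetical display name, not a Graph field.
SAMPLE = {
    "push_certificate": [{"label": "MDM push certificate",
                          "expirationDateTime": "2025-06-20T00:00:00Z"}],
    "enrollment_token": [{"label": "Main campus token",
                          "tokenExpirationDateTime": "2025-09-15T12:00:00Z"}],
    "vpp_token": [{"label": "North campus VPP",
                   "expirationDateTime": "2025-05-28T00:00:00Z"},
                  {"label": "South campus VPP"}],  # expiry missing from the export
}
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed "today" for the sample

def parse_utc(stamp):
    """Parse an ISO 8601 timestamp such as 2025-06-20T00:00:00Z as UTC."""
    parsed = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)

def renewal_report(credentials, now, warn_days=30):
    """Return (status, days_left, kind, label) rows, most urgent first."""
    rows = []
    for kind, items in credentials.items():
        for item in items:
            label = item.get("label", kind)
            stamp = item.get(EXPIRY_FIELD[kind])
            if not stamp:
                # No expiry recorded: surface it instead of assuming it is valid.
                rows.append(("UNKNOWN", None, kind, label))
                continue
            days_left = (parse_utc(stamp) - now).days
            status = ("EXPIRED" if days_left < 0
                      else "RENEW" if days_left <= warn_days else "OK")
            rows.append((status, days_left, kind, label))
    # Unknown expiry sorts first, then the fewest days remaining.
    return sorted(rows, key=lambda r: (r[1] is not None, r[1] or 0))

if __name__ == "__main__":
    for status, days_left, kind, label in renewal_report(SAMPLE, NOW):
        print(f"{status:8} {str(days_left):>5}  {kind:17} {label}")
```

Run it on a schedule with the current time in place of `NOW`, and set `warn_days` to match how long a renewal takes at your school.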
Next steps
Purchase free apps from the App Store, or add your VPP-purchased apps to Intune for Education.