To sync Apple devices and apps to Intune you need tokens created by Apple and uploaded to Intune. There are at least three separate tokens you may use, each of which expires one year after it is created and must be renewed before that date.
The three (or more) tokens you need are:
- Apple MDM Push certificate
- Apple Business Manager enrolment program token (previously known as DEP tokens)
- Apple VPP tokens (now called Apps and Books tokens, Apple's new name for them), one token per location.
Apple MDM Push Certificate
There is only one of these per Intune tenant. If you do not renew this certificate before it expires, every enrolled Apple device loses its connection to Intune and has to be re-enrolled.
Therefore this one must be renewed before the year is up.
Renew it with the same Apple ID that was used to create it. The certificate is tied to that Apple ID (the push topic is issued against it), so requesting one with a different Apple ID produces a new certificate rather than a renewal, and devices enrolled against the old certificate must be re-enrolled. Use a shared, monitored company Apple ID rather than an individual's account so this is still possible when staff leave.
To do this, go to the Intune Management Portal (https://intune.microsoft.com) > Devices > iOS/iPadOS > iOS/iPadOS Enrollment > Apple MDM Push Certificate
Apple Business Manager Enrolment Program Token (DEP)
This is only used if you purchase your Apple devices through the Apple Business Manager (ABM) or Apple School Manager (ASM) program. It used to be known as DEP.
This token can only be downloaded from Apple Business/School Manager by a user with the Administrator role (or the Device Enrolment Manager role), and Apple caps the number of users who can hold the Administrator role at four.
It needs renewing before it expires. The Apple ID you enter in Intune when renewing is recorded for reference only, so changing it has no impact; what matters is that the new token is downloaded from the same MDM server entry in ABM.
To renew, download the new token from the MDM server page in ABM (or ASM) and upload it to Intune. On upload, Intune automatically resyncs all devices assigned to that MDM server from ABM (or ASM).
You can have more than one ABM instance (for example due to mergers or different corporate regions) and therefore can have more than one token to renew each year.
To do this, go to the Intune Management Portal (https://intune.microsoft.com) > Devices > iOS/iPadOS > iOS/iPadOS Enrollment > Enrollment Program Tokens > Click your existing token(s) and Renew Token.
In Apple Business Manager you will find the token under your MDM servers. As an Administrator or Device Enrolment Manager, go to https://business.apple.com (or https://school.apple.com) > click your name bottom left > Preferences > click your Intune instance under “Your MDM Servers” and then click “Download Token” at the top of the page.
Apple VPP Token
This is used to sync apps from Apple Business/School Manager into Intune. You will have at least one token per ABM instance (one per location), and as you can have more than one ABM instance you could have several tokens to renew each year. Each app appears against a single token.
Failure to renew means the apps stop updating. Renewing late (after the token has already expired) results in every app appearing twice in Intune: one copy is the assigned app that exists because of the old, expired token, and the other copy, from the new token, is unassigned. Each unassigned app must be configured and assigned to match the old one, and the old copies disappear once the expired token is removed from Tenant administration > Connectors and Tokens > Apple VPP tokens. Devices should see no impact, as they are reassigned the same apps as before.
To do this in Intune go to the Intune Management Portal (https://intune.microsoft.com) > Tenant Administration > Connectors and Tokens > Apple VPP Tokens. Here you can create a new token, and sync (pull the app list into Intune) for an existing token.
The matching location in Apple Business Manager is Preferences (click your name bottom left) > Payments and Billing > download the Content Token for the location that matches your MDM. If you are migrating from one MDM to another you can reuse the same token; otherwise you need to create one location per language and MDM server.
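Because all three of the tokens above expire a year after creation, the practical check is a scheduled job that reads their expiry dates and warns before the renewal window closes. The script below is an added example, not code from the original article or from Microsoft. It reads the expiry dates from the Microsoft Graph endpoints Intune exposes for the push certificate (deviceManagement/applePushNotificationCertificate), the enrollment program tokens (deviceManagement/depOnboardingSettings, which is only in the beta API) and the VPP tokens (deviceAppManagement/vppTokens), and flags anything expired or within a warning window. The sample responses, tenant names and dates are constructed so the classification runs offline; the Graph permission scopes named in `fetch` are the ones I believe apply and should be checked against your tenant.

```python
"""Report Apple tokens in an Intune tenant that are near or past expiry.

Added example (not part of the original article). Graph paths and property
names are those the Intune Graph API exposes for the three token types;
sample responses below are constructed so the report runs offline.
"""
import json
import urllib.request
from datetime import datetime, timezone

GRAPH = "https://graph.microsoft.com"

# One entry per token type: Graph URL, property holding the expiry date,
# and the property used to name the token in the report.
TOKEN_SOURCES = {
    "MDM push certificate": (
        f"{GRAPH}/v1.0/deviceManagement/applePushNotificationCertificate",
        "expirationDateTime", "appleIdentifier"),
    "Enrollment program token": (
        f"{GRAPH}/beta/deviceManagement/depOnboardingSettings",
        "tokenExpirationDateTime", "tokenName"),
    "VPP token": (
        f"{GRAPH}/v1.0/deviceAppManagement/vppTokens",
        "expirationDateTime", "organizationName"),
}


def parse_graph_time(value: str) -> datetime:
    """Parse a Graph UTC timestamp; Graph may emit 7 fractional digits."""
    value = value.rstrip("Z")
    if "." in value:
        head, frac = value.split(".", 1)
        value = f"{head}.{frac[:6]}"      # fromisoformat accepts at most 6
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def classify(kind: str, item: dict, now: datetime, warn_days: int = 30) -> dict:
    """Return a report row for one token: EXPIRED, RENEW SOON or OK."""
    _, expiry_prop, name_prop = TOKEN_SOURCES[kind]
    expires = parse_graph_time(item[expiry_prop])
    days_left = (expires - now).days      # negative once the token has expired
    if expires <= now:
        status = "EXPIRED"
    elif days_left <= warn_days:
        status = "RENEW SOON"
    else:
        status = "OK"
    return {"kind": kind, "name": item.get(name_prop, "?"),
            "expires": expires.isoformat(), "days_left": days_left,
            "status": status}


def report(responses: dict, now: datetime, warn_days: int = 30) -> list:
    """Classify every token in the Graph responses, soonest expiry first."""
    rows = []
    for kind, body in responses.items():
        # The push certificate is a singleton object; the others are collections.
        items = body.get("value", [body])
        rows.extend(classify(kind, item, now, warn_days) for item in items)
    return sorted(rows, key=lambda r: r["days_left"])


def fetch(access_token: str) -> dict:
    """Live version: call Graph with a bearer token (needs network).

    Assumed scopes: DeviceManagementServiceConfig.Read.All for the push
    certificate and DEP tokens, DeviceManagementApps.Read.All for VPP tokens.
    """
    out = {}
    for kind, (url, _, _) in TOKEN_SOURCES.items():
        req = urllib.request.Request(
            url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req) as resp:
            out[kind] = json.load(resp)
    return out


# Constructed sample data: a tenant checked on 1 June 2024 with one push
# certificate, two ABM instances (one token already expired) and one VPP token.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_RESPONSES = {
    "MDM push certificate": {
        "appleIdentifier": "mdm-admin@example.com",
        "expirationDateTime": "2024-06-20T09:15:00Z"},
    "Enrollment program token": {"value": [
        {"tokenName": "Contoso EMEA",
         "tokenExpirationDateTime": "2025-03-02T00:00:00Z"},
        {"tokenName": "Contoso APAC",
         "tokenExpirationDateTime": "2024-05-28T00:00:00.0000000Z"}]},
    "VPP token": {"value": [
        {"organizationName": "Contoso Ltd",
         "expirationDateTime": "2024-06-25T12:00:00Z"}]},
}

if __name__ == "__main__":
    for row in report(SAMPLE_RESPONSES, SAMPLE_NOW):
        print(f"{row['status']:<10} {row['days_left']:>5}d  "
              f"{row['kind']}: {row['name']} (expires {row['expires']})")
```

Run it from a scheduled task with `fetch(token)` in place of `SAMPLE_RESPONSES`, and route any EXPIRED or RENEW SOON row to whoever holds the shared Apple ID; for the push certificate in particular, a warning 30 days out is the difference between a renewal and a fleet-wide re-enrolment.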