Renewing Apple Tokens in Intune


To sync Apple OS devices to Intune you need a token created by Apple and uploaded to Intune. There are at least 3 separate tokens that you might use, and each of these expires one year after creation and needs renewing before it expires.

The three (plus) tokens you need are:

  1. Apple MDM Push certificate
  2. Apple Business Manager enrolment program token (previously known as DEP tokens)
  3. Apple VPP Tokens (or Apps and Books tokens, Apple's new name for them), one token per location.

Apple MDM Push Certificate

There will be only one of these, and if you do not renew this certificate before it expires then you will lose connectivity to all your devices and need to re-enrol them all.

Therefore, this one must be renewed before the year expires.

You can renew this certificate with the same Apple ID or a different Apple ID when it comes to renewal – changing Apple ID has no impact. As mentioned above, the only issue here is not renewing before the expiry date.

Don’t let this token expire

To do this, go to the Intune Management Portal (https://intune.microsoft.com) > Devices > iOS/iPadOS > iOS/iPadOS Enrollment > Apple MDM Push Certificate

Apple Business Manager Enrolment Program Token (DEP)

This is only used if you purchase your Apple devices via the Apple Business Manager (ABM) or Apple Schools Manager (ASM) program. This used to be known as DEP.

This token is only obtainable in Apple Business/Schools Manager if you have an Administrator role, and you can only have a maximum of four users with this role.

It needs renewing before it expires, and there is no impact from changing the Apple ID used when renewing.

To renew, you download the token from the MDM page in ABM and upload it to Intune. On upload, Intune will automatically resync all devices from ABM (or ASM).

You can have more than one ABM instance (for example due to mergers or different corporate regions) and therefore can have more than one token to renew each year.

Ensure you renew this before it expires

To do this, go to the Intune Management Portal (https://intune.microsoft.com) > Devices > iOS/iPadOS > iOS/iPadOS Enrollment > Enrollment Program Tokens > Click your existing token(s) and Renew Token.

In Apple Business Manager you will find the token under your MDM Servers. This is found if you are an Administrator or Device Enrolment Manager at https://business.apple.com (or https://school.apple.com) > Click your name bottom left > Preferences > Click your Intune instance under “Your MDM Servers” and then click “Download Token” from the top of the page:

Apple VPP Token

This is used to sync apps from Apple Business/School Manager into Intune. You will have one token per ABM instance, and as you can have more than one ABM instance you could have more than one token to renew each year. Each app appears against a single token.

Failure to renew will result in apps not being updated, and renewing late (after the token has already expired) will result in all the apps appearing a second time in Intune; each will need assigning to its groups again, and the old apps (from the expired token) will need removing. Devices will not see any impact, as they should be reassigned the same apps as before.

Failing to renew the VPP token will result in all apps appearing twice

Failing to renew the VPP token will result in all apps appearing twice – one will be assigned (and exists due to the old, expired token) and one will not be assigned. Each app that is not assigned will need to be configured to match the assigned one, and the assigned one will disappear when the expired token is removed from the Intune Tenant Administration > Connectors and Tokens > Apple VPP Tokens page.

To do this in Intune go to the Intune Management Portal (https://intune.microsoft.com) > Tenant Administration > Connectors and Tokens > Apple VPP Tokens. Here you can create a new token, and sync (download software to Intune) for an existing token.

The matching location in Apple Business Manager is Preferences (click your name bottom left) > Payments and Billing > Download the correct Content Token for the location that matches your MDM. If you are migrating from one MDM to another you can use the same token; otherwise you need to create a location (shown in the box below) per language and MDM server:

Getting the Content Token in Apple Business Manager
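Because all three token types expire on their own anniversaries, and a tenant can hold several DEP and VPP tokens at once, it is worth checking every expiry date from one place rather than visiting each portal page. The script below is an added example, not part of the original post: it reads the expiry timestamps from the Microsoft Graph endpoints that back the Intune portal pages described above (the Apple MDM Push certificate, the enrolment program tokens and the VPP tokens), and reports which tokens are expired, due for renewal within 30 days, or fine. The Graph paths and property names are taken from the documented Intune Graph resources; the sample JSON payloads, the tenant names and the "now" date are constructed for the demonstration and do not come from any real tenant.

```python
"""Expiry report for the Apple tokens an Intune tenant depends on.

Added example: reads Microsoft Graph (Intune) for the Apple MDM Push
certificate, the ABM/ASM enrolment program (DEP) tokens and the VPP tokens,
and flags any that are expired or due for renewal. The sample payloads at
the bottom are constructed, not real tenant data.
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

GRAPH = "https://graph.microsoft.com"
WARN_DAYS = 30  # renewal window: flag anything expiring within this many days

# Token type -> (Graph URL, is the response a collection?, expiry property name)
TOKEN_SOURCES = {
    "Apple MDM Push certificate": (
        f"{GRAPH}/v1.0/deviceManagement/applePushNotificationCertificate",
        False, "expirationDateTime"),
    "ABM enrolment program token (DEP)": (
        f"{GRAPH}/beta/deviceManagement/depOnboardingSettings",
        True, "tokenExpirationDateTime"),
    "Apple VPP token": (
        f"{GRAPH}/v1.0/deviceAppManagement/vppTokens",
        True, "expirationDateTime"),
}


def parse_graph_time(value):
    """Parse a Graph timestamp such as 2025-01-10T12:00:00Z or
    2025-01-10T12:00:00.0000000Z (seven fractional digits) into a UTC datetime."""
    value = value.rstrip("Z")
    if "." in value:
        base, frac = value.split(".", 1)
        value = f"{base}.{frac[:6].ljust(6, '0')}"  # strptime accepts at most 6 digits
        fmt = "%Y-%m-%dT%H:%M:%S.%f"
    else:
        fmt = "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def classify(expiry, now):
    """EXPIRED, RENEW NOW (inside the warning window) or OK."""
    if expiry <= now:
        return "EXPIRED"
    if expiry - now <= timedelta(days=WARN_DAYS):
        return "RENEW NOW"
    return "OK"


def build_report(payloads, now):
    """Turn raw Graph payloads (keyed by token type) into report rows.

    Works on already-fetched JSON so it can run offline and be tested;
    fetch_all() below is the live counterpart."""
    rows = []
    for name, (_url, is_collection, prop) in TOKEN_SOURCES.items():
        payload = payloads.get(name)
        if payload is None:
            continue
        items = payload.get("value", []) if is_collection else [payload]
        for item in items:
            expiry = parse_graph_time(item[prop])
            # The identifying field differs per resource; take whichever is present
            ident = (item.get("tokenName") or item.get("organizationName")
                     or item.get("appleIdentifier") or item.get("appleId") or "?")
            rows.append({
                "token": name,
                "identifier": ident,
                "expires": expiry.isoformat(),
                "days_left": (expiry - now).days,
                "status": classify(expiry, now),
            })
    return rows


def fetch_all(access_token):
    """Live mode: GET each endpoint with a Graph bearer token that has
    DeviceManagementServiceConfig.Read.All and DeviceManagementApps.Read.All."""
    payloads = {}
    for name, (url, _is_collection, _prop) in TOKEN_SOURCES.items():
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req) as resp:
            payloads[name] = json.load(resp)
    return payloads


# Constructed sample data: one push certificate, two ABM instances (a merger)
# and two VPP locations, with one DEP token due soon and one VPP token expired.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_PAYLOADS = {
    "Apple MDM Push certificate": {
        "appleIdentifier": "apple@contoso.example", "expirationDateTime": "2025-03-15T09:00:00Z"},
    "ABM enrolment program token (DEP)": {"value": [
        {"tokenName": "Contoso UK ABM", "appleIdentifier": "apple@contoso.example",
         "tokenExpirationDateTime": "2024-06-20T12:00:00Z"},
        {"tokenName": "Fabrikam ABM (merger)", "appleIdentifier": "apple@fabrikam.example",
         "tokenExpirationDateTime": "2025-01-10T12:00:00.0000000Z"},
    ]},
    "Apple VPP token": {"value": [
        {"organizationName": "Contoso UK", "appleId": "apple@contoso.example",
         "state": "valid", "expirationDateTime": "2024-11-01T00:00:00Z"},
        {"organizationName": "Fabrikam", "appleId": "apple@fabrikam.example",
         "state": "expired", "expirationDateTime": "2024-05-10T00:00:00Z"},
    ]},
}

if __name__ == "__main__":
    for row in build_report(SAMPLE_PAYLOADS, SAMPLE_NOW):
        print(f"{row['status']:<9} {row['days_left']:>5}d  {row['token']}: {row['identifier']}")
```

Run as-is it prints the report for the constructed sample; replace `SAMPLE_PAYLOADS` with `fetch_all(token)` to report on a real tenant. Scheduling this (or the equivalent Graph query in PowerShell) to run monthly is the simplest way to avoid the expired VPP token situation described above, since the "days_left" column makes an expiry one year after someone else uploaded a token visible before the portal shows a red status.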


Comments

6 responses to “Renewing Apple Tokens in Intune”

  1. Norman

    Hi Brian,

    There’s been differing views on a few forums on whether the changing the Apple ID for Apple MDM Push Certificate will cause all devices to need re-enrolling. Has this been tested on your end or confirmed by MS?

    Regards
    Norman

    1. Brian Reid

      Changing the Apple ID for the token does not require the devices to reenrol.

  2. Robert Warner

    Thanks for this article, it’s a really good overview.

    What happens if you’ve renewed the APN certificate, the VPP token and the SCIM token on time, but somehow you missed the DEP token?

    Unfortunately we find ourselves in this position as our DEP token expired three weeks ago. I renewed it last night, and everything now shows up with green ticks on the 365 side, but not sure what the impact of this is going to be. Really hoping we won’t need to re-enrol devices.

    Possibly unrelated, but a new optional app assigned to the iPhones is not showing up under Managed Apps either.

    1. Brian Reid

      Apps take 24 hours to appear in Intune, unless you sync the apps via the VPP token (click … to the right of the token and choose sync – wait 15 minutes – your new apps should now appear). I have not tried “not renewing the DEP token” so I have no idea if it breaks anything or not.

  3. Tim

    Hi Brian,
    Thank you for the great info. I have to renew VPP & Intune Enrollment Token. This was originally enrolled by another member of my team. Will renewing the VPP & Intune Enrollment Token under my username break anything? We are both admins under the same ABM account.

    Thank you

    1. Brian Reid

      I have not had an issue doing this with the VPP token before. I have sometimes seen that I cannot issue a new token for a new user account for the Intune Enrolment Token, but if I log in as the existing user then I can renew the token and it works fine. If the existing user has left the company, just add their email address to your mailbox and perform a password and MFA reset of the Apple ID – it will send the info to your mailbox.

      I intentionally make a shared mailbox on any tenant I set this up on with an email address of apple@tenant.com and then assign that shared mailbox to whoever needs to reset the tokens. I add google@tenant.com to the same mailbox, though I do not need to renew the Google MDM enrolment at this time.
