To sync Apple OS devices to Intune you need a token created by Apple and uploaded to Intune. There are at least three separate tokens that you might use; each expires one year after creation and needs renewing before it expires.
The three (plus) tokens you need are:
- Apple MDM Push certificate
- Apple Business Manager enrolment program token (previously known as DEP tokens)
- Apple VPP Tokens (or Apps and Books token, Apple's new name for them)
Apple MDM Push Certificate
There will be only one of these, and if you do not renew this certificate before it expires then you will lose connectivity to all your devices and need to re-enrol them all.
Therefore, this one must be renewed before the year expires.
You can renew this certificate with the same Apple ID or a different Apple ID when it comes to renewal – changing Apple ID has no impact. As mentioned above, the only issue here is not renewing before the expiry date.
Apple Business Manager Enrolment Program Token (DEP)
This is only used if you purchase your Apple devices via the Apple Business Manager (ABM) or Apple School Manager (ASM) program. This used to be known as DEP.
This token is only obtainable in Apple Business/Schools Manager if you have an Administrator role, and you can only have a maximum of four users with this role.
It needs renewing before it expires, and changing the Apple ID used when renewing has no impact.
To renew, download the token from the MDM page in ABM and upload it to Intune. On upload, Intune automatically resyncs all devices from ABM (or ASM).
You can have more than one ABM instance (for example due to mergers or different corporate regions) and therefore can have more than one token to renew each year.
Apple VPP Token
This is used to sync apps from Apple Business/School Manager into Intune. You will have one token per ABM instance, and as you can have more than one ABM instance you could have more than one token to renew each year. Each app appears against a single token.
Failure to renew will result in apps not being updated, and renewing late (after the token has already expired) will result in all the apps appearing a second time in Intune; each will need assigning to its groups again and the old apps (from the expired token) removing. Devices will see no impact as they should be reassigned the same apps as before.
Failing to renew the VPP token will result in all apps appearing twice: one copy will be assigned (and exists due to the old, expired token) and one will not be assigned. Each unassigned app will need to be configured to match the assigned one, and the assigned one will disappear when the expired token is removed from the Intune Tenant administration > Connectors and tokens > Apple VPP tokens page.
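Because all three token types share the same one-year lifetime, the practical check is a periodic expiry report. The script below is an added example (not from the original post) that reads the expiry of the MDM push certificate, every enrolment program (DEP) token and every VPP token from Microsoft Graph and flags anything expired or within 30 days. It assumes the Microsoft.Graph PowerShell module and an account granted DeviceManagementServiceConfig.Read.All and DeviceManagementApps.Read.All; the depOnboardingSettings resource is only exposed on the beta endpoint.

```powershell
# Added example: Intune Apple token expiry report via Microsoft Graph.
# Assumes the Microsoft.Graph module is installed and the signed-in account holds
# DeviceManagementServiceConfig.Read.All and DeviceManagementApps.Read.All.

$WarnDays = 30   # flag anything expiring within this many days

function Get-ExpiryStatus {
    param([string]$Kind, [string]$Name, [datetime]$Expires)
    $daysLeft = [math]::Floor(($Expires - (Get-Date)).TotalDays)
    $status = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -le $WarnDays) { 'RENEW SOON' } else { 'OK' }
    [pscustomobject]@{
        Type     = $Kind
        Name     = $Name
        Expires  = $Expires.ToString('u')
        DaysLeft = $daysLeft
        Status   = $status
    }
}

Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All', 'DeviceManagementApps.Read.All'

$results = @()

# 1. Apple MDM push certificate: exactly one per tenant; if it lapses every device must re-enrol.
$push = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/applePushNotificationCertificate'
$results += Get-ExpiryStatus 'MDM Push Certificate' $push.appleIdentifier ([datetime]$push.expirationDateTime)

# 2. ABM/ASM enrolment program (DEP) tokens: one per ABM/ASM instance (beta endpoint only).
$dep = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/beta/deviceManagement/depOnboardingSettings'
foreach ($t in $dep.value) {
    $results += Get-ExpiryStatus 'Enrolment Program Token' $t.tokenName ([datetime]$t.tokenExpirationDateTime)
}

# 3. VPP (Apps and Books) tokens: one per ABM/ASM instance; a lapsed token duplicates every app in Intune.
$vpp = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/deviceAppManagement/vppTokens'
foreach ($t in $vpp.value) {
    $results += Get-ExpiryStatus 'VPP Token' "$($t.organizationName) ($($t.appleId))" ([datetime]$t.expirationDateTime)
}

# Soonest expiry first, so the token that needs attention next is at the top.
$results | Sort-Object DaysLeft | Format-Table -AutoSize
```

Run it on a schedule (or from an Azure Automation runbook) and alert on any row whose Status is not OK, so a renewal is never discovered only after devices or apps have already dropped off.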