ABM / DEP Integration

Apple Business Manager (ABM) is Apple's platform for managing devices at scale. Integrating ABM with GuardMDM enables zero-touch enrollment — devices are managed automatically before the user even unboxes them.

What is ABM?

ABM (formerly DEP — Device Enrollment Program) lets organizations:

  • Assign devices to an MDM server automatically
  • Enroll devices without user interaction
  • Apply settings and restrictions before first launch
  • Supervise devices for full management control
  • Track device ownership and assignment

MDM Server Assignment in ABM

Before GuardMDM can manage ABM-assigned devices, you must register GuardMDM as a trusted MDM server in ABM.

Steps

  1. Generate a token in GuardMDM: go to Settings > ABM Integration > Generate Token
  2. Upload the token to Apple Business Manager at https://business.apple.com under Settings > MDM Server
  3. Download the server token from ABM after it's created
  4. Upload the server token back into GuardMDM under Settings > ABM Integration

Once the token exchange is complete, GuardMDM is authorized to manage devices assigned to it in ABM.

Device Assignment Methods

ABM supports three ways to assign devices to your MDM server.

Automatic Assignment

New devices added to ABM are automatically assigned to the default MDM server. This is the simplest method — no manual steps required.

  • Best for: Large fleets, new device purchases
  • Setup: Configure default MDM server in ABM settings
  • Behavior: Devices appear in GuardMDM automatically after ABM sync

Manual Assignment

Select individual devices in ABM and assign them to GuardMDM's MDM server entry.

  • Best for: Pilot programs, mixed MDM environments
  • Setup: No default server needed
  • Behavior: Only explicitly assigned devices appear in GuardMDM

Serial Number Assignment

Assign devices by uploading a CSV file containing serial numbers to ABM.

  • Best for: Bulk assignment of existing devices
  • Setup: Export serial numbers from your device inventory
  • Format: CSV with serial numbers, one per row
  • Behavior: Matched devices are assigned to the specified MDM server

Syncing ABM Devices

Once the integration is active, GuardMDM fetches device records from ABM.

Manual Sync

Trigger a sync at any time from the GuardMDM dashboard:

  1. Go to Devices > ABM Devices
  2. Click Sync Now
  3. Wait for the sync to complete (typically 10-30 seconds)

Cursor-Based Pagination Sync

GuardMDM uses cursor-based pagination when fetching device lists from ABM. This approach is more reliable than offset-based pagination for large device fleets.

  • How it works: Each sync request returns a cursor pointing to the next batch of devices
  • Batch size: Configurable (default 100 devices per page)
  • Reliability: Handles device additions and removals during sync without missing records
  • Performance: Efficient for fleets of any size, from dozens to hundreds of thousands
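
The reliability point above can be reproduced offline. The following is an added example, not GuardMDM's or Apple's code: it models a device list in memory, removes one device after the first page has been fetched, and compares which records an offset-based sync and a cursor-based sync fail to return. The `FakeDeviceStore` class, the use of a sequence number as the cursor, and the `SAMPLE` serials are assumptions made for the illustration.

```python
# Constructed in-memory model of a paginated device list; not Apple's or GuardMDM's code.
class FakeDeviceStore:
    def __init__(self, serials):
        # Each record carries a sequence number that never changes once issued.
        self.rows = list(enumerate(serials, start=1))

    def remove(self, serial):
        self.rows = [r for r in self.rows if r[1] != serial]

    def page_by_offset(self, offset, limit):
        return [s for _, s in self.rows[offset:offset + limit]]

    def page_by_cursor(self, cursor, limit):
        # Assumption: the cursor is the last sequence number the client received.
        batch = [r for r in self.rows if r[0] > cursor][:limit]
        next_cursor = batch[-1][0] if batch else cursor
        more = any(r[0] > next_cursor for r in self.rows)
        return [s for _, s in batch], next_cursor, more

def sync_with_offset(store, limit, after_first_page=None):
    seen, offset = [], 0
    while batch := store.page_by_offset(offset, limit):
        seen += batch
        offset += len(batch)
        if after_first_page:          # simulate a change in ABM mid-sync
            after_first_page(store)
            after_first_page = None
    return seen

def sync_with_cursor(store, limit, after_first_page=None):
    seen, cursor, more = [], 0, True
    while more:
        batch, cursor, more = store.page_by_cursor(cursor, limit)
        seen += batch
        if after_first_page:
            after_first_page(store)
            after_first_page = None
    return seen

def missed(store, seen):
    """Serials still present in the store that the sync never returned."""
    return sorted({s for _, s in store.rows} - set(seen))

def demo():
    serials = [f"SAMPLE{i:03d}" for i in range(1, 8)]   # constructed serials
    drop = lambda st: st.remove("SAMPLE002")            # device removed mid-sync
    a, b = FakeDeviceStore(serials), FakeDeviceStore(serials)
    return missed(a, sync_with_offset(a, 3, drop)), missed(b, sync_with_cursor(b, 3, drop))
```

With offset paging the removal shifts every later record up by one position, so one device that is still assigned is never returned; the cursor-based run returns all of them.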

Automatic Periodic Sync

GuardMDM automatically syncs with ABM every 5 minutes to pick up new device assignments and changes.

  • Interval: 5 minutes (not configurable)
  • What syncs: New device assignments, device attribute changes, assignment removals
  • Trigger: Runs continuously while the integration is active
  • Latency: Devices appear in GuardMDM within 5 minutes of being assigned in ABM

ADE Profile Assignment

ADE (Automated Device Enrollment) profiles control what happens when a device is first turned on. Each device assigned to GuardMDM must have an ADE profile.

What an ADE Profile Contains

  • Enrollment type: User-initiated vs. automated
  • Setup Assistant skip: Which setup screens to skip (Apple ID, Touch ID, Siri, etc.)
  • Supervision: Whether the device is supervised
  • Lock MDM: Whether the MDM enrollment can be removed by the user
  • Department and support info: Shown during setup

Assigning Profiles

Profiles can be assigned at the device level or the device group level.

| Method | Scope | Use Case |
|---|---|---|
| Device-level | Single device | Testing, executive devices |
| Group-level | All devices in a group | Department rollouts, OS-based groups |

Default Profile Per OS

GuardMDM allows you to set a default ADE profile for each operating system. This ensures every new device gets the right profile without manual assignment.

  • iOS / iPadOS default profile: Applied to all new iPhones and iPads
  • macOS default profile: Applied to all new Macs
  • tvOS default profile: Applied to all new Apple TV devices

When a device syncs from ABM, GuardMDM checks:

  1. Does the device have an explicitly assigned profile? → Use it
  2. Does the device's OS have a default profile? → Use it
  3. No profile found → Device is listed as Unassigned in the dashboard
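
The lookup order above, combined with the Supervision and Lock MDM settings listed under "What an ADE Profile Contains", can be turned into a pre-deployment audit. This is an added example, not GuardMDM's code or schema: the field names (`supervised`, `lock_mdm`, `profile`), the profile names and the sample devices are all constructed for illustration, and "explicitly assigned" is modelled as a single per-device field.

```python
# Constructed sample data; field names are hypothetical, not GuardMDM's schema.
PROFILES = {
    "ios-std":   {"supervised": True, "lock_mdm": True},
    "mac-pilot": {"supervised": True, "lock_mdm": False},
}
OS_DEFAULTS = {"iOS": "ios-std", "macOS": "mac-pilot"}   # no tvOS default configured
DEVICES = [
    {"serial": "SAMPLE0001", "os": "iOS",   "profile": None},
    {"serial": "SAMPLE0002", "os": "macOS", "profile": None},
    {"serial": "SAMPLE0003", "os": "tvOS",  "profile": None},
    {"serial": "SAMPLE0004", "os": "macOS", "profile": "ios-std"},
    {"serial": "SAMPLE0005", "os": "iOS",   "profile": "retired-profile"},
]

def resolve_profile(device, os_defaults):
    """Return (profile_name, source): explicit first, then OS default, else unassigned."""
    if device.get("profile"):
        return device["profile"], "explicit"
    default = os_defaults.get(device["os"])
    if default:
        return default, "os-default"
    return None, "unassigned"

def audit(devices, profiles, os_defaults):
    """Map serial -> findings to review before the device is handed out."""
    findings = {}
    for dev in devices:
        name, source = resolve_profile(dev, os_defaults)
        profile = profiles.get(name)
        issues = []
        if name is None:
            issues.append("unassigned: no explicit profile and no default for this OS")
        elif profile is None:
            issues.append(f"{source} profile '{name}' is not defined")
        else:
            if not profile["supervised"]:
                issues.append("device will not be supervised")
            if not profile["lock_mdm"]:
                issues.append("user can remove the MDM enrollment")
        if issues:
            findings[dev["serial"]] = issues
    return findings
```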

Enrollment Flow with ABM

When a device assigned to GuardMDM is activated:

  1. Device connects to Apple's activation servers
  2. Apple checks ABM for MDM assignment
  3. ABM tells the device to contact GuardMDM
  4. GuardMDM sends the ADE profile
  5. Device applies the profile and enrolls
  6. Device appears as Enrolled in GuardMDM

ABM Token Expiry

ABM Token Expiry — Enrollment Disrupted

ABM tokens are valid for 1 year. After expiry:

  • Device sync stops — new devices won't be pulled into GuardMDM
  • ADE enrollment fails — new devices cannot auto-enroll
  • Device info goes stale — ABM changes no longer sync

Already enrolled devices are NOT affected — remote commands and profile pushes continue working.

Recommendation: Renew the token 30 days before expiry. Download a new token from Apple Business Manager and upload it to GuardMDM.

Troubleshooting

| Issue | Likely Cause | Solution |
|---|---|---|
| Devices not appearing in GuardMDM | Token expired | Regenerate and re-upload the ABM token |
| Sync fails | Network issue | Check firewall rules and retry |
| Device not enrolling | No ADE profile assigned | Assign a default profile for the device's OS |
| Wrong profile applied | Default profile misconfigured | Update the default profile for the correct OS |
| Devices stuck in "Unassigned" | No matching default profile | Create and assign a default ADE profile |

Released under the MIT License