Connect Apple Business Manager
What is Apple Business Manager?
Apple Business Manager (ABM) is Apple's web-based portal for IT administrators to manage Apple devices and content in your organization. It serves as the central source of truth for device ownership, procurement, and assignment.
ABM gives you:
- Device assignment — Link devices purchased through Apple or authorized resellers to your MDM
- Automated Device Enrollment (ADE) — Formerly DEP, this lets devices enroll in MDM automatically during first boot, before the user ever touches them
- Managed Apple IDs — Create and manage user accounts tied to your organization
- App and book distribution — Assign volume-purchased apps and books to devices or users
Why Connect ABM to GuardMDM?
Connecting ABM to GuardMDM unlocks zero-touch deployment:
- Automated enrollment — Devices enroll in GuardMDM the moment they're unboxed, with no user interaction required
- Supervision — Devices become supervised, giving you full control over restrictions, settings, and MDM removal prevention
- Device sync — GuardMDM automatically pulls in devices assigned to your MDM server in ABM, keeping your inventory up to date
- ADE profile — You configure the enrollment experience (skip panes, authentication method, etc.) once in GuardMDM and it applies to every new device
Without ABM, you can still enroll devices manually, but you lose supervision and the ability to enforce certain security policies.
Step-by-Step: Connect ABM to GuardMDM
1. Download the Public Key from GuardMDM
- Log in to your GuardMDM dashboard
- Navigate to Settings > MDM > Apple Business Manager
- Click Download Public Key — this saves a .pem file to your computer
This public key tells ABM that GuardMDM is authorized to manage your devices.
2. Upload the Public Key in ABM
- Go to business.apple.com and sign in with your ABM admin account
- Navigate to Settings > MDM Server
- Click Add MDM Server, give it a name (e.g., "GuardMDM Production")
- Under Upload Public Key, select the .pem file you downloaded from GuardMDM
- Click Save
Tip: You can assign different MDM servers to different device types or departments. For example, one server for corporate-owned iPhones and another for employee-owned Macs. Just create a separate MDM server entry in ABM for each GuardMDM instance.
3. Download the ABM Token
- In ABM, go back to Settings > MDM Server
- Find the server you just created and click Download Token
- This downloads a .p7m or .p12 file — the server token that authorizes GuardMDM to communicate with ABM on your behalf
4. Upload the Token to GuardMDM
- Back in GuardMDM, go to Settings > MDM > Apple Business Manager
- Click Upload Token and select the token file you downloaded from ABM
- Click Save
GuardMDM will validate the token and confirm the connection is active. You should see a green "Connected" status.
Syncing ABM Devices
Once the token is uploaded, GuardMDM automatically syncs devices assigned to your MDM server in ABM. To trigger a manual sync:
- Go to Devices > All Devices
- Click Sync ABM Devices
New devices appear in GuardMDM with a status of Pending (ADE) — they're waiting for an ADE profile assignment before they can enroll.
Setting Up a Default ADE Profile
The ADE profile controls what the user sees during first-time setup. To configure it:
- Go to Settings > MDM > Apple Business Manager
- Under Default ADE Profile, click Edit
- Configure the enrollment experience:
  - Authentication — Choose between user-based (requires Apple ID) or device-based (no user interaction)
  - Skip panes — Select which Setup Assistant screens to skip (e.g., Siri, Touch ID, Analytics)
  - Supervision — Always enabled when using ABM
- Click Save
Every new device that syncs from ABM will use this profile. You can override it per-device or per-group later if needed.
Automatic Periodic Sync
GuardMDM syncs with ABM every 5 minutes automatically. This means:
- Devices assigned to your MDM server in ABM appear in GuardMDM within minutes
- Devices removed from your MDM server in ABM are removed from GuardMDM on the next sync
- Token expiry is checked automatically — GuardMDM will warn you before the token expires so you can renew it
No manual intervention required for day-to-day operation.
ABM Token Expiry — New Device Enrollment Breaks
When the ABM token expires, GuardMDM loses connection to Apple Business Manager:
- Device sync stops — newly purchased devices won't appear in GuardMDM
- ADE enrollment fails — new devices cannot enroll automatically
- Device info stops syncing — changes in ABM are not reflected in GuardMDM
Already enrolled devices are NOT affected — they continue working normally. Remote commands and profile pushes still function.
Recovery: Download a new token from Apple Business Manager and upload it to GuardMDM.
What's Next?
- Enroll Your First Device — Walk through enrolling a device with ADE
- Create a Blueprint — Build your first configuration template
- Assign Devices to Groups — Organize your fleet
