Connect Apple Business Manager

What is Apple Business Manager?

Apple Business Manager (ABM) is Apple's web-based portal for IT administrators to manage Apple devices and content in your organization. It serves as the central source of truth for device ownership, procurement, and assignment.

ABM gives you:

  • Device assignment — Link devices purchased through Apple or authorized resellers to your MDM
  • Automated Device Enrollment (ADE) — Formerly DEP, this lets devices enroll in MDM automatically during first boot, before the user ever touches them
  • Managed Apple IDs — Create and manage user accounts tied to your organization
  • App and book distribution — Assign volume-purchased apps and books to devices or users

Why Connect ABM to GuardMDM?

Connecting ABM to GuardMDM unlocks zero-touch deployment:

  • Automated enrollment — Devices enroll in GuardMDM the moment they're unboxed, with no user interaction required
  • Supervision — Devices become supervised, giving you full control over restrictions, settings, and MDM removal prevention
  • Device sync — GuardMDM automatically pulls in devices assigned to your MDM server in ABM, keeping your inventory up to date
  • ADE profile — You configure the enrollment experience (skip panes, authentication method, etc.) once in GuardMDM and it applies to every new device

Without ABM, you can still enroll devices manually, but you lose supervision and the ability to enforce certain security policies.

Step-by-Step: Connect ABM to GuardMDM

1. Download the Public Key from GuardMDM

  1. Log in to your GuardMDM dashboard
  2. Navigate to Settings > MDM > Apple Business Manager
  3. Click Download Public Key — this saves a .pem file to your computer

This public key tells ABM that GuardMDM is authorized to manage your devices.

2. Upload the Public Key in ABM

  1. Go to business.apple.com and sign in with your ABM admin account
  2. Navigate to Settings > MDM Server
  3. Click Add MDM Server, give it a name (e.g., "GuardMDM Production")
  4. Under Upload Public Key, select the .pem file you downloaded from GuardMDM
  5. Click Save

Tip: You can assign different MDM servers to different device types or departments. For example, one server for corporate-owned iPhones and another for employee-owned Macs. Just create a separate MDM server entry in ABM for each GuardMDM instance.

3. Download the ABM Token

  1. In ABM, go back to Settings > MDM Server
  2. Find the server you just created and click Download Token
  3. This downloads a .p7m or .p12 file — the server token that authorizes GuardMDM to communicate with ABM on your behalf

4. Upload the Token to GuardMDM

  1. Back in GuardMDM, go to Settings > MDM > Apple Business Manager
  2. Click Upload Token and select the token file you downloaded from ABM
  3. Click Save

GuardMDM will validate the token and confirm the connection is active. You should see a green "Connected" status.

Syncing ABM Devices

Once the token is uploaded, GuardMDM automatically syncs devices assigned to your MDM server in ABM. To trigger a manual sync:

  1. Go to Devices > All Devices
  2. Click Sync ABM Devices

New devices appear in GuardMDM with a status of Pending (ADE) — they're waiting for an ADE profile assignment before they can enroll.

Setting Up a Default ADE Profile

The ADE profile controls what the user sees during first-time setup. To configure it:

  1. Go to Settings > MDM > Apple Business Manager
  2. Under Default ADE Profile, click Edit
  3. Configure the enrollment experience:
    • Authentication — Choose between user-based (requires Apple ID) or device-based (no user interaction)
    • Skip panes — Select which Setup Assistant screens to skip (e.g., Siri, Touch ID, Analytics)
    • Supervision — Always enabled when using ABM
  4. Click Save

Every new device that syncs from ABM will use this profile. You can override it per-device or per-group later if needed.

Automatic Periodic Sync

GuardMDM syncs with ABM every 5 minutes automatically. This means:

  • Devices assigned to your MDM server in ABM appear in GuardMDM within minutes
  • Devices removed from your MDM server in ABM are removed from GuardMDM on the next sync
  • Token expiry is checked automatically — GuardMDM will warn you before the token expires so you can renew it

No manual intervention is required for day-to-day operation.

ABM Token Expiry — New Device Enrollment Breaks

When the ABM token expires, GuardMDM loses connection to Apple Business Manager:

  • Device sync stops — newly purchased devices won't appear in GuardMDM
  • ADE enrollment fails — new devices cannot enroll automatically
  • Device info stops syncing — changes in ABM are not reflected in GuardMDM

Already enrolled devices are NOT affected — they continue working normally. Remote commands and profile pushes still function.

Recovery: Download a new token from Apple Business Manager and upload it to GuardMDM.

Released under the MIT License