Overview
This article provides an overview of the ABM (Apple Business Manager) link and VPP (Volume Purchase Program) token connection that needs to occur with NHSmail Intune.
Whilst LAs can link their ABM tenant to NHSmail Intune by themselves (without requesting an ABM Link session although this is strongly recommended), they are not able to do this for VPP tokens.
An ABM Link Session will be required to connect your VPP tokens to Intune.
Please visit our iOS Maintenance Support Site article for information on how to renew your ABM link and VPP tokens (as these expire every 365 days); LAs are able to renew both tokens themselves.
1. ABM Link Connection to NHSmail Intune
The ABM link is a connection between the ABM tenant and NHSmail Intune. All organisations onboarded onto the NHSmail Intune platform who wish to enrol iOS/iPadOS devices will need to ensure that their ABM is linked to NHSmail Intune to enrol devices.
If your ABM tenant has not been linked to NHSmail Intune, you will not be able to enrol any iOS/iPadOS devices.
1.1 ABM Link Prerequisites
The following are some of the key points to note before linking your ABM tenant to NHSmail Intune:
 |
Organisations wanting to enrol Apple devices (iOS iPhones and iPadOS iPads) will require those devices to exist in an Apple Business Manager (ABM) instance already. |
 |
Organisations will be required to associate their vendor management portals with Intune (e.g., connect ABM with NHSmail Intune) |
 |
When connecting your organisation’s ABM into NHSmail Intune, the Apple ID used to connect into Intune should have either the Administrator role or the Device Enrolment Manager (DEM) role assigned to it in ABM.
Note: Please do not have both roles assigned to the Apple ID being used to connect into Intune as this may cause a conflict. |
 |
“Locations” terms and conditions should be accepted to enable deployment of applications. |
 |
Domain verification should be pre-configured (if required, Apple does enable the use of a default domain) |
 |
Management of Apple Business Manager (ABM) for iPads and iPhones is to be maintained by LAs (including Apple IDs). |
 |
The NHSmail Intune platform does not support the management of any Apple devices which are not enrolled into ABM. |
 |
When onboarding a Multi Org and you are adopting the Model 2 approach, LAs will need to configure multiple MDM servers within a single ABM tenant which allows the organisation to segregate the devices into “containers”. |
1.2 Request Support with the ABM Connection
LAs can connect their ABM into NHSmail without needing to request support, although it is recommended that LAs request a session with the Intune Live Service Team who will be able to assist with the connection and ensure that it is done correctly.
Please raise a service request via Helpdesk Self-Service if you would like support from the Intune Live Service Team with connecting your organisation’s ABM into NHSmail Intune. LAs should select ‘Onboard Apple Business Manager (ABM) for Apple Devices’, from the list of possible service requests to do this.
If you are happy to proceed with the ABM link into NHSmail Intune without support, you will need to follow the step-by-step instructions below and read all important notes to ensure that the connection is successful.
It is strongly recommended that LAs request an ABM link session so the Intune Live Service Team can support with the connection and ensure it is completed correctly.
1.3 Steps to link your ABM into NHSmail Intune
Please follow the steps below if you wish to link your organisation’s ABM into NHSmail without assistance:
LAs must ensure that during the connection process linking your organisation’s ABM and Intune the naming standards shown below are followed for the ADE token:
<ODS>-ABM-Production
- Navigate to the following: Devices> iOS/iPadOS > iOS/iPad Enrolment > Enrolment Program Tokens;
As part of the Intune and ABM connection process a handshake needs to be made by swapping tokens.
- Select I agree to grant Microsoft permissions and then download the Intune ‘Public Key’.
- Enter the Apple ID from the ABM instance that will be connected.
It is recommended that you use a shared Apple ID/mailbox for the connection process. If a shared mailbox is not used, it is still possible to renew the ADE Token via another administrative account within the ABM. If there any issues with renewing the token, LAs should contact Apple Support.
- Log into the ABM portal and click your Username on the bottom left. Then select ‘Preferences’
- In the ‘Your MDM Servers’ section, click ‘Add’ to add a new MDM server.
- Upload Public Key from Intune and give the Server a name: <ODS>-ABM-Production.
- Download the Token from ABM by selecting Download Token and then selecting Download Server Token
- Upload the ABM token file into Intune and then once done click next twice, before finally clicking create .
Once this has been completed successfully, you should be able to enrol your iOS/iPadOS devices.
ABM tokens expire every 365 days and will need to be renewed (this is the LAs responsibility).
2. VPP Token
Location tokens are volume purchase licences that were commonly known as Volume Purchase Program (VPP) tokens. Location tokens are used to assign and manage licences purchased using Apple Business Manager.
Content Managers can purchase and associate licences with location tokens they have permissions to in Apple Business Manager. These location tokens are then downloaded from Apple Business Manager and uploaded in Microsoft Intune. Microsoft Intune supports uploading multiple location tokens per tenant. Each token is valid for one year.
Microsoft Intune can help organisations manage apps purchased through the VPP program by:
- Synchronizing location tokens that are downloaded from Apple Business Manager.
- Tracking how many licences are available and have been used for purchased apps.
- Monitor app installs up to the number of licences you own.
As part of the Onboarding Process a new “Location” must be created in ABM and the VPP token must be added from the organisation’s ABM into Intune. The connection process is a one-time setup.
Admins will be required to assign the Company portal licence to the NHS Intune tenant to ensure that users can enrol with “User Affinity”.
2.1 Adding A New Location
- Click Locations in the sidebar, then click the Add (+) button
- Enter the information for your new location then click Save. You must enter the location name (<ODS>-VPP-Token) and address (phone number and website URL are optional).
- Verify that the new location appears in the list of existing locations.
2.2 VPP Token Connection to NHSmail Intune
The naming standard shown below must be followed when connecting the VPP token to Intune.
<ODS>-VPP-Token
1. In Apple Business Manager, click Settings > Apps and Books. Click Download and save the VPP token.
2. Navigate to: Tenant Administration > Connectors and Tokens > Apple VPP tokens.
This will be required to connect your ABM VPP licences into Intune. As part of the enrolment process users are required to have Company Portal VPP licences available.
3. Select Create.
4. Enter your organisation’s name with the correct ODS prefix, <ODS>-VPP-Token.
a. The “Apple ID” can be the same Apple ID used to connect your ABM to Intune.
b. Export a VPP token file from ABM and import into Intune.
5. Complete the settings page as shown in the example below:
a. Take Control of token from another MDM = No
b. Country/Region = United Kingdom
c. Automatic Updates = Yes
d. Select the tick box to complete the connection process
6. Assign Intune Portal licence in ABM.
Click on Apps and books > Search for Intune > Select Intune Company Portal > Select Licence quantity.
VPP tokens expire every 365 days and will need to be renewed (this is the LAs responsibility).
| Last Reviewed Date | 14/03/2024 |
