This article provides an overview of the ABM (Apple Business Manager) link and VPP (Volume Purchase Program) token connection that needs to occur with NHSmail Intune.
1. ABM Link Connection to NHSmail Intune
The ABM link is a connection between the ABM tenant and NHSmail Intune. All organisations onboarded onto the NHSmail Intune platform who wish to enrol iOS/iPadOS devices will need to ensure that their ABM is linked to NHSmail Intune to enrol devices.
1.1 ABM Link Prerequisites
The following are some of the key points to note before linking your ABM tenant to NHSmail Intune:
- Organisations wanting to enrol Apple devices (iOS iPhones and iPadOS iPads) will require those devices to exist in an Apple Business Manager (ABM) instance already.
- Organisations will be required to associate their vendor management portals with Intune (e.g., connect ABM with NHSmail Intune).
- When connecting your organisation’s ABM into NHSmail Intune, the Apple ID used to connect into Intune should have either the Administrator role or the Device Enrolment Manager (DEM) role assigned to it in ABM.
  Note: Please do not have both roles assigned to the Apple ID being used to connect into Intune as this may cause a conflict.
- “Locations” terms and conditions should be accepted to enable deployment of applications.
- Domain verification should be pre-configured (if required, Apple does enable the use of a default domain).
- Management of Apple Business Manager (ABM) for iPads and iPhones is to be maintained by LAs (including Apple IDs).
- The NHSmail Intune platform does not support the management of any Apple devices which are not enrolled into ABM.
- When onboarding a Multi Org and you are adopting the Model 2 approach, LAs will need to configure multiple MDM servers within a single ABM tenant which allows the organisation to segregate the devices into “containers”.
1.2 Request Support with the ABM Connection
LAs can connect their ABM into NHSmail without needing to request support, although it is recommended that LAs request a session with the Intune Live Service Team who will be able to assist with the connection and ensure that it is done correctly.
Please raise a service request via Helpdesk Self-Service if you would like support from the Intune Live Service Team with connecting your organisation’s ABM into NHSmail Intune. LAs should select ‘Onboard Apple Business Manager (ABM) for Apple Devices’, from the list of possible service requests to do this.
If you are happy to proceed with the ABM link into NHSmail Intune without support, you will need to follow the step-by-step instructions below and read all important notes to ensure that the connection is successful.
1.3 Steps to link your ABM into NHSmail Intune
Please follow the steps below if you wish to link your organisation’s ABM into NHSmail without assistance:
1. Navigate to the following: Devices > iOS/iPadOS > iOS/iPad Enrolment > Enrolment Program Tokens.
2. Select I agree to grant Microsoft permissions and then download the Intune ‘Public Key’.
3. Enter the Apple ID from the ABM instance that will be connected.
4. Log into the ABM portal and click your Username on the bottom left. Then select ‘Preferences’.
5. In the ‘Your MDM Servers’ section, click ‘Add’ to add a new MDM server.
6. Upload Public Key from Intune and give the Server a name: <ODS>-ABM-Production.
7. Download the Token from ABM by selecting Download Token and then selecting Download Server Token.
8. Upload the ABM token file into Intune and then, once done, click Next twice before finally clicking Create.
Once this has been completed successfully, you should be able to enrol your iOS/iPadOS devices.
2. VPP Token
Location tokens are volume purchase licences that were commonly known as Volume Purchase Program (VPP) tokens. Location tokens are used to assign and manage licences purchased using Apple Business Manager.
Content Managers can purchase and associate licences with location tokens they have permissions to in Apple Business Manager. These location tokens are then downloaded from Apple Business Manager and uploaded in Microsoft Intune. Microsoft Intune supports uploading multiple location tokens per tenant. Each token is valid for one year.
Microsoft Intune can help organisations manage apps purchased through the VPP program by:
- Synchronizing location tokens that are downloaded from Apple Business Manager.
- Tracking how many licences are available and have been used for purchased apps.
- Monitoring app installs up to the number of licences you own.
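Because each location token is valid for one year, it is useful to check the expiry date of a downloaded token file before uploading it. The sketch below is an added example, not part of the NHSmail guidance: it assumes the token file is base64-encoded JSON carrying `expDate` and `orgName` fields, and the function names, the 30-day renewal window and the sample tokens are constructed for illustration.

```python
import base64
import json
from datetime import datetime, timezone

WARN_DAYS = 30  # hypothetical renewal window; choose your own


def read_token_metadata(raw: bytes) -> dict:
    """Decode a location token file and return only its non-secret fields."""
    try:
        fields = json.loads(base64.b64decode(raw.strip(), validate=True))
        expires = datetime.strptime(fields["expDate"], "%Y-%m-%dT%H:%M:%S%z")
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError("unexpected token file layout") from exc
    # The "token" field is a bearer secret: never return, print or log it.
    return {"org": fields.get("orgName", ""), "expires": expires}


def token_status(raw: bytes, now: datetime, warn_days: int = WARN_DAYS):
    """Return (status, whole days left) for a token at time `now`."""
    meta = read_token_metadata(raw)
    days_left = (meta["expires"] - now).days
    if days_left < 0:
        status = "expired"
    elif days_left <= warn_days:
        status = "renew-soon"
    else:
        status = "ok"
    return status, days_left


def make_sample(exp_date: str) -> bytes:
    """Constructed sample token (not a real credential)."""
    body = {"token": "CONSTRUCTED-NOT-REAL", "expDate": exp_date,
            "orgName": "Example Org"}
    return base64.b64encode(json.dumps(body).encode())


if __name__ == "__main__":
    now = datetime(2022, 8, 11, tzinfo=timezone.utc)
    for exp in ("2023-08-11T00:00:00+0000", "2022-08-31T00:00:00+0000",
                "2022-08-01T00:00:00+0000"):
        print(exp, token_status(make_sample(exp), now))
```
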
2.1 Adding A New Location
1. Click Locations in the sidebar, then click the Add (+) button.
2. Enter the information for your new location then click Save. You must enter the location name (<ODS>-VPP-Token) and address (phone number and website URL are optional).
3. Verify that the new location appears in the list of existing locations.
2.2 VPP Token Connection to NHSmail Intune
1. In Apple Business Manager, click Settings > Apps and Books. Click Download and save the VPP token.
2. Navigate to: Tenant Administration > Connectors and Tokens > Apple VPP tokens.
This will be required to connect your ABM VPP licences into Intune. As part of the enrolment process users are required to have Company Portal VPP licences available.
4. Enter your organisation’s name with the correct ODS prefix, <ODS>-VPP-Token.
a. The “Apple ID” can be the same Apple ID used to connect your ABM to Intune.
b. Export a VPP token file from ABM and import into Intune.
5. Complete the settings page as shown in the example below:
a. Take Control of token from another MDM = No
b. Country/Region = United Kingdom
c. Automatic Updates = Yes
d. Select the tick box to complete the connection process
6. Assign Intune Portal licence in ABM.
Click on Apps and books > Search for Intune > Select Intune Company Portal > Select Licence quantity.
Last Reviewed Date: 11/08/2022