This video saves hundreds of hours "figuring things out"! Thank you so much for the clear and easy to follow walkthrough. Subscribing!
Glad it helped! Thanks for the sub!!
Will be checking out more contents like this once ABM enrollment is completed. Thank you.
Good Luck with your ABM enrollment! :)
Subscribed! Thanks for this nice content and it’s really useful.
Awesome!! Thank you so much. Glad to hear!
This video helped me a lot, saving me time understanding the basic concepts of ABM and Intune
Awesome!! So glad to hear!! 🙏
This is exactly what I needed...thank you!
So GLAD to hear!!
Hi, super informative. Thanks a lot - is there a method in Intune or ABM to figure out the app installation logs for troubleshooting purposes?
@suneethnazer9217 Hi! Thank you so much for the kind comment! I wouldn’t say there’s a log just for installation on the Intune, but you can see which apps are installed on the device when viewing the individual device’s Managed Apps blade on Intune. Another way is to view from the Intune > Apps page of which devices the apps were successfully installed on or not.
Thank you SO much for the pointer to the VPP token when deploying Apps. I couldn't for the life of me figure out why Apps weren't syncing - but the token has just expired..
Also I would like to see a more in-depth technical video about apple+Intune, as there are no such videos on the internet. this one was great though too :)
Hello There! I'm so glad my video was able to help you out! Now you don't have to worry about it over the weekend! LOL
I'll keep your request in mind. Thank you!!!
I have no idea what you are talking about, but you are wise and it looks professional!
HAHAHAHA 🤣 Thanks for the latter comment!
Could you post something to show what it is like for the end user. It seems that the user just gets the device, goes through initial setup and then it begins uploading the business profile. Could you give a demo as I am a bit skeptical.
Correct, the users get the devices and go through the initial screens, which include the Remote Management screen - indicating who the device is managed by - and Apple Setup Assistant screens. You can control the Setup Assistant screens to hide or show them, so the users can configure them. Once they go through the Setup Assistant screens that you allow them to see, then they go into the main screen, which you can also determine which apps should show, be hidden, or be automatically installed.
Thank you for the request, and I'll keep that in mind for a potential video.
Hello, I found your video very helpful, I'm still at the beginning stages of migrating devices from MaaS360 MDM to MS Endpoint Manager. This has been a very painful process for me because I don't know where to start, I'm the IT person for a company and we have over 200 iPads currently in MaaS360 and this MDM is configured in ABM, however I'm not sure how to do the transition...I'm guessing I will have to bring every device in and remove existing MaaS360 profile...any help, please. Are you a paid for consultant? The hardest part is not understanding how each User's Apple ID works in conjunction with ABM and Endpoint, the difference between managed or not, each user has been assigned an Apple ID using the company email domain, but when added in ABM, I'm getting all kinds of errors.
Hello Diosa! Thank you!
I feel your pain because I've been in your shoes before, so I understand your frustration. Take a deep breath in...and exhale. You can get through this.
I'm going to say Intune throughout my msg because Microsoft decided to change Endpoint Manager back to Intune, and Intune is shorter to type. LOL
(1) Are all the 200+ iPads on ABM? If Yes, that's a good start. Create an MDM profile for Intune on ABM. Get your vendors to add them to your ABM if you haven't already.
(2) Do you have access to your MaaS360 portal still? When is the expiration date? (This is important for #3)
(3) You can wipe the device from the MaaS360 portal, which should remove their Apple IDs if it was originally set up correctly. If not, you can email Apple to request Activation Lock removal if you bought it legitimately from vendor - just have to provide proof of purchase.
(4) Intune - Create enrollment profiles
This tells the devices what the initial enrollment screen looks like and if there will be users signing in or not. No user = no user affinity = kiosk
(5) Intune - Create your configuration profiles
What they are supposed to have or look like? If you have different types of iPads - like they serve different purposes - they may need different profiles.
(6) No, you don't need to bring all 200+ iPads into the office. It can be done remotely, but you'll need some remote hands because all those iPads will need to be wiped to be enrolled into Intune.
I just went over the most basics that I can on here, and if you want to speak separately with more details, I can definitely provide some paid consultation. Please contact me privately.
FYI - Last year, I created a migration plan for around 300 iPads from MaaS360 to Intune, trained our Help Desk Team, and transitioned over the migration responsibility and support them in the background.
Hope this helps! 🙂
@kimandtech Wow, before I reply to this, allow me to say thank you so very much....
@kimandtech Got it, I have watched your video several times now and I feel so much better, I am not that far behind. To answer your questions.
(1) All 200+ iPads are on ABM already and I have created an MDM profile for Intune. The part that I was stuck is that I couldn’t understand why my device inventory was not showing up in Intune after doing that, from your video, is because I have to change the MDM for each device to reflect Intune.
(2) I have access to the MaaS360 portal until we are completely migrated so, no problem there.
(3) Ok, I have never used MaaS360 to wipe a device, will test it out but, yes, I can request to have activation lock removed if necessary
(4) Now I know to create enrollment profiles beforehand…Devices will not be used as “Kiosk”, they are for specific users, so will they need to be signed in? * How does this work? Will they sign into their iPads in “Settings” after accessing the home screen? This part is confusing because each user is signed in already with an Apple ID that we create using their company email address individually.
(5) Now I know to create configuration profiles as well beforehand.
(6) Got it…iPads will need to be wiped to be enrolled into Intune.
Thanks again, I will work with my team and discuss consulting with you for sure. Your help is greatly appreciated.
So glad to hear that my video is helpful Diosa!!! 💖
(1) Yes, you are correct, you have to manually assign existing devices from MaaS360 to Intune MDM server on ABM.
Tip - ABM > Devices > select a device and search for multiple devices using S/Ns separated by a comma > All Devices > Edit MDM Server to do a bulk change of the MDM Server
(2) Perfect!
(3) Yeah, unfortunately, our MaaS portal is no longer available so I don't know where the option is, but I used it before to wipe devices during my test and migration.
(4) The Enrollment Profile will need to use User Affinity because they will need Company Portal and other user apps. Since this is for individual user, I also want to mention about Domain Verification and Federation Authentication on ABM for centralized management.
Sorry, don't mean to throw more stuff in the mix but want to make sure you are aware and do things right from the beginning.
support.apple.com/guide/apple-business-manager/use-managed-apple-ids-axm78b477c81/1/web/1
support.apple.com/guide/apple-business-manager/intro-to-federated-authentication-axmb19317543/web
(5) Perfect!
(6) Correct, if they're not wiped, nothing will change on the iPad because the iPad is still using and seeing the MaaS360 profile and not Intune's profiles.
You're welcome and feel free to reach out. My contact is on my channel.
It's going to be fun because you're going to learn so much from this!
Good luck with the migration!!
@kimandtech Again, thank you for all the great information, I will read the references you included, this is the main piece that is missing for me, when I do the steps to make that "federation" happen, is when I'm getting all the "conflicts" this is because, all the users are already signed in w/ an Apple ID that uses their Office 365 account, so to resolve the conflict, I believe each user needs to relinquish their current Apple IDs. This process is mainly the reason why I have not been able to move forward, once the Federation is in place, newly assigned iPads cannot be issued out because in MaaS360 I need an Apple ID to complete the setup, if I use their Office 365 email for their Apple ID, I'm getting error "that Apple ID cannot be use".....Again, I will read the guide you linked....thanks Again.
What if the users already have "personal" Apple IDs using the corporate email? Will it clash with the AD one when enabling federation?
Hello. Once federation has been enabled, anyone using an Apple ID with the corporate email will get a notification that they'll need to change it to a non-corporate email within 60 days. After that period, those emails will be released to the company, which will be tied to the company's emails and password - no longer personal.
Great content
Thanks! 🙏
Do you need to buy the phones from a single vendor to use ABM or something? It can't be used with BYOD?
You need to buy iOS phones from an approved Apple vendor to use Automated Device Enrollment (ADE). Now, you don't need to stick with just 1 vendor. You can have multiple and have them set up a connection to your ABM. That way, when an iOS phone is purchased, the vendor can import the phone's info into your ABM for management.
BYOD is a different setup, which you do not own the device. With ADE, Apple knows that the company owns those iOS devices, which then allows those devices to automatically go through the Intune Enrollment you configure. With BYOD, it's more a manual enrollment into Intune. Also, if any users put their personal Apple ID on BYOD iOS devices, then you cannot remove it unlike devices that have run through ABM for ADE into Intune.
Apologies for the long response. Hope this is clear.
I want to add existing Intune macOS devices to Apple Business Manager. Is that possible?
If you're referring to existing macOS devices that you didn't buy from an approved ABM vendor or were bought before you set up ABM, then you can use Apple Configurator to add to ABM. If you've bought with an approved vendor but forgot to tell them to add to your ABM, you can try reaching out to see if they can still add it; this may have a duration where the vendor cannot go back further than a certain date to add devices.
Apple Article on adding devices from Apple Configurator to ABM: support.apple.com/guide/apple-business-manager/add-devices-from-apple-configurator-axm200a54d59/web
Hello, thanks for the information. I have a 2 Part question. We have about 30k iOS/iPad devices that are in Workspace ONE/AirWatch that we need to migrate to Intune. I do know that those devices IN AirWatch would need to be wiped first (what is the best way to WIPE or un-enroll 30k devices from an Engineering perspective?). Next question, these devices are Automatically device enrolled, so we need them to be automatically device enrolled for the Intune side as well, what is the best way to enroll 30k existing iOS/iPad devices to Intune? Is it done thru the Apple Business Manager portal or in Intune?
Hello! WOW 30K?? That's A LOT of devices you got there!! Thank you for the background of your environment! It helps me understand your situation to better answer your questions. It's great that the devices are already on ABM because that will help you tremendously.
1. You can actually migrate the iOS/iPad devices from AirWatch to Intune in phases - don't have to do them all at once. You will not want to show up to work if you do. Or worse, you'll want to pull your hair out. LOL
For example, if you have multiple offices, do the devices from 1 or 2 offices first AFTER you've successfully run through all of your tests confirming that the settings are what you want to move forward with.
Below should be a rough high-level process:
1. Finish Intune configs & ABM setup for Intune
2. Run pilot group
3. Go back and make any config changes needed
4. Run through with pilot group again and make sure everything is good. Repeat step 3-4 as long as you need to get the config as close to the requirements as much as possible.
5. Pick 1-2 offices (best to pick ones that you're located in or are closest to you to ensure you have visibility and hands-on access if needed) for the migration
6. Change MDM server on ABM for the devices of the 1-2 offices from Step 5.
7. Wipe devices from AirWatch
8. Enroll devices into Intune
9. Rinse and Repeat Step 5-8. You can add more locations as you get more comfortable.
2. You can only set automatic MDM server enrollment to Intune for newly purchased devices on ABM. For any existing devices on ABM, you'll have to change the MDM server manually, but you should be able to mass select more than 1 to change it. I don't recall if there's a max for mass selection or you can do all. Point is you don't have to do 1-by-1, so it's not bad.
Hope this helps with your migration!
@kimandtech Thank you so much!!!
Of course! Glad to help! 🙂
@kimandtech Any guidance on the managed Apple IDs for shared iPads, existing shared iPads? I know the company issues out the managed Apple IDs, but how and where do I do that? What portal?
I hope you are using a service account for that Apple ID. If yes, then I'd recommend federating Apple with Azure, so it's using the same password as Azure. That's how you'd get a managed Apple ID. Then just be sure to set MFA to use the time-limited passcode if you're using the Authenticator app, so it doesn't prompt MFA for everyone who is sharing that account. It may freak people out, and they potentially alerting a false positive fraud. LOL
Is ABM necessary when having Intune?? We have mostly Apple devices but Microsoft shop for users Teams SharePoint
Hi. You don't need ABM to enroll iOS devices into Intune, but it is VERY HELPFUL. It's also best practice. Is there a reason for not wanting to use ABM?
You can also use Apple Configurator for the enrollment, but it's not smooth, and I really don't recommend. I enrolled an iPad using Apple Configurator once, and I hated it. Took me the whole weekend for 1 iPad. 😢
You cannot use ABE with Intune; Apple does not allow 2 management profiles on 1 iPad
Hi Kim, Chan here. Would like to have your guidance. I have tons of iPads that I cannot enroll to Apple School Manager; of course, all of those were purchased from retail. My objective is to let my iPads be managed by Microsoft Endpoint Manager/Intune. By the way, my Windows devices are working fine currently with my Microsoft Endpoint Manager/Intune.
Hi Chan! Since the iPads were not purchased properly through a vendor and registered to Apple School Manager, you’ll need to use Apple Configurator to manually add them to Intune.
Just be warned that it’s not a very smooth process as it has taken me the whole weekend before to enroll just 1 iPad.
@kimandtech Hi Kim, thanks for the info. Will give it a try 1st. Appreciate your prompt reply. Good job Kim 👍🏽
@dg5959654 The Apple Configurator is great when it works and terrible when it starts throwing errors. I've had a few iPhones that will occasionally throw a generic error, but still added to my MDM correctly. I've had others that did not add correctly the first time. I reformat, try a second time, and then all of a sudden it works fine. All of our Apple products are third party purchased so we do it the hard way.