It’s designed for IT administrators and works in combination with a Mobile Device
Management (MDM) solution (e.g., Jamf, Intune, Mosyle) to make device setup faster, more
secure, and consistent across a business.
Core Capabilities
Device Enrollment
Automatically configure and deploy devices with zero-touch enrollment. Pre-configure settings and restrictions before devices reach your users.
App & Book Distribution
Purchase and distribute apps and books in volume. Assign content to users or devices with flexible licensing options.
Role Based Administration
Create and manage Apple IDs for your organization. Integrate with existing identity providers and maintain centralized control.
Advanced Security
Implement comprehensive security policies with device restrictions, app management, and data protection controls.
Key Components of Apple Business Manager
Device Enrollment Program (DEP)
● Allows IT to preconfigure devices before they’re even unboxed.
● Devices purchased directly from Apple or authorized resellers are automatically
added to the organization’s ABM account.
● On first power-on, the device enrolls itself into the company’s MDM system and applies
the company’s configurations, restrictions, and security policies.
Example: You order 50 iPhones → they arrive sealed → employees turn them on → they’re
already set up with company email, Wi-Fi, and apps.
Volume Purchase Program (VPP)
● Lets companies buy apps and books in bulk from the App Store.
● Licenses can be assigned to devices or users and reclaimed/reassigned as needed.
● Prevents the need for employees to use their personal Apple IDs to download work apps.
Managed Apple IDs
● Special Apple IDs created and controlled by the organization.
● Used for:
o Accessing Apple services (iCloud Drive, iWork, etc.)
o Collaborating in Apple apps
o Signing into company-owned devices
● Unlike personal Apple IDs, IT can reset passwords, disable accounts, and reclaim
data when an employee leaves.
Role-Based Administration
● You can assign different admin roles:
o Administrator: Full control over all ABM settings.
o Device Manager: Handles device assignments only.
o Content Manager: Manages apps, books, and licenses.
o Staff/Manager: Limited permissions for specific teams.
● Improves security by giving people only the access they need.
How It Works
1
Purchase & Assign
o You buy devices from Apple or an authorized reseller.
o Devices are automatically linked to your ABM account.
2
Preconfigure
o You set up profiles in your MDM with Wi-Fi, VPN, security, and app settings.
o Assign these profiles to devices in ABM.
3
Deploy
o When employees turn on the device, it activates with those settings.
o No IT desk visit needed.
4
Manage & Update
o You can push new apps, change settings, or remotely lock/wipe devices anytime.
Benefits :-
Zero-Touch Deployment: IT doesn’t need to manually set up each device.
Better Security: Devices are locked to the organization; even if wiped, they re‑enroll in MDM.
Scalability: Works for small teams or thousands of devices.
Centralized App Management: Buy once, distribute to many, reclaim licenses when needed.
Employee Productivity: Devices arrive ready to work immediately.
Separation of Work & Personal Data: Especially in BYOD scenarios.
Requirements to Use Apple Business Manager
- A registered business with a D‑U‑N‑S Number (from Dun & Bradstreet).
- An Apple Business Manager account (free to sign up at business.apple.com).
- A compatible MDM solution for advanced management.
- Devices purchased from Apple or authorized resellers/distributors.
Understanding Manual Enrollment into ABM
Manual enrollment is essentially adding devices to MDM without automatic DEP assignment. However, Apple places restrictions: Devices added manually via Apple Configurator (for iOS/iPadOS) or via Apple Configurator 2 (for macOS) will not have permanent DEP status — instead, they have a 30‑day provisional period where the user can remove the management profile. After 30 days, the device behaves like a fully automated‑enrolled device.
Manual Enrollment on iPhone & iPad (iOS/iPadOS)
Requirements
- A Mac computer with Apple Configurator 2 installed (free from the Mac App Store).
- The device physically present.
- The device must be erased before enrollment (Configurator will handle this).
- Your ABM account credentials.
- Access to your MDM server’s enrollment URL.
Step‑by‑Step Process
Prepare Apple Configurator 2
- Open Apple Configurator 2 on your Mac.
- Sign in with your ABM administrator credentials.
Connect and Prepare the Device
- Connect the iPhone/iPad to the Mac using a USB cable.
- In Configurator, select the device.
- Go to Actions → Prepare.
- Choose Manual Configuration and check: Add to ABM and Enroll in MDM.
- Select your MDM server from the list (or create a new one with the enrollment URL).
- Configure Supervision (recommended for corporate devices).
- Continue — Configurator will erase and prepare the device.
Assign in Apple Business Manager
- Once prepared, the device will appear in ABM under Devices.
- Assign it to the correct MDM server in ABM.
- From now on, whenever the device is erased, it will auto‑enroll.
Manual Enrollment on Mac (macOS)
Requirements
- macOS 12.0 or later for direct enrollment via System Settings.
- OR Apple Configurator 2 for earlier versions or automated assignment.
- ABM account with admin or device manager role.
- Internet access.
Method 1 — Apple Configurator 2 for Mac
(Best for adding to ABM with provisional DEP status)
- On another Mac, install Apple Configurator 2.
- Open it and sign in with ABM credentials.
- Connect the target Mac via USB‑C/Thunderbolt.
- Boot the target Mac into macOS Recovery by holding the power button until “Options” appears.
- In Configurator, select Add to Apple Business Manager.
- Follow prompts — the Mac will restart and enroll into ABM with a 30‑day provisional period.
Method 2 — User‑Initiated MDM Enrollment (Without ABM)
(This doesn’t put the Mac into ABM, but enrolls it into MDM)
- On the Mac, open System Settings → Privacy & Security → Profiles.
- Visit the MDM enrollment URL from your provider.
- Download and install the configuration profile.
- The Mac joins MDM, but it won’t appear in ABM.
Key Limitations of Manual Enrollment
- 30‑Day Removal Window for manually added devices via Configurator.
- Requires Physical Access — you can’t add devices remotely.
- Wipes the Device during preparation (data is erased).
- Not Retroactive for DEP — devices purchased outside Apple/reseller channels won’t get true permanent DEP.
Best Practices
- Automate when possible — buy from Apple or authorized resellers so devices go straight into ABM without manual steps.
- Use Supervised mode for iOS/iPadOS to unlock advanced restrictions and controls.
- Keep a dedicated Mac with Configurator 2 for onboarding legacy or non‑DEP devices.
- Maintain accurate device assignment in ABM so MDM profiles deploy correctly.