Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-04-21 13:37:30 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 91
fleet/articles/apple-mdm-setup.md
melpike c8cb7bfa2a
Move renew abm token instructions to guide (#42589) 
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Related to
https://github.com/fleetdm/fleet/issues/42512

---------

Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com>
2026-03-30 07:26:38 -06:00

9.2 KiB
Raw Blame History

Apple MDM setup

To turn on macOS, iOS, and iPadOS MDM features, follow the instructions on this page to connect Fleet to Apple Push Notification service (APNs).

To use automatic enrollment (aka zero-touch) features on macOS, iOS, and iPadOS, follow instructions to connect Fleet with Apple Business Manager (ABM).

To turn on Windows MDM features, head to this Windows MDM setup article.

Turn on Apple MDM

Apple uses APNs to authenticate and manage interactions between Fleet and hosts.

To connect Fleet to APNs or renew APNs, head to the Settings > Integrations > Mobile device management (MDM) page.

Then select Turn on under the Apple (macOS, iOS, iPadOS) MDM section.

Apple requires that APNs certificates are renewed annually.

  • The recommended approach is to use a shared admin account to generate the CSR ensuring it can be renewed regardless of individual availability.
  • If your certificate expires, you must turn MDM off and back on for all macOS hosts. Until then, configuration profile changes and other MDM commands will remain stuck in “Pending.”
  • Be sure to use the same Apple ID from year-to-year. If you don't, you will have to turn MDM off and back on for all macOS hosts.

Apple Business Manager (ABM)

Available in Fleet Premium

Connect Fleet to your ABM to allow automatic enrollment for company-owned and Account-driven User Enrollment for personal (BYOD) macOS, iOS, and iPadOS hosts.

To connect Fleet to ABM, you have to add an ABM token to Fleet. To add an ABM token:

  1. Navigate to the Settings > Integrations > Mobile device management (MDM) page.
  2. Under Automatic enrollment, select Add ABM, and then follow the instructions in the modal to upload an ABM token to Fleet.

When one of your uploaded ABM tokens has expired or is within 30 days of expiring, you will see a warning banner at the top of page reminding you to renew your token.

To renew an ABM token:

  1. Sign in to Apple Business Manager
  2. Select your account name at the bottom left of the screen, then select Preferences.
  3. In the Your MDM Servers section, select your Fleet server, then select Download Token at the top.
  4. In Fleet, navigate to the Settings > Integrations > Mobile device management (MDM) page.
  5. Under Automatic enrollment:
  • Select Edit, and then find the token that you want to renew.
  • Select the Actions dropdown for the token and then select Renew.

Note: Token status is indicated in the Renew date column: tokens less than 30 days from expiring will have a yellow indicator, and expired tokens will have a red indicator.

  1. Upload the downloaded token (.p7m file).

After connecting Fleet to ABM, set Fleet to be the MDM for all Macs:

  1. Log in to Apple Business Manager
  2. Select your profile icon in the bottom left
  3. Select Preferences
  4. Select MDM Server Assignment and select Edit next to Default Server Assignment.
  5. Switch Mac, iPhone, and iPad to Fleet.

macOS, iOS, and iPadOS hosts listed in ABM and associated to a Fleet instance with MDM enabled will sync to Fleet and appear in the Hosts view with the MDM status label set to "Pending".

Hosts that automatically enroll will be assigned to a default fleet. You can configure the default fleet for macOS, iOS, and iPadOS hosts:

  1. Create a fleet, if you have not already, following this guide.
  2. Navigate to the Settings > Integrations > Mobile device management (MDM) page and select Edit under Automatic enrollment.
  3. Select the Actions dropdown for the ABM token you want to update, and then select Edit fleets.
  4. Select the default fleet for each platform, and select Save to save your selections.

If no default fleet is set for a host platform (macOS, iOS, or iPadOS), then newly enrolled hosts of that platform will be placed in "Unassigned".

A host can be transferred to a new (not default) fleet before it enrolls. In the Fleet UI, you can do this under Settings > Fleets.

Turn on MDM on a host

Fleet supports manually turning on MDM for macOS hosts that are already enrolled in Fleet.

End users can turn on MDM from their Fleet Desktop > My device page.

Host is in Apple Business Manager (ABM)

If a macOS host is listed in ABM:

  1. The end user will see a Turn on MDM banner at the top of their My device page.
  2. Clicking Turn on MDM opens a modal with a step-by-step instruction on how to turn on MDM on their host.
  3. After completing the steps, the host has MDM features turned on.

Host isn't in ABM

If the host isnt in ABM, users can still turn on MDM:

  1. On the My device page, the end user sees the same Turn on MDM banner.
  2. Clicking Turn on MDM opens a new tab.
    • If end user authentication is enabled, the end user is prompted to sign in with your organizations identity provider (IdP).
    • If authentication is successful, or if end user authentication is disabled, the end user is taken to a page with instructions to download the manual enrollment profile and install it on their macOS host.

Volume Purchasing Program (VPP)

Available in Fleet Premium

Connect Fleet to VPP to deploy Apple App Store apps to your hosts:

  1. In Fleet, select your avatar on the far right of the main navigation menu, and then Settings > Integrations > Mobile device management (MDM)

  2. In the Volume Purchasing Program (VPP) section, select Add VPP, and then select Add VPP again on the following page. Follow the directions on the modal to get your VPP token from Apple Business Manager, and then select the Upload button at the bottom to upload it to Fleet.

  3. To assign the VPP token to a specific fleet, find the token in the table of VPP tokens. Select the Actions dropdown, and then select Edit fleets. Use the picker to select which fleet(s) this VPP token should be assigned to.

To renew a VPP token:

  1. Navigate to the Settings > Integrations > Mobile device management (MDM) page

  2. Under Volume Purchasing Program (VPP), select Edit and then find the token that you want to renew. Token status is indicated in the Renew date column: tokens less than 30 days from expiring will have a yellow indicator, and expired tokens will have a red indicator. Select the Actions dropdown for the token and then select Renew. Follow the instructions in the modal to download a new token from Apple Business Manager and then upload the new token to Fleet.

Best practice

Most organizations only need one ABM token and one VPP token to manage their macOS, iOS, and iPadOS hosts.

These organizations may need multiple ABM and VPP tokens:

  • Managed Service Providers (MSPs)
  • Enterprises that acquire new businesses and as a result inherit new hosts
  • Umbrella organizations that preside over entities with separated purchasing authority (i.e. a hospital or university)

For MSPs, the best practice is to have one ABM and VPP connection per client.

The default fleets for each client's ABM token will look like this:

  • macOS: 💻 Client A - Workstations
  • iOS: 📱🏢 Client A - Company-owned iPhones
  • iPadOS:🔳🏢 Client A - Company-owned iPads

Client A's VPP token will be assigned to the above fleets.

For enterprises that acquire, the best practice is to add a new ABM and VPP connection for each acquisition.

These will be the default fleets:

Enterprise ABM token:

  • macOS: 💻 Enterprise - Workstations
  • iOS: 📱🏢 Enterprise - Company-owned iPhones
  • iPadOS:🔳🏢 Enterprise - Company-owned iPads

The enterprises's VPP token will be assigned to the above fleets.

Acquisition ABM token:

  • macOS: 💻 Acquisition - Workstations
  • iOS: 📱🏢 Acquisition - Company-owned iPhones
  • iPadOS:🔳🏢 Acquisition - Company-owned iPads

The acquisitions's VPP token will be assigned to the above fleets.

Simple Certificate Enrollment Protocol (SCEP)

Fleet uses SCEP certificates (1 year expiry) to authenticate the requests hosts make to Fleet. Fleet renews each host's SCEP certificates automatically every 180 days.

Troubleshooting failed enrollments

If a host is turned off due to user action or a low battery during the Setup Assistant, it may fail to enroll. This can also happen if your Fleet instance is down for maintenance when a host tries to enroll automatically during the Setup Assistant. In these cases, hosts usually restart after the user attempts to get past the “Welcome to Mac" screen. The best practice in this situation is to wipe the host with Fleet if it has network connectivity or to reinstall macOS from Recovery.