A ton of questions regarding Apple Business Manager

Looks like you need a primer. And the community needs more information. First, do you have Apple Business Manager or Apple Business Essentials? The difference is that Apple Business Manager is a chain of custody tool, not an MDM. Adding on Apple Business Essentials will provide you with an MDM. There are many MDMs available on the Market and Apple Business Essentials is not for everyone. If you do not yet have an MDM, you should do some research to make sure you are selecting an MDM that satisfies your needs today as well as your future needs as it sounds like your Apple deployment will grow. Most MDMs for iOS devices are the same. If you have Mac needs and your app stack is complex, make sure you pick an MDM that can properly support Macs.

Ok, here are the basics. The ideal deployment you are looking for is to have Apple Business Manager, purchase all of your equipment from a DEP-aware reseller (this is Apple Business Sales if you work with an Apple Store, Apple Business Sales online, or authorized Apple resellers who participate in DEP - this includes most major cellular providers), and setup an MDM to manage all of the devices from initial enrollment to decommission. (see below on the Apple Configurator topic).

Apple Business Manager establishes chain of custody for hard (computers and devices) and soft (apps and books) assets. If you purchase the equipment properly, the assets will appear in ABM before you receive it. If you setup automatic assignment to your MDM, then the assets will appear in the MDM as well. These assets should be assigned to a pre-stage enrollment policy. This is the policy that sets up initial automated enrollment. On top of that, you can create enrollment policies (on Mac), profiles, and App Store app policies to automatically configure the device. By using ABM's Volume Purchasing Program (VPP), all of the apps from the App Store can be delivered to the device without using Apple IDs. Please, oh, please don't use a single Apple ID on each of these units. continued...

By following this method, your enrolled devices achieve supervised status, allowing you the highest level of device management. Please note, there are three basic types of device enrollment; Automated (DEP), user-initiated institutional, and BYOD. The level of management differs on each of these levels. The general rule of thumb is that if the device is institutionally owned, it should be in ABM, managed by an MDM, and enrolled automatically to achieve supervision. If you have older device that cannot be reset and side loaded into ABM, then use user-initiated institutional. If you have user devices that are not owned by the business, then pursue BYOD enrollment models (this provides a light touch management and the user remains mostly in control of the device).

So, now let's look at your situation... You have pile of hardware purchased through the retail channel. This means they cannot participate in automated enrollment unless you use Apple Configurator to side-load them. If you have iPads and iPhones, you need a Mac running Apple Configurator to do this. The process is to link Apple Configurator to your ABM and then tether the device to the Mac to reset the device to associate the unit to your legal business entity by injecting it into ABM. Yes, you must wipe the device. If there is data on the units, be cautious. Once you do this, the device will appear in ABM but it will be assigned to Apple Configurator as the MDM - this is not very useful. You will need to reassign the device in ABM to your real MDM and then reset the device one more time (this can be done with an Erase all contents and settings from the device). Once it reboots, and assuming you have your MDM setup to deliver an automated enrollment experience to that device, then the device will prompt for automated enrollment and you will enjoy supervision of your Apple assets.

To wrap up, if you have not yet deployed the devices (meaning there is no data and nothing setup), I would encourage you to side-load the devices so they are visible in ABM and thus linked via chain of custody to your legal business entity. Once side-loaded into ABM, remember to reassign the devices to your real MDM. Then erase the units again to allow them to hit your real MDM.

On the MDM side, you must have your DEP and VPP tokens installed on the MDM so it is aware of you hard and soft assets from ABM. And you must have a Push Notification cert installed on the MDM. I strongly encourage that you use a generic Apple ID linked to a group email at the business. Do not use a personal Apple ID. People leave companies. If you let the Push Cert expire or you replace it with one from another Apple ID you will drop all devices from management. That is a very bad day. Don't have that day. Understand your Push Cert requirements and do it right from the start.

On the MDM, setup your pre-stage policy and define you app list as well as profiles for setting enforcement - like setting pin code, enforcing restrictions, etc.

Management of Apple hardware is a dream. While this may seem confusing now, it is a really elegant solution. We barely touch hardware anymore. Everything drop-ships direct to customers and regular users do the setup for us. Done right, it is maybe 4 clicks (country, language, join a network, and enroll).

Good luck with the project. Hope this is helpful,

Reid

Apple Consultant Network Member