Business Manager

Hello, all devices in our company are Apple (50 pcs MacBook and iPhone). There are problems I want to ask about; I would be very grateful if you can help.


1- I opened an account to try Apple Business Manager before and entered some of the information incorrectly. I added the Microsoft account to use the Unified Authentication system, then deleted all the domains in the account and created a new account again; everything is correct and I am waiting for information from Apple for confirmation. But when I try to add the Microsoft account to use the Unified Authentication system, I get a warning that it is in use in a different Apple Business account. I don't understand why it says so, although I don't see any connection in the Azure portal.

2- In an example scenario, our company employee left the company but did not return the computer and phone to us. Can we remotely lock the computer, phone or block access?

3- Our company has locations in 2 countries, Turkey and Switzerland. If I buy AppleCare for Enterprise service from any region, can I use it in both regions?

4- How can I send a ticket to Apple about these issues?

Posted on Sep 2, 2023 12:28 PM

Question marked as Top-ranking reply

Posted on Sep 2, 2023 5:14 PM

Hello,


1: At what point are you getting this issue? When you go to verify the domain? Or are you getting this when you enable federation? If at federation, you likely have the old enterprise App in Azure. Log into https://entra.microsoft.com/ and select Applications > Enterprise Applications from the sidebar. When the list appears, do you see Apple Business Manager in the list of configured apps? If so, I will speculate that you need to delete that app in order to recreate it.


2: You mention Apple Business Manager. In order to lock the device you will need an MDM. Apple Business Manager is for hard and soft asset chain of custody. You don't manage the devices in ABM. Apple offers Apple Business Essentials as an MDM. And there are many other more capable MDMs available. In order to remotely lock the device, it must be enrolled in your MDM and supervised. If you don't have an MDM and the hard assets are in ABM, then you have no mechanism to remotely lock the assets.


3: Regarding AppleCare for Enterprise, as far as I know, you only need one. If you have a multinational presence, you are covered by the Enterprise agreement. You will need to define authorized contacts. AppleCare for Enterprise will provide you with an SE and direct contact with Apple for bug reporting and troubleshooting.


4: Call AppleCare. You should be able to find the regional contact info via a search.


Hope this helps.


Sep 4, 2023 9:10 AM in response to FEMAM

If you are going to be managing Macs and plan to use any software that is NOT available in Apple's App Store (this includes Google Chrome, Zoom, Asana, anything from Adobe, etc.), then look into Jamf Pro. If you have 50 units, you can purchase direct from Jamf. If you have less and want to offload your management, look for a Jamf MSP partner as we can start customers with as few as 5 devices.


Other MDMs, from Apple's Apple Business Essentials, to Mosyle, to Intune, are great for iOS/iPadOS devices or for Mac environments that exclusively use App Store apps. Once you need to deploy and manage external apps, the other MDMs show their weakness. We have one customer that fits this role and it is a law firm that uses Pages for all written work, Preview for PDFs, and Mail/Contacts/Calendar for connecting to O365. They are the unicorn from our view. Nearly every other customer has some required piece of software that is not in the App Store. This may be a VOIP app, a productivity tool, or just an alternate browser.


As for DLP, there are a number of options. If you go Jamf, you can add in Jamf Protect and this will provide an extension to DLP by offering the ability to set removable storage policies. The other one I have the most experience with and generally recommend is Microsoft Defender for customers already on Microsoft cloud services. If you are using E5 licenses you already have access. However, you can add Security and Mobility to a Standard or Basic license to unlock the Defender admin portal. Configuring DLP in Defender is a little rough around the edges but in typical Microsoft fashion this will get ironed out in time. This is the core Defender setup https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-jamfpro-policies?view=o365-worldwide and this is for device control https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-device-control-overview?view=o365-worldwide. Additional DLP options can be found on the links on those pages.


Remember, Apple Business Manager is all about chain of custody. ABM creates an agreement between your legal business entity and Apple. With the agreement you can link hard assets (Macs, iPhones, iPads, etc) and soft assets (apps and books from the Apple stores). In addition, ABM can also integrate into your identity provider (Microsoft), allowing you to federate the service and allow directory sync. This sync process can allow you to automatically support Managed Apple IDs. While we generally try to avoid using Apple IDs on supervised devices, there are some cases in which an Apple ID is required. However, Managed Apple IDs still have a lot of limitations (see Use Managed Apple IDs in Apple Business Manager - Apple Support) so even if you integrate ABM, there may be cases where a user must create a regular Apple ID.


Hope this is helpful.

