Apple Business Manager is a critical tool for anyone who manages Apple devices. It provides a critical link between your device-management solution and your devices, enabling things like Automated Device Enrollment (ADE). Add in its tools for distributing apps and other content and its ability to federate with user directories, and Apple Business Manager clearly becomes essential for any Mac admin.
This guide will provide an overview of how Apple Business Manager works and how you can use it to manage Apple devices in your org. We’ll cover its primary components—People, Devices, and Content—as well as its role in the device-management infrastructure.
Note: Apple Business Manager is found at the URL business.apple.com. But when Apple Business Essentials ships (which is expected to happen later this spring), it will use that same URL; the interface will differ depending on whether or not you’re a Business Essentials customer.
What Is Apple Business Manager?
Apple Business Manager is a web-based portal that gives IT administrators tools for deploying and configuring macOS, iOS, and iPadOS devices. When connected to a device-management solution (such as Kandji), it lets you configure settings for those devices and distribute content to them. Apple Business Manager is not a device-management solution in and of itself; rather, it complements one.
Apple runs a similar service for education customers, Apple School Manager; we won’t be covering that service here, but it is worth noting that it offers some features—including a quantity of cloud storage and tools for managing school rosters—that Apple Business Manager doesn't.
Before you can take advantage of Apple Business Manager, you must first enroll in it. That process is detailed in Apple's Getting Started guide, but to summarize: You provide information about your organization, including an email address associated with your business. Apple reviews that information and verifies your identity and your role within your company. Assuming that all checks out, you’re granted an Apple Business Manager account; the person associated with the provided email address is the default administrator. That first administrator can then enable others.
You'll want to supply some additional information after you enroll: Your organization’s Apple customer number (if you purchase directly from Apple) or a reseller ID (if you purchase Apple devices from a participating Apple Authorized Reseller or carrier); you can enter more than one if you purchase Apple devices from multiple vendors. Here’s how to do so. We’ll explain why you should in just a bit.
Organization and People
The lefthand navbar of the Apple Business Manager web interface is divided into four sections: Organization, People, Devices, and Content. The first two are chiefly concerned with managing your Apple Business Manager instance itself.
Organization is where you can view activity and status messages for your Apple Business Manager account. Viewable activities run the gamut from new account sign-ins to device deactivations; see the full list here.
This is also where you manage Locations. When you set up your Apple Business Manager account, the address you provide becomes your first location. You can then add and manage others in the Locations section of Apple Business Manager; they can correspond to physical offices, departments, or groups.
One reason locations are significant: Content licenses are tied to them. You can transfer any unassigned licenses from one location to another. That ability can come in handy when you’re migrating from one device-management solution to another: You can create a new location for your new MDM and transfer the licenses to it.
The People section is where you manage the roles of people who will be working with your Apple Business Manager instance.
There are five roles in Apple Business Manager: Administrator; People Manager; Device Manager; Content Manager; and Staff. Apple has a useful table that breaks down the privileges for each one, but the correspondence between those roles and the sections of the Apple Business Manager interface should give you a clue as to what each can do. Administrators can do everything the other roles can. When you create a new account in Apple Business Manager, that creates a Managed Apple ID for that admin, which they then use to log in. (To learn more, read our guide to Managed Apple IDs.)
While the People section is primarily about managing access for admins, it can have other uses. For example, some organizations use Apple Business Manager to create Managed Apple IDs specifically for whoever manages their Apple Push Notification service (APNs) certificates. Managed Apple IDs can also be created if you federate Apple Business Manager with an Azure AD user directory. The users in that directory can then use their Azure AD credentials as Managed Apple IDs. Apple explains how that works here. One use-case where that can be useful: When you want to implement user-based enrollment.
Managing devices—and, crucially, connecting them to your device-management service—is where Apple Business Manager really earns its central place in a Mac admin’s heart.
Adding devices to Apple Business Manager guarantees that the devices are owned and managed by your business instead of the employee; that, in turn, means you can supervise those devices. Devices tied to your Apple Business Manager account are easier to deploy to end-users, thanks to features like Automated Device Enrollment.
ADE, in turn, enables zero-touch deployments, so you can set up and ship devices for new employees without physically touching them; when the device is unboxed and activated, the device is automatically enrolled into your device-management solution, with the settings and apps you want in place and ready to go. ADE also enables security tools such as device-based activation lock bypass and remote authorization of legacy system extensions (f.k.a. kexts) on Apple silicon devices.
For all this to happen, you must first link your MDM solution to your Apple Business Manager account. The specifics for doing so will vary by solution. (Kandji’s instructions are here.) But the general workflow is: Add an MDM server to your Apple Business Manager account, upload a public key certificate that your MDM provides to Apple Business Manager, then download a token that Apple Business Manager provides and upload that to your device management solution. (One reason Apple requires Managed Apple IDs for admins is so an organization can still update its tokens if the original manager can’t—if, say, that person leaves the company.)
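The exchange in that workflow, simulated locally as an added example (not Kandji's or Apple's code; no Apple service is contacted). It assumes the downloaded token is an S/MIME envelope encrypted to the certificate you uploaded; the token contents, field names and file names are constructed for the simulation.

```shell
#!/bin/sh
# Added example: local simulation of the certificate/token exchange.
set -eu
WORK=$(mktemp -d)

# MDM side: the certificate (public half) is what gets uploaded to Apple
# Business Manager; the private key stays with the MDM.
mdm_make_keypair() {  # $1 = name prefix for the key/cert files
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
    -keyout "$WORK/$1_key.pem" -out "$WORK/$1_cert.pem" 2>/dev/null
}

# Portal side (simulated): wrap a CONSTRUCTED token so that only the holder of
# the matching private key can read it.
portal_issue_token() {  # $1 = cert prefix, $2 = expiry (UTC, ISO 8601)
  printf '{"access_token":"CONSTRUCTED","access_token_expiry":"%s"}\n' "$2" |
    openssl smime -encrypt -aes256 -out "$WORK/token.p7m" "$WORK/$1_cert.pem"
}

# MDM side: decrypt with the private key and pull out the expiry timestamp.
# Fails if the key pair is not the one the token was issued to.
mdm_read_expiry() {  # $1 = key/cert prefix
  plain=$(openssl smime -decrypt -in "$WORK/token.p7m" \
    -inkey "$WORK/$1_key.pem" -recip "$WORK/$1_cert.pem" 2>/dev/null) || return 1
  printf '%s\n' "$plain" | sed -n 's/.*"access_token_expiry":"\([^"]*\)".*/\1/p'
}

# Compare two UTC timestamps of the form 2030-01-01T00:00:00Z by reducing
# them to digits (YYYYMMDDhhmmss), which order the same way as the dates.
token_status() {  # $1 = expiry, $2 = current time
  exp=$(printf '%s' "$1" | tr -cd '0-9')
  now=$(printf '%s' "$2" | tr -cd '0-9')
  if [ "$exp" -gt "$now" ]; then echo valid; else echo expired; fi
}

mdm_make_keypair mdm
portal_issue_token mdm "2030-01-01T00:00:00Z"
expiry=$(mdm_read_expiry mdm)
echo "token expires $expiry: $(token_status "$expiry" "$(date -u +%Y-%m-%dT%H:%M:%SZ)")"
```

The private key is the sensitive half of this exchange: a copy of the token file alone cannot be opened, while anyone holding both the key and the token can act as your MDM server until the token expires or is replaced.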
Once you’ve connected your MDM solution to Apple Business Manager, there are two ways to get devices into your account: Buy them directly from Apple or an authorized reseller, or enroll them using Apple Configurator.
If you buy them from Apple or an authorized reseller, Apple Business Manager will automatically match devices to your account—but only if you added your Apple customer number (in the first instance) or the reseller’s ID (in the second). That’s why we suggested you do so above.
The other way to get devices into Apple Business Manager is using Apple’s Configurator app. It’s available on iOS (to enroll Mac computers) and on Mac (to enroll iOS and iPadOS devices). Apple has the instructions here. Devices added using Configurator are placed in a special group in the Devices section of Apple Business Manager.
One significant difference between devices added to Apple Business Manager by purchase and by Configurator: The latter behave like those you purchase directly from Apple or an authorized reseller, in that they're automatically enrolled in your MDM solution and supervised by default. But their users have a 30-day provisional period in which they can release the device from supervision. Devices must be erased before they can be enrolled via Configurator, so it’s not a great option for devices that are already in use.
Once you’ve added devices to Apple Business Manager, they need to be assigned to an MDM server. You can set defaults for associating new devices to a specific server, which makes it easier to assign devices in batches. (You can do this by device type if you wish—managing iOS devices on one server and Mac computers on another.) Of course, there’s an Apple support article for that.
Alternatively, you can manually assign new devices to an MDM server, using their serial numbers (OK for smaller batches), order numbers (for larger ones), or by copying and pasting the contents of a CSV file.
As with devices, Apple Business Manager also works hand-in-hand with your device-management solution when it comes to managing apps and other content. This is a two-step process.
First, you obtain App Store software licenses (paid or free) in Apple Business Manager. (If you’ve been managing Apple devices for a while, you might remember when this was managed through the Volume Purchase Program, or VPP.) This purchasing process is the province of those who’ve been given the content manager role in Apple Business Manager; they’re the ones who can purchase and distribute content. Content managers can be tied to specific locations and so manage app distribution there. (See Apple’s explanation of content management and locations for more details.)
Second, you use your device-management solution to assign and install those licensed apps to devices. You’ll have to download a specific content token from Apple Business Manager to your MDM; Apple explains how here. The specifics of this process depend on the device-management solution you use. In Kandji, we manage it through Blueprints: Groups of devices assigned to a given Blueprint can get apps along with configuration profiles and parameters; any device enrolled in that Blueprint gets the assigned apps. (See here for more details.)
Apple Business Manager won't help you distribute apps that aren’t in the App Store. Again, depending on your device-management system, there may be other ways to do that. (See, for example, how to deploy Custom Apps and Auto Apps and work with Self Service in Kandji.)
The bottom line: Apple Business Manager is an essential—and free—tool for any Mac admin. It requires a bit of planning and preparation upfront, so be sure to give yourself enough time for that. But once it’s set up, there’s little to do but make sure tokens don’t expire and that devices are correctly assigned.
Kandji integrates tightly with Apple Business Manager, as well as a host of other management and security tools that can make work-life better for you and your users. With a suite of features like zero-touch deployment, one-click compliance, and offline remediation, Kandji is already a great way to enroll, configure, and secure your devices, and we look forward to creating new functionality as the SSO landscape evolves.
This article was substantially updated March 11, 2022.