INTRODUCTION
In this short blog post, we’ll take a closer look at Apple Automated Device Enrollment (ADE) in Intune. I’ll explain what ADE actually is, the requirements to use it, and when it makes sense to choose this enrollment method. In addition, I’ll share a few good-to-know lessons learned directly from the field: real, first-hand experiences rather than theory.
I’ll also try to answer some of the basic questions I had myself before I started working with ADE, especially the ones that aren’t always clear when you rely only on documentation.
Microsoft Learn already provides detailed and official guidance, and I strongly recommend checking it out if you need the full picture. With this post, however, my goal is to give you a quick, practical overview of ADE and add hands-on insights that may save you time in real-world environments.
Microsoft Learn Documentation – Apple Device Enrollment (ADE)
What is Apple Automated Device Enrollment?
Apple Automated Device Enrollment is a zero-touch deployment method that uses Apple Business Manager. Devices enrolled through ADE are supervised and fully managed, and when the enrollment profile uses locked enrollment the user cannot remove the management profile. As a result, IT has control over the device from the first boot.
What is zero-touch deployment?
In the context of Microsoft Intune and Apple Automated Device Enrollment, zero-touch deployment means that IT does not need to physically handle the device at any point. When a device is purchased through Apple or an Apple-authorized reseller and assigned to your Intune MDM server in Apple Business Manager, it is automatically linked to Intune. As soon as the user turns on the device and connects it to the internet, Apple recognizes it as company-owned and enforces management during the initial setup.
From the user’s perspective, the experience is simple. They power on the device, sign in with their corporate account, and the setup continues automatically. In the background, the device enrolls into Intune, applies management profiles, installs required applications, and enforces security policies. Optional Setup Assistant screens, such as Apple ID or iCloud configuration, are shown or skipped according to what IT sets in the enrollment profile. As a result, there is no need for manual enrollment, local admin credentials, or helpdesk involvement.
This approach matters in real-world deployments because it allows devices to ship directly from the reseller to the end user. IT teams no longer need to pre-stage or image devices, and every device follows the same controlled setup. Most importantly, as long as the device remains assigned to your organization in Apple Business Manager it re-enrolls after every wipe, and with locked enrollment the user cannot remove it from management.
What does it mean when a device is supervised?
A supervised Apple device operates in a company-owned management mode that provides IT with significantly more control and visibility than user-driven enrollment. When devices enroll through Automated Device Enrollment, supervision is enabled automatically and remains in place for as long as the device stays assigned to your organization in Apple Business Manager.
Supervision marks the device as managed by an organization and, combined with locked enrollment, prevents users from removing MDM. It also unlocks advanced management capabilities that are otherwise unavailable, such as silent app installation, tighter security restrictions, stronger control over system features, and more advanced OS update and Lost Mode options. Without supervision, many of these controls simply do not work.
To become supervised, the device must enroll through Apple Business Manager using ADE during the initial setup (Setup Assistant). Supervision cannot be switched on for an already-enrolled device without wiping it. Because the device stays assigned in ABM, it remains supervised and tied to the organization even after a factory reset, which ensures consistent and enforceable management.
Why supervision matters
From real-world experience, supervision is what makes ADE worth using:
- Management becomes predictable and enforceable
- Users can’t bypass or remove MDM (with locked enrollment set in the enrollment profile)
- Organizations can fully standardize devices
How does ADE compare with other enrollment methods?
| Method | Ownership | Supervised | Zero-touch | Scales well |
|---|---|---|---|---|
| ADE | Company | ✅ Yes | ✅ Yes | ✅ Excellent |
| Apple Configurator | Company | ✅ Yes | ❌ No | ⚠️ Limited |
| User Enrollment | Personal | ❌ No | ❌ No | ✅ Good |
| Device Enrollment | Mixed | ❌ Usually no | ❌ No | ⚠️ Limited |
Is Automated Device Enrollment free?
Yes. Apple does not charge for Automated Device Enrollment.
What is free
- Apple Business Manager (ABM)
- Automated Device Enrollment (ADE)
- Device assignment and automated enrollment
What is not free
- The devices themselves
- Your MDM solution (for example, Microsoft Intune)
- Optional Apple services such as Apple Business Essentials
- In some cases, reseller fees for ABM device registration
Benefits of zero-touch deployment
Zero-touch deployment allows organizations to deliver devices that are ready for use from the first boot, without any hands-on work from IT. It provides a consistent setup experience, applies security controls immediately, and reduces operational overhead. At the same time, users benefit from a faster and simpler onboarding process, as they only need to sign in once to start working. Because the process scales easily, zero-touch deployment is especially valuable for distributed teams, large rollouts, and environments where devices must remain under strict organizational control.
Downsides of ADE
Despite its advantages, ADE does introduce some tradeoffs. Devices must be purchased correctly and assigned in Apple Business Manager before delivery; otherwise, zero-touch enrollment will not work. Any mistake in the enrollment profile affects all new devices until it is fixed. Troubleshooting issues during the initial setup can also be limited, and enrolling or re-enrolling a device always requires a factory reset. In addition, the device must have a reliable internet connection during the first boot.
Experiences from the field
Requirements
- Apple Business Manager configured
- Automatic Enrollment enabled
- Intune set as MDM authority
- Autodiscover CNAME (EnterpriseEnrollment) configured; this is used by Windows enrollment and is not required for ADE
- Apple Push Certificate registered
- Enrollment Program Token configured
- VPP (Apps and Books) token configured
- Devices registered in ABM
- Factory reset before enrollment
- Network access during activation
Best for
- Fully managed corporate devices
- Enterprise deployments
- Aviation, logistics, and government environments
- Large-scale rollouts
- Scenarios where devices must never leave management
Good to know
- Without Apple IDs, app licenses must use device-based assignment
- Apps assigned as Available rely on Company Portal and a signed-in user; on devices without one, deploy apps as Required
- ABM–Entra federation may require users to change personal Apple IDs
- Microsoft Passkeys are not supported during enrollment
- Enrollment sign-ins must be excluded from strong (phishing-resistant) MFA requirements; keep that exclusion as narrow as possible, for example by targeting the Microsoft Intune Enrollment cloud app in Conditional Access rather than exempting the users’ accounts
- Unfortunately, there is no easy way to test ADE deployment in a “test lab.” Apple Business Manager (ABM) is a prerequisite for ADE deployment, and obtaining ABM is not trivial. ABM is designed for organizations, and Apple verifies this by requiring a D-U-N-S number, a legal entity, and authorization to sign on behalf of the organization.
- Microsoft Entra work accounts are supported. To register for Apple Business Manager, you can use an existing Entra work account. It is recommended to use a dedicated account created specifically for ABM rather than a personal or daily-use account.
- Lost Mode requires network connectivity: During testing, I found that if an ADE-enrolled device is placed into Lost Mode and then moved to a different location, it may fail to connect to Wi-Fi. Without an active network connection, Lost Mode cannot be disabled from the MDM. To recover, the device must be returned to a known Wi-Fi network that it can auto-connect to, or be given internet access via a Mac using network sharing or a physical Ethernet connection. A mobile hotspot is not a reliable option, as user interaction is blocked while the device is in Lost Mode.
Just-in-Time Registration (Single Sign-On)
Single sign-on works across multiple enrollment types, including ADE. Intune enables it through Just-in-Time (JIT) registration, configured with the single sign-on app extension settings in an iOS/iPadOS device features configuration profile.
JIT registration relies on the Microsoft Enterprise SSO plug-in, which ships inside Microsoft Authenticator, so Authenticator must be on the device (for example as a Required VPP app) before registration can happen. After enrollment, the user opens a Microsoft app built on the Microsoft Authentication Library (MSAL), such as Authenticator or Microsoft Teams. This first sign-in registers the device with Microsoft Entra ID and Intune.
Once registration completes, the SSO extension provides seamless access across Microsoft apps. For non-Microsoft apps, you extend SSO by adding the app’s bundle ID, or a bundle ID prefix, to the extension’s allow list.
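The profile Intune builds from those settings is, under the hood, an Apple extensible SSO payload. The script below is an added example for this post, not Microsoft’s or Intune’s own code: it assembles that payload with the keys JIT registration needs, answers the question of whether a given bundle ID would get SSO from the allow lists, and flags profiles that are missing the JIT keys. The extension identifier, team identifier, allow-list key names and the {{DEVICEREGISTRATION}} placeholder are the documented values for the Microsoft Enterprise SSO plug-in; the bundle IDs com.example.crm, com.contoso.timesheet and com.microsoft.exampleapp are invented for the demo.

```python
"""Build and inspect the Microsoft Enterprise SSO plug-in payload used for JIT registration.

Added example, not code from Microsoft or Intune. Documented values: extension and team
identifiers, the AppAllowList/AppPrefixAllowList/AppBlockList keys and {{DEVICEREGISTRATION}}.
All bundle IDs used in the demo are invented.
"""
import plistlib

MS_SSO_EXTENSION = "com.microsoft.azureauthenticator.ssoextension"
MS_TEAM_ID = "UBF8T346G9"
ENTRA_LOGIN_URLS = [
    "https://login.microsoftonline.com",
    "https://login.microsoft.com",
    "https://sts.windows.net",
]
# ExtensionData keys a JIT-registration profile must carry, with the required values
JIT_REQUIRED = {
    "device_registration": "{{DEVICEREGISTRATION}}",
    "browser_sso_interaction_enabled": 1,
}


def build_sso_payload(bundle_ids=(), prefixes=("com.microsoft.",)) -> dict:
    """Return the com.apple.extensiblesso payload as a dict. Intune produces the equivalent
    from the 'Single sign-on app extension' settings of a device features profile."""
    ext = dict(JIT_REQUIRED)
    ext["disable_explicit_app_prompt"] = 1
    if prefixes:
        ext["AppPrefixAllowList"] = ",".join(prefixes)
    if bundle_ids:
        ext["AppAllowList"] = ",".join(bundle_ids)
    return {
        "PayloadType": "com.apple.extensiblesso",
        "ExtensionIdentifier": MS_SSO_EXTENSION,
        "TeamIdentifier": MS_TEAM_ID,
        "Type": "Redirect",
        "URLs": list(ENTRA_LOGIN_URLS),
        "ExtensionData": ext,
    }


def _csv(value) -> list:
    """The plug-in reads its lists as comma-delimited strings; tolerate spaces and blanks."""
    return [v.strip() for v in (value or "").split(",") if v.strip()]


def sso_covers(payload: dict, bundle_id: str) -> bool:
    """True if the allow lists in ExtensionData admit this bundle ID. Block list wins over
    the allow lists. (MSAL-based Microsoft apps get SSO regardless; this models only the
    lists an admin controls.)"""
    ext = payload["ExtensionData"]
    if bundle_id in _csv(ext.get("AppBlockList")):
        return False
    if bundle_id in _csv(ext.get("AppAllowList")):
        return True
    return any(bundle_id.startswith(p) for p in _csv(ext.get("AppPrefixAllowList")))


def missing_jit_keys(payload: dict) -> list:
    """Keys a JIT-registration profile must carry (with the right value) but this one lacks."""
    ext = payload.get("ExtensionData", {})
    return sorted(k for k, v in JIT_REQUIRED.items() if ext.get(k) != v)


def to_plist(payload: dict) -> bytes:
    return plistlib.dumps(payload)


def from_plist(data: bytes) -> dict:
    return plistlib.loads(data)


if __name__ == "__main__":
    profile = build_sso_payload(bundle_ids=["com.example.crm"])
    print(to_plist(profile).decode())
    for app in ["com.microsoft.exampleapp", "com.example.crm", "com.contoso.timesheet"]:
        print(f"{app:<28} SSO: {sso_covers(profile, app)}")
    print("missing JIT keys in an empty profile:", missing_jit_keys({"ExtensionData": {}}))
```

Run the script against a profile exported from a device (or the values you typed into the portal) when an app unexpectedly prompts for credentials: a bundle ID that is neither listed in AppAllowList nor matched by a prefix will not get SSO, no matter how correct the rest of the profile is.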
What to check before implementing ADE
- Ownership model (Corporate vs BYOD)
- Licensing model (Device vs User)
- ABM federation decision
- Enrollment method comparison
- VPP deployment strategy
- SSO approach
- Update and compliance strategy
- Support model
- Certificate lifecycle ownership
What to check after implementing ADE
Apple Business Manager (ABM) – ADE / MDM Token
Use a dedicated, IT-owned account that is not associated with any user, for example: ade-token@domain.com. Document its two-factor trusted phone number and recovery details; losing access to this Apple ID means losing the ability to renew the token.
What to verify
- Token is uploaded and Active
- Correct MDM server assigned to devices in ABM
- Devices appear in Intune with ADE = Yes
- Token expiration date documented (Validity: 1 year)
Ongoing maintenance
- Schedule token renewal before expiration
- Confirm renewal process does not require device re-enrollment
Critical warning
- Do NOT delete the MDM server in ABM
- Deleting breaks device assignment → may require device wipe
Apple Push Certificates Portal
Use a dedicated account that is not associated with any user, for example: ade-push-cert@domain.com
What it is
- The Apple MDM push certificate establishes trust between Intune and the Apple Push Notification service (APNs); Intune uses it to wake devices for check-in
- Required for managing any Apple device in Intune, ADE-enrolled or not
- Validity: 1 year
What to verify
- Certificate is active and not nearing expiration
- Apple ID used for the certificate is documented and owned by IT
- Renewal reminder is in place
If the certificate expires
- Intune can no longer reach the devices until the certificate is renewed
- Renew with the same Apple ID that created the certificate; a certificate created with a different Apple ID has a different push topic, and every device must be enrolled again
VPP / Apps and Books Token
Use a dedicated account that is not associated with any user, for example: vpp-token@domain.com
What to verify
- Token is active and synced
- App licenses appear correctly in Intune
- Device/User assignment matches intended licensing model
Operational checks
- Apps install during ADE enrollment
- Updates deploy successfully
- No license mismatch or “missing” apps
Token health
- Confirm expiration date (Validity: 1 year)
- Schedule renewal before expiration
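All three artefacts above expire after a year, and all three expose their expiry through Microsoft Graph. The script below is an added example for this post, not code from Microsoft or Apple: it reads the ADE token, the APNs certificate and the VPP token from their Graph resources, classifies each as OK, due for renewal or expired, and prints one line per artefact. It assumes the Graph resources named in ENDPOINTS and the property names they document; the 30-day warning threshold is my own choice, and SAMPLE is constructed data shaped like those responses so the script runs offline.

```python
"""Expiry check for the three Apple artefacts an Intune tenant depends on:
the ADE (enrollment program) token, the APNs certificate and the VPP token.

Added example for this post, not code from Microsoft or Apple. It assumes the
Microsoft Graph resources named in ENDPOINTS and the property names they
document; SAMPLE is constructed to look like those responses so the script
runs offline. WARN_DAYS is an assumption, not a Microsoft or Apple default.
"""
import json
import urllib.request
from datetime import datetime, timezone

GRAPH = "https://graph.microsoft.com"
ENDPOINTS = {
    "ADE token": f"{GRAPH}/beta/deviceManagement/depOnboardingSettings",
    "APNs certificate": f"{GRAPH}/v1.0/deviceManagement/applePushNotificationCertificate",
    "VPP token": f"{GRAPH}/v1.0/deviceAppManagement/vppTokens",
}
WARN_DAYS = 30


def parse_graph_time(value: str) -> datetime:
    """Graph emits ISO 8601 UTC with a trailing Z and up to seven fractional digits;
    datetime.fromisoformat accepts at most six, so trim before parsing."""
    value = value.rstrip("Z")
    if "." in value:
        head, frac = value.split(".", 1)
        value = f"{head}.{frac[:6]}"
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def extract_items(kind: str, payload: dict) -> list:
    """Collections arrive under 'value'; the APNs certificate is a single object.
    The three resources spell the Apple ID and expiry properties differently."""
    items = payload.get("value", [payload])
    rows = []
    for item in items:
        expiry = item.get("expirationDateTime") or item.get("tokenExpirationDateTime")
        rows.append({
            "kind": kind,
            "name": item.get("tokenName") or item.get("displayName") or kind,
            "apple_id": item.get("appleIdentifier") or item.get("appleId") or "<unknown>",
            "expires": parse_graph_time(expiry) if expiry else None,
        })
    return rows


def classify(expires, now: datetime, warn_days: int = WARN_DAYS):
    """Return (status, days_left); a negative days_left means already expired."""
    if expires is None:
        return "UNKNOWN", None
    days_left = (expires - now).days
    if days_left < 0:
        return "EXPIRED", days_left
    if days_left <= warn_days:
        return "RENEW SOON", days_left
    return "OK", days_left


def check_expirations(payloads: dict, now: datetime, warn_days: int = WARN_DAYS) -> list:
    """payloads maps kind -> decoded Graph response; returns one result row per artefact."""
    results = []
    for kind, payload in payloads.items():
        for row in extract_items(kind, payload):
            status, days = classify(row["expires"], now, warn_days)
            results.append({**row, "status": status, "days_left": days})
    return results


def fetch_live(access_token: str) -> dict:
    """Live mode (not used offline): needs a bearer token carrying the Graph permissions
    DeviceManagementServiceConfig.Read.All and DeviceManagementApps.Read.All."""
    payloads = {}
    for kind, url in ENDPOINTS.items():
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            payloads[kind] = json.load(resp)
    return payloads


NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock so the sample output is reproducible
SAMPLE = {  # constructed sample responses; the Apple IDs are the placeholders used in this post
    "ADE token": {"value": [{"tokenName": "Corp ABM", "appleIdentifier": "ade-token@domain.com",
                             "tokenExpirationDateTime": "2025-06-20T10:00:00Z"}]},
    "APNs certificate": {"appleIdentifier": "ade-push-cert@domain.com",
                         "expirationDateTime": "2026-03-15T08:30:00.1234567Z"},
    "VPP token": {"value": [{"displayName": "Corp VPP", "appleId": "vpp-token@domain.com",
                             "expirationDateTime": "2025-05-01T00:00:00Z"}]},
}

if __name__ == "__main__":
    for r in check_expirations(SAMPLE, NOW):
        when = f"{r['expires']:%Y-%m-%d}" if r["expires"] else "n/a"
        print(f"{r['status']:<10} {r['kind']:<17} {r['apple_id']:<26} expires {when} ({r['days_left']} days)")
```

Swap SAMPLE for fetch_live(token) and datetime.now(timezone.utc) for NOW to run it against a tenant; scheduled from a runbook or pipeline, it turns the three "schedule renewal before expiration" items above into an alert instead of a calendar reminder, and the Apple ID column doubles as a check that each artefact is still owned by the dedicated IT accounts rather than by someone who has left.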
In Part 2, I’ll walk through a real customer project, covering the journey from the initial workshop through to a production-ready ADE deployment. This will include the high-level design, architecture decisions, and practical considerations taken along the way.