Mac Admin

Apple IDs, MDM Servers and You!

Updated: 2018-11-08

Hi All,

As a part of my Jamf Integrator role, I find myself recommending a number of general practices when using Apple IDs and MDM solutions. I felt it was time to document these, with the result being this post.

As with most things I write here, these are my opinions and personal best practices based on my own experiences and encounters and are by no means without fault. If you see anything you don’t think is right, please reach out to me via the comments, Twitter or Slack (or indeed in person!).

Apple ID usage in an MDM Server

There are four main areas Apple IDs can used in relation to an MDM Server:

Apple Push Notification service (APNs) certificate

Probably the most common, this is the Apple ID you would use to create and renew your APNs certificate yearly.

Volume Purchase Program (VPP)

Probably the second most common, this is the Apple ID you would use with the previous VPP store (https://vpp.itunes.apple.com) to bulk buy App and Book licenses from Apple. In most cases, this has been migrated / replaced with the Apple School Manager (https://school.apple.com) or Apple Business Manager (https://business.apple.com) programs.

Device Enrolment Program (DEP)

Probably the third most common, this is the Apple ID you would use with the previous deployment portal (https://deploy.apple.com) to manage your Apple hardware auto-enrolments under the DEP program. In most cases, this has been migrated / replaced with the Apple School Manager (https://school.apple.com) or Apple Business Manager (https://business.apple.com) programs.

Managed Apple IDs (MAIDs)

The newest, and most niche Apple ID, MAIDs are used for education, allowing students who would otherwise be too young, to use Apple services and features such as Shared iPad. MAIDs are outside the scope of this post, but I hope to do a post in the future just on these!

Best Practices

And now the meat of this post, best practices and recommendations created from my own experience as well as other Mac Admins I’ve worked and / or spoken with.

APNS_Logo  APNs Apple ID

APNs certificate expiry

This Apple ID is used with your MDM server and the Apple Push Certificates Portal (https://identity.apple.com/pushcert/) to generate an APNs (or ‘push’) certificate. This in turn, is linked to your MDM enrolled devices (iOS and macOS) in order to carry out MDM tasks. These include:

  1. Deployment of profiles
  2. Deployment of VPP Apps and Books
  3. Running of MDM commands
  4. DEP enrolment (kinda)

This certificate is free to obtain and expires yearly. As there is no charge or disruption to service you can renew this certificate at any time before it expires. It must be renewed with the same Apple ID that was used to create it.

Failure to renew the certificate before it expires, or failure to use the same Apple ID, will require you to generate a new APNs certificate. As a result of this, you will need to re-enrol the MDM aspect of all devices. For Supervised iOS and macOS devices with non-removable MDM Profiles, this will necessitate a full wipe and re-enrollment!

Once you create your APNs Certificate, set a reminder in a task tracking solution and / or calendar. Double points if you do this in a team calendar so multiple people will see it. I tend to suggest stick an alert 30 days before, then a week before, then daily. Once you’ve renewed the certificate and have a new expiry date, just adjust the reminders / events.

Service Apple ID Account

In order to help with the above, create a dedicated Apple ID just for the purpose of creating and renewing the APNs certificate.

Do not use a personal Apple ID! If you, or the owner of the Apple ID leaves the company, you’ll need to create a new Apple ID, a new APNs certificate and to re-enrol the MDM aspect of all devices For Supervised iOS and macOS devices with non-removable MDM Profiles, this will necessitate a full wipe and re-enrollment!

You can create a brand new Apple ID, without any payment details by using the Apple ID web page at https://appleid.apple.com and clicking the ‘Create your Apple ID‘ option in the upper right corner. Use this new account in the Apple Push Certificates Portal when creating the APNs Certificate.

Bonus Tip: If you have multiple MDM venders (perhaps you have a test/dev and production instance, or you have separate MDM instances for iOS or macOS), you can use the same AppleID to create and renew multiple APNs certificate. Just make sure to use the ‘Notes’ box to note which is for which server!

But before that…

Use an Email Alias or Group

Don’t use your personal or individual email account for the Service Apple ID account. Create an email alias or group and use this. I’d typically suggestion something along the lines of apns@domain.com.

That way, if you (or the person who creates the APNs account and certificate) leaves, the institute or company isn’t stuck with an Apple ID they don’t have access to, and no way to renew their APNs certificate. They’ll also be stuck with anger and frustration and potentially pitchforks.

Also, Apple will email this address when the certificate reaches 30-days, 7-days and 1-day to expiry, so it’s worth setting up email forwarding rules, especially if you can link them into a ticketing system!

Multi-Multi-Factor

One key point (as highlighted by Graham Pugh in the comments) is you can add multiple mobile / cell numbers to the same Apple ID for 2 factor authentication. This would allow multiple administrators to log into a service Apple ID without resorting to not using 2 factor authentication.

A second number can be added via the same https://appleid.apple.com page.

vpp-128x128.png VPP Apple ID

VPP token expiry

This Apple ID is used with your MDM server and the VPP / Apple School Manager / Apple Business Manager portal to generate a VPP token. This in turn, is linked to your MDM solution in order to deliver VPP content such as Apps and Books. This token is free to obtain and expires yearly. As there is no charge or disruption to service you can renew this token at any time. If you’re using the previous VPP Portal, it must be renewed with the same Apple ID that was used to create it. If you’re using Apple School Manager / Apple Business Manager, then any account with access to the portal (and has the role ‘Content Manager’ or ‘admin’) can renew this.

Failure to renew the token before it expires, or failure to use the same Apple ID (VPP Portal only), will prevent you from updating or deploying any VPP content. 

You can renew this token after its expired without having to re-enrol devices!

Once you create your VPP token, set a reminder in a task tracking solution and / or calendar. Double points if you do this in a team calendar so multiple people will see it. I tend to suggest stick an alert 30 days before, then a week before, then daily. Once you’ve renewed the token and have a new expiry date, just adjust the reminders / events.

Service Apple ID Account

If you’re not using Apple School Manager or Apple Business Manager, you can only have one VPP Apple ID. As with APNs Apple IDs, make sure to use a service account, and not one tied to a specific person. If you don’t get the chance to create one as part of the setup (and you should), then feel free to create another one as detailed above under “Service Apple ID Account“.

If you are using Apple School Manager / Apple Business Manager, it is recommended to not use your own personal Apple IDs and instead to create a new one just for the purpose of accessing these portals. If need be, create a new email alias for yourself of something like asm.[name]@domain.com or abm.[name]@domain.com and use this to create a new Apple ID.

Use an Email Alias or Group

Don’t use your personal or individual email account for the Service Apple ID account (previous VPP Portal) or your access Apple ID (Apple School Manager or Apple Business Manager portal). Create an email alias or group and use this. I’d typically suggestion something along the lines of vpp@domain.com, asm.[name]@domain.com or abm.[name]@domain.com.

That way, if you (or the person who creates the VPP account) leaves, the institute or company isn’t stuck with an Apple ID they don’t have access to, and no way to renew their VPP token or make new purchases. Again, here be possible pitchforks.

Multi-Multi-Factor

One key point (as highlighted by Graham Pugh in the comments) is you can add multiple mobile / cell numbers to the same Apple ID for 2 factor authentication. This would allow multiple administrators to log into a service Apple ID without resorting to not using 2 factor authentication.

A second number can be added via the same https://appleid.apple.com page.

DEP DEP Apple ID

DEP token expiry

This Apple ID is used with your MDM server and the Deploy / Apple School Manager / Apple Business Manager portal to generate a DEP token. This in turn, is linked to your MDM solution in order to managed DEP enrolment of devices. This token is free to obtain and expires yearly. As there is no charge or disruption to service you can renew this token at any time. It can be renewed with any account with access to the portal (specific minimum account permissions TBC!) can renew this.

Failure to renew the token before it expires, will prevent you from modifying DEP information or adding new devices.

You can renew this token after its expired without having to re-enrol devices!

Once you create your DEP token, set a reminder in a task tracking solution and / or calendar. Double points if you do this in a team calendar so multiple people will see it. I tend to suggest stick an alert 30 days before, then a week before, then daily. Once you’ve renewed the token and have a new expiry date, just adjust the reminders / events.

Apple ID Account

As with all these Apple ID accounts, it is recommended to not use your own personal Apple IDs and instead to create a new one just for the purpose of accessing the Deploy / Apple School Manager / Apple Business Manager portals. If need be, create a new email alias for yourself of something like dep.[name]@domain.com and use this to create a new Apple ID.

New Terms and Conditions

At least once a year Apple release new Terms and Conditions for their Deployment service. This is typically around Autumn when new OS version are released, and occasionally in Spring with any secondary major OS release. You’ll get notified of this via email to the address configured for each Deploy / Apple School Manager / Apple Business Manager portal account.

You’ll need to log into the correct portal, review the changed T’s and C’s and agree them (if acceptable to you). If you fail to do so, you’ll be in the same position as if you let the DEP token expire, namely:

You will not be able to modify DEP information or add new devices.

Multi-Multi-Factor

One key point (as highlighted by Graham Pugh in the comments) is you can add multiple mobile / cell numbers to the same Apple ID for 2 factor authentication. This would allow multiple administrators to log into a service Apple ID without resorting to not using 2 factor authentication.

A second number can be added via the same https://appleid.apple.com page.

Summary

There we go. A long blog full of recommendation when using various Apple IDs with MDM solutions. As always, if you have any questions, queries or comments, let me know below (or @daz_wallace on Mac Admins Slack) and I’ll try to respond to and delve into as many as I can.

The usual Disclaimer:

While the author has taken care to provide our readers with accurate information, please use your discretion before acting upon information based on the blog post. I will not compensate you in any way whatsoever if you ever happen to suffer a loss/inconvenience/damage because of/while making use of information in this blog.

Update 2018-11-08

Graham Pugh left an interesting comment in this post regarding the ability to switch to another APNs certificate without having to re-enrol all devices! In his words:

It requires opening up a request ticket and supplying all the cert IDs, and it took a couple of days – so don’t leave it til they’re about to expire!

He also mentioned the ability to add 2FA to an Apple Id, but using multiple phone numbers to allow for multiple administrators to log into the same account. I’ve added this into the post above.

Advertisements
Standard

2 thoughts on “Apple IDs, MDM Servers and You!

  1. Graham says:

    Great post! A nice reminder NEVER to let push certs expire.

    Couple of notes:
    1. It *is* possible to get certs migrated to another account. I’ve done this myself, as I had broken rule #1 and created several push certs with a personal ID (albeit still an account associated with the institution). It requires opening up a request ticket and supplying all the cert IDs, and it took a couple of days – so don’t leave it til they’re about to expire!.

    2. If you have 2FA set up, it’s really neat that Apple will let you add multiple numbers to which an SMS will be sent, so that each member of your team can do the 2FA. We have three mobile numbers set up. You just have to remember the last 2 digits of your number, and preferably, there won’t be two mobile numbers with the same last two digits, since that’s all that is displayed!

    Like

    • Hi Graham,

      Thanks a bunch! 😊
      1. This is news to me and colour my interested! Have you got any more details or a post I can link?
      2. Good point and I’ll get that added shortly!

      Thanks again for your comment

      Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s