Connect Cortado with Apple Business Manager (ABM)
The fastest way to enroll company-owned Apple devices is with Automated Device Enrollment (ADE). Using ADE, you can configure a large number of iOS devices remotely without picking them up.
Prerequisite: You have registered your company and all iOS/iPad devices in Apple Business Manager. You can find further instructions here.
Once all the serial numbers of the Apple devices have been loaded into Apple Business Manager, you can start the configuration. For this, Cortado´s administration portal must firstly be connected to the Apple Business Manager.
Note! Create up to four additional administrator accounts to configure Cortado MDM.
- In the administration portal open Administration→ Settings.
- In the Apple Automated Device Enrollment tab under ADE Certificate,you have the following options (right column):
- Download: Download the ADE certificate here. This is a Cortado generated certificate.
- Renew: You can generate a new ADE certificate here, if necessary (for example, if the old one expires).
- Import: If required, you can import a previously generated certificate here.
- The ADE certificate downloaded in the last step (arrow in upper picture), has to be uploaded to Apple in the next step.
- For this purpose, open the Apple Business Manager under https://business.apple.com/ and log in with your Apple ID.
- Then click in your profile (left arrow in illus.) under Preferences on MDM Server Assignment(middle arrow in illus.).
Then select Add MDM Server (right arrow in illus.).
- Under MDM Server Info enter a name of your choice (e.g.: department, location, user groupe) (upper arrow in illus.).
Note! At this point, you need to add a separate MDM server for each ADE profile you want to add, since a separate server token is needed for each profile.
- Under MDM Server Settings→ Choose File (lower arrow in illus.) select the ADE certificate, that you downloaded in the administration portal under Settings→ ADE→ Download.
- Then save the settings by clicking Save.
- Download your Token now (arrow in illus.). You must load this token into the ADE profile later in the administration portal.
- Then, under Device (left arrow in illus.) select the devices, you want to assign (middle arrow in illus.).
- After this, click on Edit MDM Server (right arrow in illus.).
- Under Assign to the following MDM (arrow in illus.) select your MDM server (or your ADE profile).
- Confirm by clicking on Continue.
Create configuration profile in the administration portal
- In the Cortado administration portal select Settings→ ADE→ Add (arrow in illus.).
Note for Cortado Server! Illustrations may vary slightly.
Configure the ADE profile as follows:
- Mandatory: Specify here whether the use of the profile should be mandatory for the users. If the checkbox is left empty, the users can choose whether to install the ADE profile or to create a profile of their own.
- Verify profile: If this checkbox is enabled, the device configuration can only be completed if all steps required in the Cortado administration portal have been carried out.
- Supervised: Currently, all devices that receive this profile are placed into supervised mode. This is regardless whether this checkbox is crossed or not.
- Enable pairing: If this checkbox is enabled, the user may connect his device to a Mac or a PC and connect to iTunes.
- Shared iPad: Activate this checkbox if an iPad should be used by multiple users. This allows different user profiles to be set up on one iPad. You can find more information on the Apple page.
- Upload token: Select the Select token button and upload the Token from the Apple Business Manager (arrow in illus.).
- Anchore certificate (Cortado Server only!):
- Root certificate: Retain this pre-set selection if you use certificates generated by Cortado Server (self signed) (see the section Encryption (Certificates))
- None: Select this setting if you are using Cortado Server root certificates that were purchased from a public certification authority (e.g. Symantec or Comodo). Apple installs these purchased certificates onto the devices automatically and they don’t need to be rolled out separately via ADE.
- Upload root certificate: Select this setting if you are using root certificates generated by your company-owned certification authority for Cortado Server. (You can find detailed information about certification in the section Encryption (Certificates).)
- Device setup steps: You can specify what steps the user is allowed to make during setup of the device itself. Take note here that when you enable the checkbox Sign in to Apple ID and iCloud, you allow the devices to be used for business as well as for private purposes (COPE). Remove the checkmark if the devices are to be used exclusively for business purposes (COBO). If the checkmark is in place, the user can enter her private Apple ID during the configuration.
- Click on OK to finish configuration.
Users now only have to switch on the devices. The newly created ADE profile will now be automatically used for the device configuration (left illus.). Provided that the devices are new and unused or have been reset to factory settings.
During configuration, the user must enter her user name and password (right illus.). Therefore, before the device can be configured, the user must have been imported into the administration portal. Cortado Server users use their domain credentials.
Note for Cortado MDM! Users must create a password using the invitation email and your email address. Alternatively, you can assign a password for the user during user import.
That means that, during the configuration, the user only needs to carry out the setup steps that you selected under Device setup steps.