XenMobile Server

Deploy devices through the Apple Deployment Program

Apple has device enrollment programs for business and education accounts. For business accounts, you enroll in the Apple Deployment Program to use the Apple Business Manager (ABM) or Apple School Manager (ASM) for device enrollment and management in XenMobile. That program is for iOS, iPadOS, and macOS devices.

The Apple Deployment Program is available for organizations, not individuals. You must provide a considerable amount of corporate information to create an Apple Deployment Program account, so requesting and receiving approval for accounts can take time.

For education accounts, you create an Apple School Manager account. ASM unifies the Apple Deployment Program and Apple volume purchase. To create an Apple School Manager account, go to the Apple School site.

Enroll in the Apple Deployment Program

To enroll in Apple Business Manager, go to business.apple.com. Click Enroll now to apply for a new account. The best practice is to use an email address for your organization, such as deployment@company.com. The enrollment process can take a few days. After you receive your logon credentials, follow the steps provided in the Apple Business Manager to create an account.

Note:

For education accounts, see Integrate with Apple Education features.

Connect your Apple Business Manager account with XenMobile

To connect your Apple Business Manager account with your XenMobile deployment, enter information in the XenMobile console and Apple Business Manager. Follow these steps:

Step 1: Download a public key from your XenMobile Server

  1. In the XenMobile console, go to Settings > Apple Deployment Program.

  2. Under Download Public Key, click Download.

Step 2: Create and download a server token file from your Apple account

  1. Sign in to Apple Business Manager using an administrator or device enrollment manager account.
  2. At the bottom of the sidebar, click Settings and then click Device Management Settings > Add MDM Server.

  3. In the MDM Server Name setting, type a name for the XenMobile Server. The server name that you type is for your reference. It’s not the server URL or name.
  4. Under Upload Public Key, click Choose File. Upload the public key that you downloaded from XenMobile and then save the changes.
  5. Click Download Token to download the server token file to your computer.

    You must upload the server token file when adding the ABM account to XenMobile. Your ABM token information appears in the XenMobile console after you import the token file.

  6. Under Default Device Assignment, click Change. Choose how you want to assign devices and then provide the information requested. For information, see the ABM User Guide.

Step 3: Add an ABM account to XenMobile

You can add multiple ABM accounts to XenMobile. This feature enables you to use different enrollment settings and setup assistant options by country, department, and so on. You then associate ABM accounts with different device policies.

For example, you might centralize all of your ABM accounts from different countries on the same XenMobile Server, to import and supervise all ABM devices. By customizing enrollment settings and setup assistant options per department, organizational hierarchy, or other structure, policies provide appropriate functionality across your organization, and users receive the appropriate assistance.

  1. In the XenMobile console, go to Settings > Apple Deployment Program and, under Add Apple Deployment Program Account, click Add.

  2. In the Server Tokens page, specify your server token file and then click Upload.

    Your server token information appears.

  3. In the Account Info page, specify these settings:

    • Apple Deployment Program account name: A unique name for this Apple Deployment Program account. Use names that reflect how you organize Apple Deployment Program accounts, such as by country or organizational hierarchy.
    • Business/Education unit: The business unit or department to which the device is assigned. This field is required.
    • Unique service ID: An optional unique ID to help you further identify the account.
    • Support phone number: A support phone number that users call for help during setup. This field is required.
    • Support email address: An optional support email address available to end users.
    • Education suffix: For ASM accounts. Type the suffix assigned to devices enrolled through this account.
  4. In iOS Settings, specify these settings:

    Enrollment settings

    • Require device enrollment: Whether to require users to enroll their devices. The default is Yes.
    • Require credentials for device enrollment: Whether to require users to enter their credentials during ABM setup. Citrix recommends that you require all users to enter their credentials during device enrollment, thus allowing only authorized users to enroll devices. The default is Yes.

      When you enable ABM before first-time setup and you don’t select this option, XenMobile creates the ABM components, such as the ABM user, Secure Hub, software inventory, and the ABM deployment group. If you do select this option, XenMobile doesn’t create the components. As a result, if you later clear this option, users who haven’t entered their credentials can’t enroll in ABM because these ABM components don’t exist. To add the ABM components in that case, disable the ABM account and enable it again.

    • Wait for configuration to complete setup: Whether to require users’ devices to remain in Setup Assistant mode until all MDM resources deploy to the device. This setting is available for devices in supervised mode. The default is No.

      Apple documentation states that the following MDM commands might not work while a device is in Setup Assistant mode:

      • InviteToProgram
      • InstallApplication
      • ApplyRedemptionCode
      • InstallMedia
      • RequestMirroring
      • DeviceLock

    Device settings

    • Supervised mode: Must be set to Yes if you are using the Apple Configurator to manage ABM enrolled devices or when Wait for configuration to complete setup is enabled. The default is Yes. For details on placing an iOS device in supervised mode, see To place an iOS device in Supervised mode by using the Apple Configurator.
    • Allow enrollment profile removal: Whether to allow devices to use a profile that you can remove remotely. The default is No.
    • Allow device pairing: For devices enrolled through ABM, whether you can manage them through Apple Music and the Apple Configurator. The default is No.

    Required minimum version

    • Allow old devices to enroll: If enabled, devices can enroll even if they can’t upgrade to the current required minimum version. The default is On. This option is available only on iOS 17.0 and later.
    • Specified version option: Whether the admin can enter the required version manually instead of choosing it from the list. The default is Off. This option is available only on iOS 17.0 and later.
    • Available iOS versions: Choose the required minimum version from the list of available iOS versions. If a device has an iOS version lower than that version, the update process starts on the device. If the chosen version later expires, the lowest version in the available list is used instead. The default is None; when set to None, this option has no effect. This option is available only on iOS 17.0 and later.
    • Specified version: The required minimum version, entered manually. If a device has an iOS version lower than that version, the update process starts on the device. If the specified version later expires, the lowest version in the available list is used instead. Make sure that you enter the correct version number to prevent unexpected errors.
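    As an added illustration (not XenMobile code), the following Python models how the Required minimum version options combine into an enrollment decision: the selected version, the fallback to the lowest available version when the selection has expired, and the Allow old devices to enroll switch. The `can_upgrade` input (whether the device can reach the minimum at all) and the sample version lists are assumptions constructed for the example.

```python
# Added example, not Citrix code: models the "Required minimum version"
# decision described above. Version strings such as "17.0.3" are compared
# numerically, never as text (so "17.10" is newer than "17.9").
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn '17.0.3' into (17, 0, 3); '17' becomes (17, 0, 0).

    Raises ValueError for malformed input, which is the check an admin
    typing a Specified version manually relies on.
    """
    parts = [int(p) for p in v.strip().split(".")]
    if not 1 <= len(parts) <= 3 or any(p < 0 for p in parts):
        raise ValueError(f"invalid version: {v!r}")
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def effective_minimum(selected: Optional[str], available: Sequence[str]) -> Optional[str]:
    """Resolve the minimum version that is actually enforced.

    None (the default) means the option has no effect. If the selected
    version is no longer in the available list (it has expired), the lowest
    version still available is used instead, as the documentation describes.
    """
    if selected is None:
        return None
    if selected in available:
        return selected
    if not available:
        return None
    return min(available, key=parse_version)


@dataclass
class Decision:
    action: str             # "enroll", "update" or "reject"
    target: Optional[str]   # version the device is asked to update to, if any


def evaluate_device(device_version: str, selected: Optional[str],
                    available: Sequence[str], allow_old_devices: bool,
                    can_upgrade: bool) -> Decision:
    """Decide what happens to one device at ABM enrollment.

    can_upgrade is an assumed input: whether the device can reach the
    minimum version at all (an old model may not be able to).
    """
    minimum = effective_minimum(selected, available)
    if minimum is None or parse_version(device_version) >= parse_version(minimum):
        return Decision("enroll", None)
    if can_upgrade:
        return Decision("update", minimum)   # update process starts on the device
    # Device cannot reach the minimum: "Allow old devices to enroll" decides.
    return Decision("enroll" if allow_old_devices else "reject", None)
```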

    Supervision Identities

    If you use the GroundControl tool, you can add a certificate to do the following:

    • Override pairing restrictions to avoid the “Trust this host” prompt.
    • Escalate managed device actions over USB to do activities such as profile installation without user interaction. Doing so allows GroundControl to enable single app mode and device lock for checkout.
    • Restore a backup to ABM devices.

    For more information on GroundControl, see The GroundControl website.

  5. In macOS Settings, specify these settings:

    Enrollment settings

    • Require device enrollment: Whether to require users to enroll their devices. The default is Yes.
    • Wait for configuration to complete setup: If Yes, the macOS device doesn’t continue in the Setup Assistant until the MDM passcode resource is deployed to the device. That deployment occurs before the local account is created. This setting is available for macOS 10.11 and higher devices. The default is No.

    Device settings

    • Allow enrollment profile removal: Whether to allow devices to use a profile that you can remove remotely. The default is No.
  6. In iOS Setup Assistant Options, select the steps that the iOS Setup Assistant skips when users start their devices the first time. When a screen is skipped, the related feature uses default settings. Users can configure the skipped features after setup completes unless you restrict access to those features completely. For more information about restricting access to features, see Restrictions device policy. The default for all items is cleared. The following descriptions explain what occurs when a setting is selected.

    • Location services: Prevents users from setting up the location service on the device.
    • Touch ID: Prevents users from setting up Touch ID or Face ID on iOS devices.
    • Passcode lock: Prevents users from setting up a passcode for the device. If no passcode exists, users can’t use Touch ID or Apple Pay.
    • Set up as new or restore: Prevents users from setting up the device as new or from an iCloud or Apple App Store backup.
    • Move from Android: Prevents users from transferring data from an Android device to an iOS device. This option is available only when Set up as new or restore is selected (that is, the step is skipped).
    • Apple ID: Prevents users from setting up a Managed Apple ID account for the device.
    • Terms and conditions: Prevents users from reading and accepting terms and conditions for use of the device.
    • Apple Pay: Prevents users from setting up Apple Pay. If this setting is cleared, users must set up Touch ID and Apple ID. Make sure that those settings are cleared.
    • Siri: Prevents the user from configuring Siri.
    • App analytics: Prevents users from setting up whether to share crash data and usage statistics with Apple.
    • Display zoom: Prevents users from setting up the display resolution (either standard or zoomed) on iOS devices.
    • True Tone: Prevents users from setting up four-channel sensors to dynamically adjust the white balance of the display.
    • Home button: Prevents users from setting up the Home button style of feedback.
    • New feature highlights: Prevents users from seeing screens that display information about new features of Apple software.
    • Privacy: Prevents users from seeing the Data and Privacy pane. For iOS 11.3 and later.
    • Software update: Prevents users from updating iOS to the latest version. For iOS 12.0 and later.
    • Screen Time: Prevents users from enabling Screen Time. For iOS 12.0 and later.
    • SIM setup: Prevents users from setting up a cellular plan. For iOS 12.0 and later.
    • iMessage & FaceTime: Prevents users from enabling iMessage and FaceTime. For iOS 12.0 and later.
    • Appearance: Prevents users from selecting the appearance mode. For iOS 13.0 and later.
    • Welcome: Prevents the user from seeing the Get Started screen. For iOS 13.0 and later.
    • Restore completed: Prevents users from seeing whether a restore completes during setup. For iOS 14.0 and later.
    • Update completed: Prevents users from seeing whether a software update completes during setup. For iOS 14.0 and later.

    The ABM account appears on Settings > Apple Deployment Program.

  7. In macOS Setup Assistant Options, select the steps that the macOS Setup Assistant skips when users start their devices the first time. When a screen is skipped, the related feature uses default settings. Users can configure the skipped features after setup completes unless you restrict access to those features completely. For more information about restricting access to features, see Restrictions device policy. The default for all items is cleared. The following descriptions explain what occurs when a setting is selected.

    • Set up as new or restore: Prevents users from setting up the device as new, restoring it from a Time Machine backup, or performing a system migration.
    • Location services: Prevents users from setting up the location service on the device. For macOS 10.11 and later.
    • Apple ID: Prevents users from setting up a Managed Apple ID account for the device.
    • Terms and conditions: Prevents users from reading and accepting terms and conditions for use of the device.
    • Siri: Prevents the user from configuring Siri. For macOS 10.12 and later.
    • FileVault: Use FileVault to encrypt the startup disk. XenMobile only applies the FileVault setting if the system has a single local user account and that account is signed into iCloud.

      You can use the macOS FileVault Disk Encryption feature to protect the system volume by encrypting its contents (https://support.apple.com/en-us/HT204837). If you run the Setup assistant on a late-model portable Mac that doesn’t have FileVault turned on, you might be prompted to turn on this feature. The prompt appears on both new systems and systems upgraded to OS X 10.10 or 10.11, but only if the system has a single local administrator account and that account is signed into iCloud.

    • App analytics: Prevents users from setting up whether to share crash data and usage statistics with Apple.
    • Privacy: Prevents users from seeing the Data and Privacy pane. For macOS 10.13 and later.
    • iCloud Analytics: Prevents users from choosing whether to send diagnostic iCloud data to Apple. For macOS 10.13 and later.
    • iCloud Documents and Desktop: Prevents users from setting up iCloud Desktop and Documents. For macOS 10.13 and later.
    • Appearance: Prevents users from selecting the appearance mode. For macOS 10.14 and later.
    • Accessibility: Prevents the user from hearing VoiceOver automatically. Only available if the device is connected to Ethernet. For macOS 11 and later.
    • Biometric: Prevents the user from setting up Touch ID and Face ID. For macOS 10.12.4 and later.
    • True Tone: Prevents users from setting up four-channel sensors to dynamically adjust the white balance of the display. For macOS 10.13.6 and later.
    • Apple Pay: Prevents users from setting up Apple Pay. If this setting is cleared, users must set up Touch ID and Apple ID. Make sure that the Apple ID and Biometric settings are cleared. For macOS 10.12.4 and later.
    • Screen Time: Prevents users from enabling Screen Time. For macOS 10.15 and later.

    • Local account setup options: Specify the settings to create an administrator account on the device. Users log in to their macOS device with this information. XenMobile creates the account, using the specified information.
      • Create primary account as a standard user: Instead of granting this user administrator privileges on the device, XenMobile creates the user with standard permissions. Because macOS requires an administrator account, XenMobile creates an administrator account first, then makes a new standard account and sets it as primary.
      • Admin full name: Type the name that the system displays for the administrator account.
      • Admin short name: Type the name that the device displays for the home folder and in the shell.
      • Admin password: Type a secure password for the administrator account.
      • Show administrator account in Users and Groups: If cleared, the administrator account doesn’t appear in Users and Groups in the macOS settings. If you create the primary account as a standard user, enable this setting to hide the administrator account XenMobile creates first.

Order Deployment Program enabled devices

You can order Deployment Program enabled devices directly from Apple or Deployment Program enabled authorized resellers or carriers. To order from Apple, provide your Apple Customer ID in the Apple Deployment Program Portal. Your Customer ID enables Apple to associate your purchased devices with your Apple Deployment Program account.

To order from your reseller or carrier, contact your Apple reseller or carrier to check if they participate in the Apple Deployment Program. Ask for the Apple Deployment Program ID of the reseller when purchasing devices. Apple requires that information when you add your Apple Deployment Program reseller to your Apple Deployment Program account. After you add the Apple Deployment Program ID for the reseller, you receive a Deployment Program customer ID. Provide the Deployment Program customer ID to the reseller, who uses the ID to submit information about your device purchases to Apple. For more information, see this Apple Use Device Enrollment site.

Manage Deployment Program enabled devices

After your order ships, you can associate iOS, iPadOS, and macOS devices with your XenMobile Server.

  1. Sign in to Apple Business Manager using an administrator or device enrollment manager account.
  2. In the sidebar, click Devices. Devices you purchased directly from Apple appear automatically. To assign devices from Apple Configurator 2 to Apple Business Manager, see Apple Business Manager User Guide.
  3. In the list, select a device or the total number of devices and click Edit Device Management. You have two options:
    • To assign a device to an MDM server, under Assign to Server, choose the name of your XenMobile Server. Click Continue.

      To assign new devices to the Apple Business Manager in bulk, set a default XenMobile Server for deployment. For more information, see Set a default server for bulk enrollment.

    • To unassign a device from the XenMobile Server, choose Unassign.

Your Apple Deployment Program devices are now associated with the selected XenMobile Server.

If you send in an iOS, iPadOS, or macOS device for servicing, you need to remove the device from the Apple Business Manager. When you receive the serviced device back, you must reassign the device to the XenMobile Server. When you replace the device, you can assign a new device to the XenMobile Server using an order number.

To review the history of assigned devices:

  1. Sign in to Apple Business Manager using an administrator or device enrollment manager account.
  2. In the sidebar, click Assignment History. Then choose an assignment to view more information.
  3. Click Download to download a CSV file with the serial numbers of all assigned and unassigned devices.

You can remove iOS, iPadOS, and macOS devices from the Apple Business Manager if the device has been sold, stolen, or can’t be repaired.

  1. Sign in to Apple Business Manager using an administrator or device enrollment manager account.
  2. In the sidebar, click Devices and search for a device.
  3. Select a device and click Release Device. In the dialog box, confirm your changes to remove the device from the program. To add iOS and iPadOS devices back, use Apple Configurator 2. You can’t add macOS devices back with Apple Configurator 2.