Getting Started with Apple Business Manager: What IT Teams Actually Need to Know

Jan 8, 2026 | 9 min read | Updated: Mar 8, 2026

Every serious Apple deployment starts with Apple Business Manager. It connects your organization to Apple's device enrollment, identity management, and app distribution — and without it, automated provisioning at scale is impossible. Here is how to get started, what the operational realities look like, and the pitfalls that Apple's own documentation glosses over.

Key Takeaways

  • Apple Business Manager provides three core services: Automated Device Enrollment (formerly DEP), Apps and Books (formerly VPP), and Managed Apple Accounts
  • Configure identity federation on day one — delaying causes Apple ID takeover conflicts that take weeks to resolve on large fleets
  • MDM server tokens and Apps and Books tokens expire annually with warnings that are easy to miss — missed renewals silently break enrollment and app distribution
  • Only devices purchased through authorized Apple resellers appear in ABM automatically — there is no bulk retroactive fix

What Apple Business Manager Does

Apple Business Manager (ABM) is the control plane that connects Apple hardware purchases, identity, and mobile device management. It does not manage devices itself — all configuration and security enforcement happens in your MDM. ABM provides the infrastructure that makes automated, scalable device management possible.

Note: Apple Business Manager is for organizations. Educational institutions use Apple School Manager, which provides the same core capabilities tailored for schools. This guide covers Apple Business Manager only.

It offers three core services:

  • Automated Device Enrollment (formerly DEP) links new devices to your MDM solution automatically. When a user powers on a device for the first time, it contacts Apple's activation servers, gets directed to your MDM, receives its configuration, and is ready to use. No IT hands-on required.
  • Apps and Books (formerly VPP) lets you purchase and distribute apps in volume. Licenses can be assigned to users or devices and revoked when someone leaves or a device is redeployed.
  • Managed Apple Accounts provide your users with organization-owned Apple identities, federated with your identity provider such as Microsoft Entra ID or Google Workspace. These accounts are yours — when an employee leaves, you retain control of the account and its data. This is fundamentally different from personal Apple IDs, which belong to the user.

All three services are free and available to any organization with a D-U-N-S number.

Setting Up Apple Business Manager

Registration requires a D-U-N-S number, a corporate email domain, and verification of your organization's identity. The process takes 1-5 business days. Once approved:

  1. Link your MDM server. Generate an MDM server token in ABM and upload it to your MDM. Set it as the default server so new devices are assigned automatically. This token expires annually — set a calendar reminder the day you generate it.
  2. Configure identity federation. Connect Microsoft Entra ID or Google Workspace to provision Managed Apple Accounts. Do this before users create personal Apple IDs with their work email — domain claiming and Apple ID takeover conflicts are painful to resolve after the fact.
  3. Verify your Apple Customer Number. Work with your authorized Apple reseller to ensure your Apple Customer Number is linked to your ABM instance. This is what makes devices appear in ABM automatically after purchase. Without this link, devices arrive unassigned.
  4. Set up Apps and Books. Generate the Apps and Books token (also annual renewal) and connect it to your MDM. Purchase any required app licenses.

Existing devices not purchased through authorized channels can be added using Apple Configurator on a Mac, but this requires a USB connection and wipes the device. For this reason, it is best to enroll devices in ABM at time of purchase through an authorized reseller.

Managed Apple Accounts

Managed Apple Accounts (formerly Managed Apple IDs) give your users access to iCloud Drive, collaboration features, and Shared iPad without mixing personal and corporate data. The accounts are owned by your organization and can be provisioned automatically through federation with Microsoft Entra ID or Google Workspace.

However, Managed Apple Accounts intentionally disable several consumer Apple ID features to keep corporate and personal identity separate. They cannot use Apple Pay, make personal App Store purchases, or access certain iCloud features. This is by design — the separation protects both the organization and the employee.

The critical decision is federation timing. If you federate on day one, Managed Apple Accounts are provisioned automatically using existing corporate credentials. If you delay, users may create personal Apple IDs with their work email addresses. Reclaiming those domains later triggers Apple ID takeover conflicts that require each affected user to migrate their personal data off the corporate domain. On a fleet of hundreds, this is weeks of support overhead.

Operational Details That Matter

ABM authenticates all connections via tokens, and the operational reality of token management is the most commonly overlooked aspect of ABM administration.

  • MDM server token: Expires annually. If it lapses, new devices stop enrolling automatically. Existing managed devices are not immediately affected, but any device that powers on for the first time will not receive its enrollment profile. ABM's expiry warnings are easy to overlook — set your own calendar reminders.
  • Apps and Books token: Also expires annually. When it lapses, app license assignments fail silently — apps stop being distributed to new devices, and license revocation and reassignment stop working.
  • Device assignment permanence: Once a device serial number is associated with your ABM instance through an authorized purchase, it is tied to your organization. Devices can be released from ABM by administrators, but once released they cannot be re-added through normal purchase channels. Plan for this in device lifecycle and resale scenarios.

A proper MDM implementation addresses all of these from the outset.

Common Pitfalls

  • Buying devices outside authorized channels. Devices purchased from unauthorized resellers, second-hand, or through consumer retail do not appear in ABM and cannot use Automated Device Enrollment. There is no API or bulk method to add them retroactively without wiping each device via Apple Configurator. For organizations building a large Mac fleet, this mistake is expensive.
  • Skipping identity federation. Every week you delay federation is a week where users might create personal Apple IDs with their work email. Domain claiming conflicts are the single most common source of ABM deployment pain.
  • Not setting a default MDM server. If you add an MDM server but don't set it as the default, new devices appear in ABM but are not assigned to any server. They sit unmanaged until someone manually assigns them.
  • Ignoring token renewal. Both the MDM server token and the Apps and Books token expire annually, and ABM's expiry warnings are easy to overlook. When they lapse, the corresponding service stops working silently. Set calendar reminders the day you generate each token.
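
One way to back up the calendar reminders recommended under "Operational Details That Matter" and "Ignoring token renewal" is a scheduled check that reads the expiry date out of each token and flags any inside a warning window. This is an added example, not Axtero's or Apple's code. It assumes the Apps and Books token is base64-encoded JSON with an `expDate` field and that the MDM server token has already been decrypted to JSON with an `access_token_expiry` field; the function names and all sample values are constructed for illustration.

```python
import base64
import json
from datetime import datetime, timezone

# Assumed layouts (not from the article): the Apps and Books token file is
# base64-encoded JSON carrying "expDate"; the decrypted MDM server token is
# JSON carrying "access_token_expiry".
EXPIRY_FIELD = {"apps_and_books": "expDate", "mdm_server": "access_token_expiry"}


def token_expiry(kind, raw):
    """Return the token's expiry as a timezone-aware UTC datetime."""
    if kind == "apps_and_books":
        raw = base64.b64decode(raw).decode("utf-8")
    stamp = json.loads(raw)[EXPIRY_FIELD[kind]]
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S%z").astimezone(timezone.utc)


def renewal_report(tokens, now, warn_days=30):
    """Map each (name, kind, raw) token to (name, status, whole days left)."""
    report = []
    for name, kind, raw in tokens:
        try:
            expires = token_expiry(kind, raw)
        except (KeyError, TypeError, ValueError):
            # A token that cannot be read is reported, never assumed healthy.
            report.append((name, "UNREADABLE", None))
            continue
        days_left = (expires - now).days
        if expires <= now:
            status = "EXPIRED"
        elif days_left < warn_days:
            status = "RENEW"
        else:
            status = "OK"
        report.append((name, status, days_left))
    return report


# Constructed sample data: no real token material.
NOW = datetime(2026, 3, 8, tzinfo=timezone.utc)
SAMPLE_TOKENS = [
    ("apps-and-books", "apps_and_books", base64.b64encode(json.dumps(
        {"token": "CONSTRUCTED", "expDate": "2026-03-20T09:00:00-0700"}).encode()).decode()),
    ("mdm-primary", "mdm_server", json.dumps({"access_token_expiry": "2027-01-08T00:00:00Z"})),
    ("mdm-lab", "mdm_server", json.dumps({"access_token_expiry": "2025-12-01T00:00:00Z"})),
    ("mdm-old-export", "mdm_server", "{}"),
]

if __name__ == "__main__":
    for row in renewal_report(SAMPLE_TOKENS, NOW):
        print(row)
```

Treat the token files themselves as secrets: run the check where they are already stored and send only the name, status, and days remaining to your alerting channel.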

ABM in Switzerland

Apple Authorized Enterprise Resellers in Switzerland automatically register purchased device serial numbers in ABM when your Apple Customer Number is linked to the reseller account. Verify this link with your reseller before your first order — not after devices arrive unassigned. For organizations in Liechtenstein, the same ABM instance covers both countries.

Organizations operating across Switzerland and the EU face an additional consideration: Managed Apple Account federation must cover all identity domains used across jurisdictions. If your Swiss entity uses a different email domain than your EU entities, each domain must be verified and claimed in ABM separately.

For regulated industries — healthcare, finance, public sector — ABM's identity federation and device supervision capabilities are prerequisites for meeting Swiss and EU compliance requirements around device management and data separation.

If you are transitioning from a consumer Apple setup to enterprise management, registering for ABM and configuring your reseller link is the essential first step.

From ABM to Zero-Touch Apple Deployment

ABM is the starting point, not the destination. Combined with MDM automation, devices can be shipped directly from Apple to the employee and configured automatically on first boot — zero-touch deployment.

The full chain works like this:

  1. Apple ships the device to the employee.
  2. The device powers on and contacts Apple's activation servers.
  3. Apple redirects the device to ABM.
  4. ABM assigns it to your MDM server.
  5. The MDM pushes configuration, apps, and security policies.
  6. The user signs in with their Managed Apple Account.
  7. The device is ready.

No IT hands-on. No staging area. No shipping devices to headquarters first. This is what ABM enables when configured correctly — and why getting the foundation right matters.

Frequently Asked Questions

Is Apple Business Manager free?
Yes, Apple Business Manager is completely free. All three services — Automated Device Enrollment, Apps and Books, and Managed Apple Accounts — are available at no cost to any organization with a valid D-U-N-S number.
Can I add existing devices to Apple Business Manager?
Yes, existing Apple devices can be added to ABM using Apple Configurator on a Mac. The device must be connected via USB and will be wiped during the process. For this reason, it is best to enroll devices in ABM at time of purchase through an authorized reseller.
Does Apple Business Manager manage devices?
No. Apple Business Manager only handles device assignment, identity infrastructure, and app licensing. All device configuration, security enforcement, and ongoing management is performed by your MDM solution.
Do I need Apple Business Manager to use an MDM?
Technically no, but without ABM you lose Automated Device Enrollment (zero-touch setup), volume app purchasing, and Managed Apple Accounts. For any organization managing more than a handful of Apple devices, ABM is essential.
What happens when MDM server tokens expire?
New devices stop enrolling automatically. Existing managed devices are not immediately affected, but any device that powers on for the first time will not receive its MDM enrollment profile. Renew the token in ABM and re-upload it to your MDM before expiry.

Apple Technical Partner

As an Apple Technical Partner, Axtero has trained technical staff that specialize in consulting and technology services for business customers on the Apple platform.