Tech Journey with Mishra

Intune

Microsoft Intune is a Microsoft cloud-based unified endpoint management service for both corporate and BYOD devices. It extends some of the “on-premises” functionality of Microsoft Endpoint Configuration Manager to the Microsoft Azure cloud.

iOS

Filters for Managed/Unmanaged Devices

Device type targeting for App Protection/MAM Policy in Intune has now been moved to the Assignments step in policy creation.

Now we can use Filters to target the device type (Managed/Unmanaged) while assigning a MAM policy in Intune.

Follow the steps below to create a Filter for managed or unmanaged devices:

1. Sign in to the Intune admin center and select Tenant administration > Filters > Create.

   You can also create filters in:

   • Devices > Filters
   • Apps > Filters

   Or, go here: Tenant admin – Microsoft Intune admin center

   (It is important to remember that filters are available for:
   Managed devices: devices enrolled in Intune, and
   Managed apps: apps that are managed by Intune (suitable for unenrolled BYOD devices).)

2. Click Create > Managed apps.

3. Enter the filter name and description, and select the platform.

4. Click Next.

5. In Rules, set the deviceManagementType property Equals Unmanaged (for unmanaged devices), as shown in the following screenshot:

(For managed devices, set the deviceManagementType property Equals Managed.)

Click Next and create the filter.

 

Once you have created the filter, go to an App Protection Policy for that platform and assign the filter by clicking Edit filter.

Restrictions:
There are some general restrictions when creating filters:
• For each tenant, there can be up to 200 filters.
• Each filter is limited to 3072 characters.
• For managed devices, the devices must be enrolled in Intune.
• For managed apps, filters apply to app protection policies and app configuration policies. They don’t apply to other policies, like compliance or device configuration profiles.
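The same two managed-app filters (Unmanaged and Managed) can be created from PowerShell through Microsoft Graph instead of the portal, with the 200-filter and 3072-character limits above checked before anything is created. This is an added example, not code from the original post; it assumes the Microsoft.Graph PowerShell SDK is installed and that the beta assignmentFilters property names, platform value and rule syntax used here match the current Graph reference (verify against the docs before running).

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph
# PowerShell SDK and the beta assignmentFilters schema shown here.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All" -NoWelcome

$uri = "https://graph.microsoft.com/beta/deviceManagement/assignmentFilters"

# The two managed-app filters the post creates by hand; the rule targets the
# deviceManagementType property exactly as the portal rule builder does.
$filters = @(
    @{ Name = "iOS-MAM-Unmanaged"; Rule = '(app.deviceManagementType -eq "Unmanaged")' },
    @{ Name = "iOS-MAM-Managed";   Rule = '(app.deviceManagementType -eq "Managed")' }
)

# Restriction from the post: at most 200 filters per tenant.
$existing = @((Invoke-MgGraphRequest -Method GET -Uri $uri).value)
if ($existing.Count + $filters.Count -gt 200) {
    throw "Tenant has $($existing.Count) filters; adding $($filters.Count) would exceed the 200-filter limit."
}

foreach ($f in $filters) {
    # Restriction from the post: a filter's rule is limited to 3072 characters.
    if ($f.Rule.Length -gt 3072) { throw "Rule for $($f.Name) exceeds 3072 characters." }

    # Skip filters that already exist so the script is safe to re-run.
    if ($existing | Where-Object { $_.displayName -eq $f.Name }) {
        Write-Host "Filter '$($f.Name)' already exists, skipping."
        continue
    }

    $body = @{
        displayName                    = $f.Name
        description                    = "Targets $($f.Name) devices for iOS app protection policies"
        platform                       = "iOSMobileApplicationManagement"   # assumption: MAM platform enum value
        assignmentFilterManagementType = "apps"                             # managed apps, not managed devices
        rule                           = $f.Rule
    }
    $created = Invoke-MgGraphRequest -Method POST -Uri $uri -Body $body
    Write-Host "Created filter '$($created.displayName)' with id $($created.id)"
}
```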


Set up the MDM Push Certificate 

An Apple MDM Push certificate is required for Intune to manage Apple devices (iOS/iPadOS & macOS). After we add the certificate to our Intune tenant, our users can enroll their devices using:

  • The Company Portal app or
  • Apple’s bulk enrollment methods like ADE

To set up the MDM Push certificate:

Go to Devices -> Enroll devices -> Apple Enrollment.

Click Apple MDM Push Certificate.

In Step 1, tick the check box I agree (to give Microsoft permission to send data to Apple).

In Step 2, click Download your CSR to download and save the request file locally. (The file is used to request a trust relationship certificate from the Apple Push Certificates Portal.)

Go to Step 3 and click Create your MDM push Certificate to go to the Apple Push Certificates Portal.

Sign in with your Apple ID.

(Record this ID as a reminder for when you need to renew this certificate.)

If you don’t have an Apple ID already, click Create yours now to create one.

Note: Make sure to use or create an Enterprise account rather than a personal Apple ID. Keep in mind that the account you use should be one that can easily be shared or transferred in case the person who set up the MDM push certificate leaves the company or moves teams.

Click Create a Certificate.

Tick the check box I have read and agree to these terms and conditions, and click Accept.

Select Choose File, browse to the CSR (certificate signing request) file downloaded in Step 2, and then choose Upload.

On the Confirmation page, choose Download to download the certificate (.pem) file and save it locally.

Now go back to the Intune portal and, in Step 4, enter the Apple ID used to create your Apple MDM push certificate.

In Step 5, click Select a file under the “Browse to your Apple MDM push certificate to upload” section, select the certificate (.pem) file, choose Open, and then choose Upload.

Your MDM Push certificate setup is complete.

You can check the certificate details by clicking Apple MDM Push certificate.

All the enrollment methods and options are now available to configure.

Note:

1. The Apple MDM push certificate is valid for one year and must be renewed annually to maintain iOS/iPadOS and macOS device management. If your certificate expires, enrolled Apple devices cannot be contacted.

2. When a push certificate expires, you must renew it. When renewing, make sure to use the same Apple ID that you used when you first created the push certificate. If you request a new certificate instead of renewing your existing certificate, you will be forced to unenroll and re-enroll all of your existing iOS devices. 

Renew Apple MDM Push Certificate

In Intune Portal, go to Devices -> Enroll devices -> Apple Enrollment 

Click on Apple MDM Push Certificate

In Step 2, click Download your CSR to download and save the request file locally.

Go to Step 3 and click Create your MDM push Certificate to go to the Apple Push Certificates Portal, or open https://identity.apple.com/pushcert/ directly.

Sign in with the same Apple ID that you used when you first created the push certificate.

Find the certificate you want to renew and select Renew.

On the Renew Push Certificate screen, provide notes to help you identify the certificate in the future, select Choose File to browse to the new request file you downloaded, and choose Upload.

On the Confirmation screen, select Download and save the .pem file locally.

Now go back to the Intune portal and, in Step 4, enter the Apple ID used to create your Apple MDM push certificate.

In Step 5, click Select a file under the “Browse to your Apple MDM push certificate to upload” section, select the certificate (.pem) file, choose Open, and then choose Upload.

Your Apple MDM push certificate appears Active and has 365 days until expiration.

Note: A certificate can be identified by its UID. Examine the Subject ID in the certificate details to find the GUID portion of the UID.

Or, on an enrolled iOS/iPadOS device, go to Settings > General > Device Management > Management Profile > More Details > Management Profile. The second line item, Topic, contains the unique GUID that you can match up to the certificate in the Apple Push Certificates portal.
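Rather than opening the certificate details by hand, the downloaded .pem can be inspected from PowerShell to report the days left on its one-year validity and to pull the GUID out of the Subject for matching against the Topic on an enrolled device. This is an added example, not code from the original post; the file name is assumed, and it assumes the Subject carries the topic in the form com.apple.mgmt.External.<GUID>, which is a format assumption to verify against your own certificate.

```powershell
# Added example (not from the original post). Assumed file name and assumed
# Subject format "com.apple.mgmt.External.<GUID>" for the topic.
param(
    [string]$PemPath = ".\mdm_push.pem",   # assumption: path of the .pem downloaded from Apple
    [string]$DeviceTopic = ""              # optional: Topic value copied from the device's Management Profile
)

# The Apple portal hands out a PEM file; strip the armour and load the DER bytes.
$b64  = (Get-Content -Path $PemPath -Raw) -replace '-----(BEGIN|END) CERTIFICATE-----', '' -replace '\s', ''
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($b64))

# Validity is one year; renewal (with the original Apple ID) must happen before NotAfter.
$daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)

# Topic / UID: the GUID portion is what identifies this certificate (assumed subject format).
$topic = $null; $guid = $null
if ($cert.Subject -match 'com\.apple\.mgmt\.External\.([0-9a-fA-F-]{36})') {
    $topic = $Matches[0]
    $guid  = $Matches[1]
}

[pscustomobject]@{
    Subject  = $cert.Subject
    NotAfter = $cert.NotAfter
    DaysLeft = $daysLeft
    Topic    = $topic
    GUID     = $guid
} | Format-List

if ($daysLeft -le 0) {
    Write-Warning "Certificate expired: enrolled Apple devices cannot be contacted until it is renewed with the original Apple ID."
} elseif ($daysLeft -le 30) {
    Write-Warning "Certificate expires in $daysLeft days: schedule the renewal now."
}

# Optional cross-check against the Topic line shown on an enrolled device.
if ($DeviceTopic) {
    if ($DeviceTopic -eq $topic) { Write-Host "Device Topic matches this certificate." }
    else { Write-Warning "Device Topic '$DeviceTopic' does not match certificate topic '$topic'." }
}
```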


APNS and iOS Device Enrollment

Apple Push Notification service (APNs)
APNs is the Apple service used to push notifications to Apple devices.

APNs workflow:
1. iOS requests a device token from the Apple Push Notification service (APNs).
2. The app receives the token, which functions as the address to which a push notification is sent.
3. The app sends the device token to your server.
4. When prompted, the server sends a push notification with the device token to APNs.
5. APNs delivers the push notification to the user’s device.
 
APNs hosts and ports
If you use a firewall or a private Access Point Name (APN) for cellular data, your Apple devices must be able to connect to specific ports on specific hosts:

• TCP port 5223 to communicate with APNs.
• TCP port 443 or 2197 to send notifications to APNs.
• TCP port 443 is used during device activation, and afterwards as a fallback if devices can’t reach APNs on port 5223.
• IP range: 17.0.0.0/8
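The port and address requirements above can be verified from a Windows host on the same network before rolling out enrollment: each host/port pair is tested, and the resolved address is checked against Apple's 17.0.0.0/8 range, since a name resolving elsewhere points at DNS interception or a proxy rather than a firewall rule. This is an added example, not code from the original post; the host names are assumptions taken from Apple's published APNs requirements (check the current Apple support article), and Test-NetConnection requires Windows PowerShell.

```powershell
# Added example (not from the original post). Host names below are assumed
# from Apple's APNs documentation; verify them against the current article.
$checks = @(
    @{ Host = "1-courier.push.apple.com"; Port = 5223; Purpose = "Device-to-APNs (primary)" },
    @{ Host = "1-courier.push.apple.com"; Port = 443;  Purpose = "Device-to-APNs (fallback / activation)" },
    @{ Host = "api.push.apple.com";       Port = 443;  Purpose = "Provider-to-APNs (notifications)" },
    @{ Host = "api.push.apple.com";       Port = 2197; Purpose = "Provider-to-APNs (alternate port)" }
)

$results = foreach ($c in $checks) {
    $t = Test-NetConnection -ComputerName $c.Host -Port $c.Port -WarningAction SilentlyContinue
    # APNs is served from 17.0.0.0/8; a different first octet suggests DNS
    # interception or a proxy in the path rather than a blocked port.
    $firstOctet = if ($t.RemoteAddress) { $t.RemoteAddress.GetAddressBytes()[0] } else { -1 }
    [pscustomobject]@{
        Host     = $c.Host
        Port     = $c.Port
        Purpose  = $c.Purpose
        Resolved = if ($t.RemoteAddress) { $t.RemoteAddress.IPAddressToString } else { "(unresolved)" }
        InApple8 = ($firstOctet -eq 17)
        TcpOpen  = $t.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize

# 5223 is the port enrolled devices use; 443 is only the fallback, so a failure on
# 5223 alone degrades to the fallback path instead of losing APNs entirely.
$primary = $results | Where-Object { $_.Port -eq 5223 }
if (-not $primary.TcpOpen) { Write-Warning "TCP 5223 blocked: devices will fall back to 443." }
if ($results | Where-Object { -not $_.TcpOpen -and $_.Port -ne 5223 }) { Write-Warning "One or more required APNs ports are blocked." }
if ($results | Where-Object { -not $_.InApple8 }) { Write-Warning "A host resolved outside 17.0.0.0/8: check DNS and proxy configuration." }
```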

An Apple MDM Push certificate is required for Intune to manage iOS/iPadOS and macOS devices. After you add the certificate to Intune, your users can enroll their devices using:
• The Company Portal app
• Apple's bulk enrollment methods like ADE

The Apple MDM push certificate is valid for one year and must be renewed annually to maintain iOS/iPadOS and macOS device management. If your certificate expires, enrolled Apple devices cannot be contacted.

When a push certificate expires, you must renew it. When renewing, make sure to use the same Apple ID that you used when you first created the push certificate. If you request a new certificate instead of renewing your existing certificate, you will be forced to unenroll and re-enroll all of your existing iOS devices.

Steps to get your certificate:
1. Choose Devices > Enroll devices > Apple enrollment > Apple MDM Push Certificate.
2. Select I agree to give Microsoft permission to send data to Apple.
3. Select Download your CSR to download and save the request file locally. The file is used to request a trust relationship certificate from the Apple Push Certificates Portal.
4. Select Create your MDM push Certificate to go to the Apple Push Certificates Portal.
5. Sign in with your company email address Apple ID, and then click Create a Certificate. (Record this ID as a reminder for when you need to renew this certificate.)
6. Select Choose File, browse to the certificate signing request file, and then choose Upload.
7. On the Confirmation page, choose Download to download the certificate (.pem) file, and save the file locally.
8. Go back to the Endpoint portal, enter the Apple ID used to create your Apple MDM push certificate, click Select a file under the “Browse to your Apple MDM push certificate to upload” section, select the certificate (.pem) file, choose Open, and then choose Upload.

Renew Apple MDM push certificate
1. Sign in to the Microsoft Endpoint Manager admin center and choose Devices > Enroll devices > Apple enrollment > Apple MDM Push Certificate.
2. Choose Download your CSR to download and save the request file locally. The file is used to request a trust relationship certificate from the Apple Push Certificates Portal.
3. Select Create your MDM push Certificate to go to the Apple Push Certificates Portal. Find the certificate you want to renew and select Renew.
4. On the Renew Push Certificate screen, provide notes to help you identify the certificate in the future, select Choose File to browse to the new request file you downloaded, and choose Upload.
5. On the Confirmation screen, select Download and save the .pem file locally.
6. In Intune, select the Apple MDM push certificate browse icon, select the .pem file downloaded from Apple, and choose Upload.

Your Apple MDM push certificate appears Active and has 365 days until expiration.

Note: A certificate can be identified by its UID. Examine the Subject ID in the certificate details to find the GUID portion of the UID. Or, on an enrolled iOS/iPadOS device, go to Settings > General > Device Management > Management Profile > More Details > Management Profile. The second line item, Topic, contains the unique GUID that you can match up to the certificate in the Apple Push Certificates portal.
