Set up company-owned iOS device management

Supported editions for this feature: Frontline Standard; Enterprise Standard and Enterprise Plus; Education Standard, Education Plus, and Endpoint Education Upgrade; Cloud Identity Premium. Compare your edition

As an administrator, you can manage company-owned iPhones and iPads in the Google Admin console alongside other devices you manage there. To do so, you connect Apple Business Manager or Apple School Manager with your Google Workspace or Cloud Identity subscription.

How the Apple Device Enrollment integration works

You integrate Apple Business Manager or Apple School Manager with your Admin console by providing an authorization key or token to each entity. These tokens allow Google endpoint management to push configuration settings from Admin console to the devices through a mobile device management configuration profile and the Google Device Policy app.

The server token you get from Apple expires annually. You must renew the token for devices to sync work data. However, unlike the Apple push notification certificate, you can renew the token after it expires.

Before you begin

  1. Review the device requirements.
  2. Get an account to sign in to your organization's Apple Business Manager or Apple School Manager.
  3. For easiest management, buy iOS devices for your organization through an authorized Apple retailer. To find an authorized Apple retailer, contact Apple Support. The devices are automatically linked to your Apple Business Manager or Apple School Manager.
  4. Turn on advanced mobile management for the organizational unit that will use the devices.

Note: The following steps require that you complete actions in both the Google Admin console and in Apple Business Manager or Apple School Manager with your business or school Apple ID. Make sure you have access to both before you continue.

Step 1: Set up Apple Enrollment

You must be signed in as a super administrator for this task. Admins who have the Mobile Device Management privilege but aren't super admins always see the setup flow, even if your organization is already set up. If they try to download the public key, they get an error message.

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Devicesand thenMobile & endpointsand thenSettingsand theniOS.
  3. Click Apple certificatesand thenSet Up Enrollment.
  4. Click Get public key. The public key downloads to your device.
  5. Open Apple Business Manager or Apple School Manager and sign in with your business Apple ID. In the Device Enrollment Program section:
    1. Click Manage Servers.
    2. If you already set up an MDM Server to use for these devices, click it. Otherwise, create a server.
    3. When prompted, upload the public key you downloaded from the Admin console.
    4. Download the server token from Apple.
  6. Return to the Admin console.
  7. Under Business Apple ID, enter the Apple ID you used to get the token. This entry helps you track which admin did the setup.
  8. Click Upload Server Token, select the token you downloaded from Apple, and click Open.
  9. Click Save & Continue.
  10. The token and its expiration date are now listed on the settings page. Set a calendar reminder to renew the token before it expires.

Step 2: Configure device setup settings

You can control how company-owned iOS devices are set up when a user first signs in. These settings apply to your entire organization.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Devicesand thenMobile & endpointsand thenSettingsand theniOS.
  3. Click Company-owned iOS device setupand thenDevice enrollment settings. To learn more about the settings, see the iOS settings reference.
  4. Click Save.
Changes can take up to 24 hours but typically happen more quickly. Learn more

Step 3: Configure iOS device restrictions

In addition to the settings available to all iOS devices under advanced management, for supervised devices you can control user access to more apps and settings. You can configure these management settings by organizational unit. For example, you can allow users in some organizational units to install apps, but block app installation for other organizational units.

For details on the settings that apply only to supervised devices, see the iOS settings reference.

Step 4: Enroll and distribute company-owned iOS devices for management

  1. Open Apple Business Manager or Apple School Manager and sign in with your business Apple ID.
  2. Assign the devices to the MDM Server you connected to Google endpoint management. The serial numbers of the devices you want to manage through Google endpoint management must already be in the system (entered by your authorized Apple retailer).
    • To assign all devices to the server by default, set the default assignment.
    • To bulk enroll devices, download a CSV file of their serial numbers, then upload the CSV file.
    • To assign devices individually, enter the serial number.

    For details, see the Apple Device Enrollment documentation.

    Note: It can take up to 24 hours for a device to be ready to use after you assign it to the MDM server. 

  3. (Optional) To use the device sooner, manually sync devices in the Admin console. Follow the steps in Manually sync devices

  4. Distribute devices to your users. When users first sign in, they follow an easy setup flow. For details, see Set up a company-owned device.

Manage company-owned iOS devices

Add a company-owned device to Apple Device Enrollment
To add more devices later, use the same process as in step 4 of the preceding section. For details, see the Apple Device Enrollment documentation.
Note: We strongly recommend that you add devices through a certified reseller and Apple Business Manager or Apple School Manager. When you manually add a device to Apple Business Manager or Apple School Manager, users have the option to leave remote management for 30 days after they enroll. If a user leaves, the device is removed from the company-owned inventory within 24 hours and settings that require supervision are no longer applied. The device is then listed as user owned in the Devices list.
Remove a company-owned device from Google endpoint management

If you delete a device from the devices list

The management profile is removed from the device. When a user adds their work account to the device again without a factory-reset, the device is enrolled as unsupervised. You have the management capabilities of advanced mobile management, but settings that only apply to supervised devices aren't enforced.

Wipe a device
As with other iOS devices managed with Google endpoint management, you can remove corporate data from the device by using the Admin console. For instructions, see Remove corporate data from a device.
Note: Account wipe behaves the same as device wipe for company-owned iOS devices. The device is reset to factory settings for both actions.
Reassign a device
iOS devices support only one management profile at a time.
To reassign a device:
  1. Delete the device from the devices list.
  2. Factory reset the device.
  3. Have the new user sign in to the device.
To let a user who has a Google Workspace license that doesn't support Apple Device Enrollment use a device that was enrolled, remove the device from Apple Business Manager or Apple School Manager and factory reset it. Then the new user can sign in.
Manually sync devices
Devices enrolled with Apple Business Manager or Apple School Manager can take up to 24 hours to sync with Google mobile management. However, you can manually initiate a sync any time. This sync can take up to 30 minutes.
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Devicesand thenMobile & endpointsand thenSettingsand theniOS.
  3. Click Apple certificatesand thenSync DEP Devices.

Related articles

 


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

 

Was this helpful?

How can we improve it?

Need more help?

Try these next steps:

Post to the help community Get answers from community members
Contact us Tell us more and we’ll help you get there
true
Start your free 14-day trial today

Professional email, online storage, shared calendars, video meetings and more. Start your free Google Workspace trial today.

Search
Clear search
Close search
Main menu
1109301052795492500
true
Search Help Center
true
true
true
true
true
73010
false
false