Connect existing Apple company devices to an MDM: A guide

Apple devices have established themselves as popular work tools thanks to their ease of use and many practical features. Accordingly, many companies already have a stock of existing Apple devices, some of which employees may also use privately. Regardless of how an Apple device is used for work, it must be protected by an MDM (Mobile Device Management) system. In this article, we show you how to get existing devices into one.

 

Connect Apple devices to MDM via Apple Business Manager

In addition to integrating existing Apple devices, companies can purchase Apple devices directly as corporate devices from Apple or from an authorized reseller or carrier, quoting their Apple Business Manager Organization ID. Such devices are added to Apple Business Manager automatically (Automated Device Enrollment, formerly the Device Enrollment Program, DEP) and assigned to the company. The connection to the MDM is then established via Apple Business Manager or Apple School Manager.

In Apple Business Manager/School Manager, the MDM server is first added (the MDM's public key is uploaded and a server token is downloaded in return) and the devices are assigned to it. The APNs push certificate, which allows the MDM to notify devices that commands are waiting, is not issued by Business Manager but by the Apple Push Certificates Portal; it is uploaded to the MDM. Next come the server token (often still called the DEP token), which lets the MDM list and configure the devices assigned to it, and the Apps and Books (VPP) location token, which is used to distribute apps. All three expire after one year and must be renewed in time: with an expired APNs certificate, devices no longer receive MDM commands until a new certificate is in place (renewing it with the same Apple ID keeps the push topic, so devices do not have to be re-enrolled). We have compiled detailed instructions for you on our YouTube channel.

 

Bringing existing Apple devices into MDM: Why is this necessary?

One might assume that hardly any company actually needs to bring existing Apple devices into an MDM. In practice, however, we frequently encounter such cases, either because companies were not aware that Apple devices can be purchased directly as Automated Device Enrollment (DEP) devices, or because employees are expected to keep working with their existing devices after MDM is introduced. The latter is especially common in smaller companies.

In addition, continuing to use existing Apple devices saves not only money but also resources. An MDM protects devices against data loss and security breaches by enforcing policies: the MDM generates a configuration profile for each device, containing the restrictions and settings (and the managed apps) that the administrator has defined, and pushes it to the device. Each device can have its own profile with individual settings. The big advantage is that all of this is managed centrally; users do not have to configure anything on the device themselves, which prevents mistakes or forgotten settings.

If the settings change, the changes are also sent centrally to the devices via MDM, so everything stays up to date. These advantages apply not only to newly purchased devices but equally to existing Apple devices, which is why these should be integrated into an MDM as well.
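To make the "profile" from the previous paragraphs concrete, here is an added example (not MobiVisor or Apple code) that builds a minimal iOS restrictions profile as a .mobileconfig plist and audits it against a minimum policy before it is deployed. The payload keys are Apple's documented `com.apple.applicationaccess` restriction keys; the `REQUIRED` policy, the organization name and the `com.example` identifiers are assumptions chosen for the example. The managed-open-in keys are the mechanism that keeps company data in managed apps and personal data out of them, which is the separation the GDPR discussion below relies on.

```python
"""Build and audit an iOS restrictions configuration profile (.mobileconfig).

Added example, not vendor code. Payload keys are Apple's com.apple.applicationaccess
restriction keys; REQUIRED is an assumed company minimum policy, not an Apple default.
"""
import plistlib
import uuid

# Assumption: the company's minimum policy for any device that holds company data.
REQUIRED = {
    "allowOpenFromManagedToUnmanaged": False,  # company data may not be opened in personal apps
    "allowOpenFromUnmanagedToManaged": False,  # personal documents may not enter managed apps
    "allowManagedAppsCloudSync": False,        # managed app data stays out of the personal iCloud
    "forceEncryptedBackup": True,              # local backups must be encrypted
    "allowUntrustedTLSPrompt": False,          # users cannot click through bad TLS certificates
}


def restrictions_payload(settings, org="Example Corp"):
    """One com.apple.applicationaccess payload carrying the given restriction keys."""
    payload = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadIdentifier": f"com.example.restrictions.{uuid.uuid4()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": f"{org} restrictions",
    }
    payload.update(settings)
    return payload


def build_profile(settings, org="Example Corp", removal_disallowed=True):
    """Wrap the payload in a top-level Configuration profile; return the plist XML bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.profile.restrictions",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": f"{org} device policy",
        "PayloadOrganization": org,
        # Prevents the user from removing the profile (enforced on supervised devices).
        "PayloadRemovalDisallowed": removal_disallowed,
        "PayloadContent": [restrictions_payload(settings, org)],
    }
    return plistlib.dumps(profile)


def audit_profile(mobileconfig_bytes, required=REQUIRED):
    """Return {key: (expected, actual)} for every policy item the profile does not meet.

    A missing restriction key is a finding too (actual is None): iOS then applies
    Apple's permissive default for that key, which is usually 'allowed'.
    """
    profile = plistlib.loads(mobileconfig_bytes)
    effective = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            effective.update({k: v for k, v in payload.items() if not k.startswith("Payload")})
    findings = {
        key: (want, effective.get(key))
        for key, want in required.items()
        if effective.get(key) != want
    }
    if profile.get("PayloadRemovalDisallowed") is not True:
        findings["PayloadRemovalDisallowed"] = (True, profile.get("PayloadRemovalDisallowed"))
    return findings


if __name__ == "__main__":
    hardened = build_profile(REQUIRED)
    # A profile copied from a test device: one key set wrongly, the rest missing.
    weak = build_profile({"allowUntrustedTLSPrompt": True}, removal_disallowed=False)
    print("hardened profile findings:", audit_profile(hardened))
    print("weak profile findings:", audit_profile(weak))
```

Run the audit against the .mobileconfig exported from the MDM rather than against the MDM's web UI: what the device enforces is the plist it receives, and a key that is merely absent silently falls back to Apple's permissive default.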

 

Different usage scenarios for existing Apple devices within the company

As with Android devices, there are several usage scenarios for Apple devices: privately owned devices that are also used for work (Bring Your Own Device, BYOD), company-owned devices that may also be used privately, and devices used exclusively for work. If the existing devices are not integrated into Apple Business Manager and an MDM, all of these scenarios share the same problem: private data cannot be cleanly separated from company data. GDPR-compliant handling of company data therefore cannot be assumed, a factor that should not be neglected even in small businesses.

Before you can begin integrating devices into an MDM and managing them with Apple Business Manager, you must first purchase MDM licenses and register with Apple Business Manager. We have explained how to do this in a detailed tutorial.

 

Integrate Apple BYOD devices into the MDM

In practice, with BYOD devices, it’s often the case that employees can choose a device at the start of their employment with the company, which they can use primarily for personal purposes as a benefit. It’s less common for employees to then use the iPhone or iPad they were already using privately in a work context.

At IOTIQ, we do not recommend the latter option: an existing Apple device may not meet the requirements of the task (for example, a still-supported iOS version), or it may not have been kept up to date, so the risk of a data breach is higher. Apple BYOD devices do not have to be purchased through an Apple-authorized reseller that registers them in Apple Business Manager; companies can order them from any reseller of their choice. This is particularly helpful if you only want to equip a few employees, as the detour via a system vendor is often not worthwhile. For this reason, BYOD devices are not connected to Apple Business Manager by default. The advantage of Apple BYOD devices is that they do not have to be converted into supervised corporate devices in order to connect them to an MDM, which simplifies the whole process considerably.

Integrating existing Apple BYOD devices in four steps:

1. The user searches for the MDM client app, for example MobiVisor MDM, in the App Store and downloads it.
2. The user opens the app and logs in using the username and password or QR code from the MDM. To do this, the admin must have previously stored a user list in the MDM. Learn how to create new users on our Help page.
3. After successful login, the user is redirected to download the configuration profile. Once the download completes, "Profile Downloaded" appears at the top of the Settings app.
4. The user taps "Profile Downloaded" and selects "Install."

The device is then connected. A detailed tutorial can be found on our YouTube channel. This is Apple's User Enrollment: the device stays private and the company has no access to the personal part of it. The MDM sees only the managed apps and data, which iOS stores in a separate, cryptographically isolated volume together with a separate iCloud Drive for work; the MDM cannot read the personal apps, cannot wipe the whole device (only remove the managed data), and does not even receive the device's serial number or UDID. Note that User Enrollment requires a Managed Apple ID for the user, created in Apple Business Manager, so these accounts must exist before step 2.

Bringing existing Apple devices into MDM for work devices used for private purposes

In addition to BYOD, companies may purchase Apple devices for work purposes but allow employees to use them privately as well. In this case the device remains company property and must be returned when the employment relationship ends. For Apple devices not yet integrated into an MDM, a typical setup is that the business Apple ID is used for iCloud, contacts, calendars, photos and iMessage, while a private Apple ID is used for the App Store, for example.

If such existing Apple devices are to be brought into MDM, the following must be done:

1. Back up any data that must be kept, then reset the devices (Apple Configurator erases them during preparation in any case).
2. Install Apple Configurator: "Apple Configurator 2" on a Mac, or the "Apple Configurator" app on an iPhone.
3. Mac: connect the iPhone or iPad to be converted with a cable. iPhone: the device to be converted must show the first Setup Assistant screen; point the Configurator iPhone's camera at the animated image it displays.
4. In Apple Configurator 2: select the device → "Prepare".
5. Select the option "Add to Apple School Manager or Apple Business Manager".
6. Sign in with an ABM account that has the Administrator or Device Enrollment Manager role.
7. The device appears in ABM and is assigned to the MDM server (automatically if a default MDM server is configured, otherwise manually).
8. The device is now supervised and, once it has enrolled via ABM, remains so permanently. Apple grants a 30-day provisional period for devices added this way: during these 30 days the user can remove the device from management and from ABM ("Leave Remote Management" in Settings); after that the assignment is permanent.
9. Run the Setup Assistant again.

When the device restarts, it is automatically set up with all MDM profiles. Despite this procedure, a private Apple ID can still be added, for example for the App Store, provided the MDM restrictions allow it (account modification not blocked).

Bring pure corporate devices into the MDM

Of course, it is also possible to use Apple devices only for work and not to allow private Apple IDs at all. The starting point is similar to the case described above: the existing Apple devices were set up manually with a company Apple ID. There is no private account on the devices; instead, the employee's work email address was used to create the company Apple ID. Since that account was not created via Apple Business Manager, it is not a Managed Apple ID. Apple does not convert an existing Apple ID into a managed one; instead, a new Managed Apple ID is created for the user in Apple Business Manager.

How do you bring existing Apple devices that are only intended for work use into an MDM?

1. Here, too, an ABM account must first be created and linked to the MDM.
2. The devices must be added to Apple Business Manager manually. They can be reset in advance; otherwise Apple Configurator erases them during conversion to an Automated Device Enrollment (DEP) device.
3. Install Apple Configurator: "Apple Configurator 2" on a Mac, or the "Apple Configurator" app on an iPhone.
4. Mac: connect the iPhone or iPad to be converted with a cable. iPhone: with the device to be converted on its first Setup Assistant screen, scan the animated image it displays.
5. In Apple Configurator 2: select the device → "Prepare".
6. Select the "Add to Apple School Manager or Apple Business Manager" option.
7. Sign in with an ABM account that has the Administrator or Device Enrollment Manager role.
8. The device appears in ABM and is assigned to the MDM server.
9. The device is supervised and will stay supervised permanently; during Apple's 30-day provisional period the user can still remove it from management and ABM, after which the assignment is permanent.
10. Run the Setup Assistant again.

When the device restarts, it is automatically set up with all MDM profiles. The Managed Apple ID belongs to the company and is not linked to any personal iCloud account. If the MDM restricts the App Store, only apps assigned through Apps and Books (VPP) can be installed on such a device.
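Both Apple Configurator procedures above (company devices also used privately, and pure work devices) end with the device in Apple Business Manager, where the MDM attaches an Automated Device Enrollment profile that decides how the Setup Assistant in the last step behaves. The following added example (not MobiVisor or Apple code) builds such a profile for company-owned devices and checks the settings that determine whether the user can escape management. The field names are those of Apple's device enrollment (DEP) API "define profile" request; the policy in `check_enrollment_profile`, the enrollment URL, the organization and the serial number are constructed assumptions. It also computes when the 30-day provisional period mentioned in the steps ends.

```python
"""Define and check the Automated Device Enrollment (DEP) profile an MDM registers
in Apple Business Manager for company-owned devices.

Added example, not vendor code. Field names follow Apple's DEP API "define profile"
request; the policy, URL, org name and serial number are assumptions for illustration.
"""
import json
from datetime import date, timedelta

PROVISIONAL_DAYS = 30  # Apple's window in which a Configurator-added device may leave management


def corporate_profile(mdm_url, profile_name="Corporate - supervised", devices=()):
    """Enrollment profile for devices that are company property."""
    return {
        "profile_name": profile_name,
        "url": mdm_url,                       # enrollment URL of the MDM server
        "is_supervised": True,                # supervision unlocks most restrictions
        "is_mandatory": True,                 # Setup Assistant cannot skip MDM enrollment
        "is_mdm_removable": False,            # user cannot remove the MDM profile
        "await_device_configured": True,      # device waits until MDM has pushed its profiles
        "allow_pairing": False,               # no pairing with computers not in supervising_host_certs
        "is_multi_user": False,
        # Setup Assistant panes hidden from the user; "AppleID" because a pure work
        # device gets a Managed Apple ID from the MDM, not a personal one.
        "skip_setup_items": ["AppleID", "Restore", "Siri", "Diagnostics"],
        "devices": list(devices),             # serial numbers assigned to this profile
    }


def check_enrollment_profile(profile):
    """Return findings for settings that weaken control over a company-owned device.

    An empty list means the profile passes the (assumed) corporate policy.
    """
    expected = {
        "is_supervised": True,
        "is_mandatory": True,
        "is_mdm_removable": False,
        "await_device_configured": True,
    }
    findings = []
    for key, want in expected.items():
        got = profile.get(key)
        if got != want:
            findings.append(f"{key} should be {want!r}, is {got!r}")
    if not str(profile.get("url", "")).startswith("https://"):
        findings.append("url must be an https:// enrollment URL")
    return findings


def provisional_period_ends(added_on_iso):
    """ISO date after which a device added via Apple Configurator can no longer
    be removed from management and ABM by the user."""
    added_on = date.fromisoformat(added_on_iso)
    return (added_on + timedelta(days=PROVISIONAL_DAYS)).isoformat()


if __name__ == "__main__":
    good = corporate_profile("https://mdm.example.com/enroll", devices=["C02EXAMPLE0001"])  # constructed serial
    print(json.dumps(good, indent=2))
    print("findings (good):", check_enrollment_profile(good))
    # A profile copied from a BYOD template: removable, and a plain-http URL.
    bad = dict(good, is_mdm_removable=True, url="http://mdm.example.com/enroll")
    print("findings (bad):", check_enrollment_profile(bad))
    print("device added 2025-01-10 is locked in from", provisional_period_ends("2025-01-10"))
```

The check is worth running whenever a profile is cloned: a BYOD-style profile with `is_mdm_removable` set to true on a supervised company device leaves the user one tap away from leaving management, and the supervision gained with Apple Configurator would then count for little.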

 

Bring existing Apple devices into MDM: Apple supports professional use in companies

If Apple devices are to be used for work in the company, it is generally recommended to purchase them directly as Automated Device Enrollment (DEP) devices through Apple or an authorized reseller, so that the conversion step with Apple Configurator does not have to be carried out at all.

Apple is increasingly encouraging the use of iPhones and iPads for work, so some changes are being made to ABM to give companies even better options for managing their devices. For example, for the past six months, companies have been able to use the “Lock Domain” feature to prevent private Apple IDs from being created with the company email address. If you’d like to read more about the new features for Apple Business users, we recommend our article on the Apple Keynote 2025.

For comprehensive, free advice on mobile device management systems, please feel free to contact us.