Use Intune MDM with iOS devices registered in ABM/ASM for Automated Device Enrollment, in conjunction with iMazing Configurator for local provisioning

💡iMazing 3
This guide is not yet complete or updated for iMazing 3. An update will be available soon.

The purpose of this guide is to assist you in configuring Automated Device Enrollment in Intune MDM so that devices remain locally manageable with iMazing Configurator.

1. Create your supervising organization with iMazing Configurator

To begin, create your supervising identity in iMazing Configurator. This identity will be used in Intune for Automated Device Enrollment at step 2.

1. In the iMazing menu bar, under Configurator, choose Organizations:

2. Click on the '+' button located at the lower left corner:

3. In New Organization enter information about your organization. In Supervision Identity select Generate New and click Create:
4. Enter your macOS user credentials and click Update Settings:
5. Review your new organization and click Done:
6. Open the macOS Keychain app, select the login keychain, go to the My Certificates tab and with the search bar, look for your freshly created organization certificate (here we use Intune Test Organization). Select it and right-click to display the contextual menu:
7. Select Export "your organization certificate name":
8. Name your certificate and select .cer as file format. Once ready click Save:

2. Prepare your Intune MDM account for Automated Device Enrollment to work in conjunction with iMazing Configurator for local provisioning

Follow these steps to use the supervising certificate exported from iMazing Configurator in step 1 to create a new Intune Enrollment Program token.

The procedures may vary slightly depending on whether you use Automated Device Enrollment (ADE) or manually onboard your devices in Intune.

⚠ Important: Please note that several aspects of your overall Microsoft Azure tenant configuration may impact your migration. This guide will not cover the configuration of Azure. Additionally, we will not cover prerequisite steps, such as installing your Apple Push certificate.

1. Log in to your Microsoft Intune console.
2. Select Devices > Enroll Devices > Apple enrollment:
3. Select Enrollment program tokens, choose your own and double-click on it:
4. Click on Profiles > Create a profile > iOS/iPadOS:
5. Create a profile with a clear name, such as "ADE Enrollment," and add a description:
6. In User affinity select Enroll without User Affinity (enrollment based on user accounts are not taken in consideration is this guide but are also supported):
7. In Supervise choose Yes.
8. In Locked Enrollment, choose "Yes" if you do not want the end-user to be able to manually remove the management profile from the device's settings, otherwise select “No”.
9. In a Shared iPad, select according to your needs.
10. In Sync with computers select Allow Apple Configurator by certificate.
11. In Apple Configurator certificates upload your Supervision certificate previously exported as .cer format (in our example Intune Test Organization).
12. Select the other options according to your scenario and click on Next:
13. In the Setup Assistant window, provide the requested information and choose the appropriate options for your scenario. Review your choices, and when you are ready to proceed, click on Create:
14. To set your ADE Enrollment profile as the default profile, return to the Enrollment program tokens panel and click Set default profile. Then, select your ADE Enrollment profile in the iOS/iPadOS Enrollment Profile field and click Save:
15. To enroll devices registered in ABM/ASM in Intune using ADE, first select the devices in the Devices section, then click Assign profile:
16. Confirm your chosen Enrollment Profile and click Assign:
17. To finish, click the Sync (ADE/DEP) button. As a result, the MDM server will communicate with Apple's servers to retrieve and update ADE/DEP-related information and configurations.

Once the device has been started and automatically enrolled, your local IT staff can interact with it using iMazing or iMazing Configurator. For example, they can back up sensitive local data for legal or compliance purposes, apply iMazing Configurator blueprints, and more.