Skip to main content
Matrix42 Self-Service Help Center

Apple Deployment Programs II: Configure Deployment Programs

Configure Business Manager Basics

Before you start here you must have completed chapter Apple Deployment Programs I: Create Managed Apple ID

Add Admin Accounts

  • Login to your Apple Business Manager 
  • Navigate to Accounts
  • Click Add Accounts Icon 
  • Add the following information
    • First Name
    • Middle Name (optional)
    • Last Name
    • Username for Managed Apple ID
    • Choose a Role (The Organization will be filled automatically with your Master Location)
    • Email Address 
  • Click Save

Add Device Purchases

  • Navigate to Settings
  • Open Device Purchases
  • Add a DEP Reseller ID or Apple Customer Number
  • If you want to add more then 1 DEP Reseller UDs use the + button
  • Click Save

Add Device Enrollment & Volume Purchase Program

Apple Business Manager combines Device Enrollment Program and Volume Purchase Program in one console. Depending on your preferences configure either Device Enrollment Program or Volume Purchase Program or both. Both has a part that needs to be done in Business Manager and a part for Silverback. 

Device Enrollment Program

Apple's Device Enrollment Profile (DEP) program automates mobile device management (MDM) enrollment. Using DEP, you can configure enterprise devices without touching them. To configure the Device Enrollment Program we will need to create a public key, add your Silverback Server in Apple Business Manager and import the trusted server token into Silverback. 

Create your Public Key

For creation of  a Public Key for your Device Enrollment Program you'll need the following: 

  • Mac Computer with latest macOS and
    • Apple macOS Keychain application (built-in)
    • Apple macOS Terminal application (built-in)
    • Apple macOS TextEdit application (built-in)

If your organization should not have an Apple macOS computer, please contact Matrix42 Support or your Matrix42 Partner Consultant.

Create Unique Certificate

  • Log into your Mac Computer
  • Open Keychain Access Application. Go to Launchpad and type Keychain
  • From the top left, ensure “Login” is selected and then “My Certificates at the bottom
  • Click the Keychain Access Menu from the top of your screen
  • Click Certificate Assistant
  • Click Create a Certificate
  • Enter your as Name e.g. Imagoverum
  • Ensure that Identity Type is “Self Signed Root” and that Certificate Type is set to “S/MIME (Email)”
  • Click the Create button
  • Click Continue
  • Click Done

Export Certificate

  • Right Click your created certificate
  • Select Export 
  • Give the Certificate as friendly name, e.g silverback
  • Ensure that Personal Information Exchange (.p12) is selected
  • Choose the Downloads folder to store the silverback.p12 file there
  • Click Save

For the purposes of this document, we will call the file “silverback.p12”, this is referenced in some commands later in the document. If you name the file differently, you will need to adjust the commands appropriately.

  • Enter a Password, e.g. Pa$$w0rd and keep it in your memory
  • Click OK
  • Enter your MacOS Login password
  • Click Always Allow

Change Certificate Format

  • Open Terminal Application
  • Enter cd downloads
  • Enter ls to see you silverback.p12 file list
  • Now enter the following command 
    • openssl pkcs12 -in silverback.p12  -out silverback.pem -nodes
  • Enter the your created password, e.g. Pa$$w0rd
  • Press Enter
  • To ensure the silverback.pem is listed use again ls command

If you copy and paste the text from this document, the command might fail, please type out this command manually if you receive errors.

Create the Keys

  • Now navigate to Finder
  • Click Go
  • Click Downloads
  • Right click your certificate.pem file
  • Select Open with
  • Choose other
  • Select TextEdit
  • Click Open 

Read Instructions

When you have opened the pem file with TextEdit, the displayed content will have the structure shown in the table.  We need to copy & paste the Certificate Part and the Public Key Part into two different new text files with the ending .key .

  • certificatepublic.key: Will be used to register your Server on Apple
  • certificateprivate.key: Will be used for Decrypt the Token from Apple and creating your unique Silverback DEPToken. 

Please ensure that you will copy the part of your text on your file, do not copy and paste the displayed one in the table below

  • Read the table and proceed with steps below
Value Action to take

Bag Attributes

 friendlyName: CompanyName

 localKeyID: 6D 41 81 8D C1 C4 FC 7B C1 4C 24 E0 97 DA 2C 77 DB 9C B5 F1

subject=/CN=CompanyName/C=AU

issuer=/CN=CompanyName/C=AU

No action

-----BEGIN CERTIFICATE-----

MIIC6TCCAdGgAwIBAgIBATALBgkqhkiG9w0BAQswIzEUMBIGA1UEAwwLQ29tcGFu

eU5hbWUxCzAJBgNVBAYTAkFVMB4XDTE1MDMwNjAwNTgyN1oXDTE2MDMwNTAwNTgy

gVglG0SWc/QzJfIcyRXUEW4rFJ9joEBnyeN4jibKPWvB5RKqh5lly/5H5nljp+6

pX7EwM63aVmsd5MxEVMT8isAXDVi+DWkzBHc4fQ=

-----END CERTIFICATE-----

Save this text part in a separate file named certificatepublic.key

(Certificate Area)

Bag Attributes

    friendlyName: CompanyName

    localKeyID: 6D 41 81 8D C1 C4 FC 7B C1 4C 24 E0 97 DA 2C 77 DB 9C B5 F1

Key Attributes: <No Attributes>

No action

-----BEGIN PRIVATE KEY-----

MIIEpAIBAAKCAQEA7marEWleBfTWC1nF8uf2PRputQJeAEnyZfP/D0TO22W2TIzT

jd4NWETfehzq3e/W5WcjQ79NNNAq9KwxsPPNq5OEJFzDEgdZGV0enHaEfi4i7YSK

j9BSH3ECgYAYcXHzjg5tcTQVaHfkI8X/hd9w56iSJC3gEdEC7WnGOiSeqhp/ZeP8

iXZVp66EuajK4QwMYHE2lpzqxTAieWYYmA3sic+uLU3zBdjjBNmWKcUE/soqzel9

ySfNSOx+SHxE+fCOw19udZapVwHyt93lehjkImMJqhgEJRd6QMcIwg==

-----END PRIVATE KEY-----

  • Save this text part in a separate file named certificateprivate.key

(Private Key Area)

Create and Save Files

  • Now Select the Certificate Area
  • Press cmd + c to copy the content in your clipboard
  • Click File
  • Click New
  • Click Format
  • Click Make Plain Text
  • Press cmd + v to paste the content
  • click cmd + s to open Save Wizard
  • Enter as name certificatepublic.key
  • Select your Downloads folder to store the key
  • Uncheck If no extension is provided, use ".txt".
  • Click Save
  • Repeat the steps for the private key Area and save it as certificateprivate.key
  • Your Download folder should now have both files listed
    • certificateprivate.key
    • certificatepublic.key

Add MDM Server

  • Login or open to Apple Business Manager or navigate back if already logged in
  • Navigate to MDM Servers
  • Click Add New MDM Server
  • Enter a display name e.g. Silverback 

Upload Public Key

  • Click Upload File
  • Select the certificatepublic.key file with the included Public Key that you created
  • Proceed with Choose
  • Click Save

Download Server Token

  • Now Click Get Token
  • Confirm with Download Server Token
  • Now we need to decrypt that Server Token
  • The token file should be stored under Downloads
  • Check your Downloads Folder for a .p7m file
  • Copy the name of the complete file into your clipboard

Decrypt Server Token

  • Navigate back to Terminal Application
  • Type openssl smime -decrypt -in and press cmd + v 
  • Add now -inkey and add certificateprivate.key
  • Add at the End >DEPToken.json 
  • Press Enter

The complete command should look similar to this:

openssl smime -decrypt -in Filename.p7m -inkey certificateprivate.key > DEPToken.json

If you copy and paste the text from this document, the command might fail,  so better type this command manually.

  • Check your Downloads folder, there should be now the DEPToken.json file listed

Edit Server Token

  • Right Click the DEPToken.json file
  • Open with TextEditor (check if it still displayed in plain-text editor mode)
  • Remove the header & footer information as shown in the table below
  • Save the file 
  • Proceed with Import Server Token
Before After

Content-Type: text/plain;charset=UTF-8

Content-Transfer-Encoding: 7bit

-----BEGIN MESSAGE-----

{"consumer_key":"CK_e568c2688a621bb0400247fd7cf05ef19be58cba1cb26a0ec35c","consumer_secret":"CS_0a9a300f00","access_token":"AT_O8190583125113472c01f6cO1425861731668","access_secret":"AS_968be8277c0694d27df040d4765","access_token_expiry":"2016-03-08T00:42:11Z"}

-----END MESSAGE-----

{"consumer_key":"CK_e568c2688a621bb0400247fd7cf05ef19be58cba1cb26a0ec35c","consumer_secret":"CS_0a9a300f00","access_token":"AT_O8190583125113472c01f6cO1425861731668","access_secret":"AS_968be8277c0694d27df040d4765","access_token_expiry":"2016-03-08T00:42:11Z"}

Import Server Token

  • Open your Silverback Management Console
  • Login as Administrator
  • Navigate to Admin
  • Navigate to Device Enrollment Program
  • Click Enabled
  • Click Choose File 
  • Upload the DEPToken.json file.
  • Click Save
  • Click Ok
  • Wait a few moment for the system to connect and update with Apple
  • Refresh the Browser Page or navigate to another section and switch back to Device Enrollment Program
  • Congratulations. Silverback is now linked with Apple Device Enrollment Program

Next Steps

Volume Purchase Program

Volume Purchase Program provides IT Administrators an easy way to find, purchase, and distribute Apps and Books in volume for the entire organization.

Before your start

Before you start please note the following criteria:

  • If you previously used a VPP token with a different product, you must generate a new one 
  • A VPP token is only supported for use in one MDM System at time. Do not reuse the same VPP token for multiple MDM Systems
  • Tokens are valid for one year
  • Before you start to use Apple VPP with Silverback, remove any existing VPP user accounts created with other mobile device management (MDM) vendors. 
  • We recommend to use the Device only  as VPP Operation mode.  When you assign VPP apps using the user licensing model to users or devices (with user affinity), each user needs to be associated with a unique Apple ID or an email address when they accept the Apple terms and conditions on their device. Ensure that when you set up a device for a new Silverback user, you configure it with that user's unique Apple ID or email address. The Apple ID or email address and Silverback user form a unique pair and can be used on up to five devices.
  • By default, Silverback synchronizes with the Apple VPP service in a given period to refresh.  A manual sync is possible at any time.

Get Token

Depending of where you stated, you may have face a different user experience

  • Open Apple Business Manager
  • Login with your Apple Business Manager Apple ID
  • Enter your Two-Factor Authentication Code
  • Click Trust this browser
  • Navigate to Apps and Books
  • Choose Tax-Status 
  • Proceed with Continue 
  • Click Get Started
  • Accept Terms and Conditions
  • Navigate to Settings
  • Click Apps and Books
  • Download your Server Token

If you do not find your server, add first a new Location under Locations

  • Open Downloaded File with any Text Editor
  • Copy the complete content of the text file into clipboard

Import Token

  • Navigate to Silverback
  • Login as Administrator
  • Navigate to Admin
  • Navigate to Volume Purchase Program
  • Enable Volume Purchase Program
  • Paste the token into Company Token field
  • Click Save token
  • Wait a couple of seconds
  • Click Refresh

Change VPP Operation Mode

  • Change VPP Operation Mode to Device Preferred

Enable Logs

It may take a while until vpp logs are visible

Next Steps

  • Was this article helpful?