Matrix42 Self-Service Help Center

Apple Deployment Programs II: Configure Deployment Programs

Configure Business Manager Basics

Before you start here, you must have completed the chapter Apple Deployment Programs I: Create Managed Apple ID.

Add Admin Accounts

  • Log in to your Apple Business Manager
  • Navigate to Accounts
  • Click Add Accounts Icon 
  • Add the following information
    • First Name
    • Middle Name (optional)
    • Last Name
    • Username for Managed Apple ID
    • Choose a Role (The Organization will be filled automatically with your Master Location)
    • Email Address 
  • Click Save

Add Device Purchases

  • Navigate to Settings
  • Open Device Purchases
  • Add a DEP Reseller ID or Apple Customer Number
  • If you want to add more than one DEP Reseller ID, use the + button
  • Click Save

 

Configure Deployment Programs

Apple Business Manager combines the Device Enrollment Program and the Volume Purchase Program in one console. Depending on your preferences, configure the Device Enrollment Program, the Volume Purchase Program, or both. Each has a part that is done in Business Manager and a part that is done in Silverback.

Device Enrollment Program (optional)

Apple's Device Enrollment Program (DEP) automates mobile device management (MDM) enrollment. Using DEP, you can configure enterprise devices without touching them. To configure the Device Enrollment Program, you need to create a public key, add your Silverback server in Apple Business Manager, and import the trusted server token into Silverback.

Create your Public Key

To create a Public Key for your Device Enrollment Program, you'll need the following:

  • Mac Computer with latest macOS and
    • Apple macOS Keychain application (built-in)
    • Apple macOS Terminal application (built-in)
    • Apple macOS TextEdit application (built-in)

Matrix42 supports this process by using Apple’s macOS Keychain application and the built-in OpenSSL tool. If your organization does not have an Apple macOS computer, please contact Matrix42 Support or your Matrix42 Partner Consultant.

Create Unique Certificate
  • Log into your Mac Computer, and open the "Keychain Access" Application. This can be done by going to Launchpad and typing in ‘Keychain’.
  • From the top left, ensure “Login” is selected, and then select “My Certificates” at the bottom
  • Click the Keychain Access Menu from the top of your screen
  • Click Certificate Assistant
  • Click Create a Certificate
  • Enter your Company Name
  • Ensure that Identity Type is “Self Signed Root” and that Certificate Type is set to “S/MIME (Email)”
  • Click the Create button.
  • Click "Continue" when prompted
  • Click "Done" to confirm
Export Certificate
  • Once the ‘Certificate Assistant’ has completed, your certificate should be visible. Without expanding it, right-click on it and select Export “CompanyName”.
  • When prompted, name the file Certificates and choose the location to save it to. Ensure that “Personal Information Exchange (.p12)” is selected.
  • Click Save.

For the purposes of this document, we will call the file “Certificates.p12”. This name is referenced in some commands later in the document. If you name the file differently, you will need to adjust the commands appropriately.

  • You will now enter a password to secure the certificates. This will be required again later, so make sure you remember it.
  • You might also be prompted to enter your computer’s password to export the items, this will be the password you use to log into the computer. Enter this if prompted and click “Always Allow”.
Change Certificate Format

Using the Terminal application within macOS, navigate to the directory that contains your Exported Certificate and execute the following command:

  • openssl pkcs12 -in Certificates.p12  -out Certificates.pem -nodes

You will be asked for the Export Password you set during 

If you copy and paste the text from this document, the command might fail. Please type out this command manually if you receive errors.

Create the Keys
  • Open the certificates.pem file with TextEdit

Alternatively, you can use any other text editor. You need to ensure that you edit the file in a plain-text editor mode, because a rich-text editor might add special characters.

  • Ensure that you switch the text file into plain-text mode. You find the “Make Plain Text” option in the menu bar / Format section.

When you have opened the pem file with TextEdit, the displayed content will have the structure shown in the table. We need to copy & paste the Certificate part and the Private Key part into two different new text files with the ending .key.

  • CertificatePublic.key: Will be used to register your Server on Apple
  • CertificatePrivate.key: Will be used to decrypt the Token from Apple and to create your unique Silverback DEPToken.

Please ensure that you copy the corresponding parts from your own file. Do not copy and paste the sample text displayed in the table below.

 

Value:

Bag Attributes
    friendlyName: CompanyName
    localKeyID: 6D 41 81 8D C1 C4 FC 7B C1 4C 24 E0 97 DA 2C 77 DB 9C B5 F1
subject=/CN=CompanyName/C=AU
issuer=/CN=CompanyName/C=AU

Action to take: No action

Value:

-----BEGIN CERTIFICATE-----
MIIC6TCCAdGgAwIBAgIBATALBgkqhkiG9w0BAQswIzEUMBIGA1UEAwwLQ29tcGFu
eU5hbWUxCzAJBgNVBAYTAkFVMB4XDTE1MDMwNjAwNTgyN1oXDTE2MDMwNTAwNTgy
gVglG0SWc/QzJfIcyRXUEW4rFJ9joEBnyeN4jibKPWvB5RKqh5lly/5H5nljp+6
pX7EwM63aVmsd5MxEVMT8isAXDVi+DWkzBHc4fQ=
-----END CERTIFICATE-----

Action to take: Save this text part in a separate file named CertificatePublic.key

  • When you have selected the text, copy it to a new TextEdit, click cmd and S (for save) - Make sure it is displayed as plain text
  • Uncheck If no extension is provided, use ".txt".
  • Enter under Save as: CertificatePublic.key and click Save

Value:

Bag Attributes
    friendlyName: CompanyName
    localKeyID: 6D 41 81 8D C1 C4 FC 7B C1 4C 24 E0 97 DA 2C 77 DB 9C B5 F1
Key Attributes: <No Attributes>

Action to take: No action

Value:

-----BEGIN PRIVATE KEY-----
MIIEpAIBAAKCAQEA7marEWleBfTWC1nF8uf2PRputQJeAEnyZfP/D0TO22W2TIzT
jd4NWETfehzq3e/W5WcjQ79NNNAq9KwxsPPNq5OEJFzDEgdZGV0enHaEfi4i7YSK
j9BSH3ECgYAYcXHzjg5tcTQVaHfkI8X/hd9w56iSJC3gEdEC7WnGOiSeqhp/ZeP8
iXZVp66EuajK4QwMYHE2lpzqxTAieWYYmA3sic+uLU3zBdjjBNmWKcUE/soqzel9
ySfNSOx+SHxE+fCOw19udZapVwHyt93lehjkImMJqhgEJRd6QMcIwg==
-----END PRIVATE KEY-----

Action to take: Save this text part in a separate file named CertificatePrivate.key

  • When you have selected the text, copy it to a new TextEdit, click cmd and S (for save) - Make sure it is displayed as plain text
  • Uncheck If no extension is provided, use ".txt".
  • Enter under Save as: CertificatePrivate.key and click Save
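
The copy-and-paste steps above can also be done in Terminal, which avoids rich-text characters ending up in the key files. This is an added example, not part of the Matrix42 guide: the function name split_pem and its arguments are assumptions, and it expects the Certificates.pem produced by the openssl pkcs12 command above. Because -nodes writes the private key unencrypted, the files are created readable by the owner only.

```shell
#!/bin/sh
# Added example, not Matrix42 code. split_pem and its arguments are assumptions.
# Usage: split_pem Certificates.pem [OUT_DIR]
# Writes CertificatePublic.key (certificate block) and CertificatePrivate.key
# (private key block); the Bag Attributes text is left out of both files.
split_pem() (
    pem=$1
    out=${2:-.}
    # -nodes exported the key unencrypted, so create owner-only files.
    umask 077
    # grep -c exits non-zero on a count of 0; "|| true" keeps the count usable.
    certs=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$pem" || true)
    keys=$(grep -c -E -e '-----BEGIN (RSA )?PRIVATE KEY-----' "$pem" || true)
    if [ "$certs" != 1 ] || [ "$keys" != 1 ]; then
        echo "expected 1 certificate and 1 private key, found $certs and $keys" >&2
        exit 1
    fi
    # An awk range pattern prints every line from the BEGIN to the END marker.
    awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' "$pem" \
        > "$out/CertificatePublic.key"
    awk '/-----BEGIN (RSA )?PRIVATE KEY-----/,/-----END (RSA )?PRIVATE KEY-----/' "$pem" \
        > "$out/CertificatePrivate.key"
    # Tighten the mode even if the key file already existed.
    chmod 600 "$out/CertificatePrivate.key"
)

# Run only when the script is given arguments.
[ "$#" -eq 0 ] || split_pem "$@"
```

Delete Certificates.pem once both files exist, since it also holds the unencrypted private key.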

Add MDM Server

  • Navigate back to Apple Business Manager
  • Navigate to MDM Servers
  • Click Add
  • Enter a display name for your MDM Server Information (e.g. Company EMM)
Upload Public Key
  • Click Upload File
  • Select the CertificatePublic.key file with the included Public Key that you created
  • Proceed with Choose
  • Click Save
Download Server Token
  • Now Click Get Token
  • Confirm with Download Server Token
  • Now we need to decrypt that Server Token
Decrypt Server Token
  • Copy the downloaded token into the same directory as your CertificatePrivate.key file
  • Open Apple’s macOS Terminal application and execute the following command. It will create your DEP Token for Silverback

openssl smime -decrypt -in encryptedToken.p7m -inkey CertificatePrivate.key > DEPToken.json

If you copy and paste the text from this document, the command might fail, so it is better to type this command manually.

Edit Server Token
  • Open the created DEPToken.json with TextEdit (check that it is still displayed in plain-text editor mode)
  • Remove the header & footer information as shown in the table below
  • Save the file 
  • Proceed with Silverback Part
Before:

Content-Type: text/plain;charset=UTF-8
Content-Transfer-Encoding: 7bit

-----BEGIN MESSAGE-----
{"consumer_key":"CK_e568c2688a621bb0400247fd7cf05ef19be58cba1cb26a0ec35c","consumer_secret":"CS_0a9a300f00","access_token":"AT_O8190583125113472c01f6cO1425861731668","access_secret":"AS_968be8277c0694d27df040d4765","access_token_expiry":"2016-03-08T00:42:11Z"}
-----END MESSAGE-----

After:

{"consumer_key":"CK_e568c2688a621bb0400247fd7cf05ef19be58cba1cb26a0ec35c","consumer_secret":"CS_0a9a300f00","access_token":"AT_O8190583125113472c01f6cO1425861731668","access_secret":"AS_968be8277c0694d27df040d4765","access_token_expiry":"2016-03-08T00:42:11Z"}
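
The header and footer removal described above can be done in Terminal instead of a text editor, with a check that the result is a complete token. This is an added example, not part of the Matrix42 guide: extract_dep_token, token_expiry and token_expired are hypothetical helper names, the field list is taken from the sample token above, and the token is assumed to be compact JSON as in that sample.

```shell
#!/bin/sh
# Added example, not Matrix42 code; all function names are assumptions.
# Usage, with the decrypt command from the guide:
#   ( umask 077; openssl smime -decrypt -in encryptedToken.p7m \
#       -inkey CertificatePrivate.key | extract_dep_token > DEPToken.json )

# extract_dep_token [FILE]: print only the text between the BEGIN MESSAGE and
# END MESSAGE markers; fail if a field of the sample token is missing.
extract_dep_token() (
    body=$(awk '
        /^-----END MESSAGE-----/   { inside = 0 }
        inside                     { sub(/\r$/, ""); if (length($0)) print }
        /^-----BEGIN MESSAGE-----/ { inside = 1 }
    ' "${1:--}")
    [ -n "$body" ] || { echo "no MESSAGE block found" >&2; exit 1; }
    for field in consumer_key consumer_secret access_token access_secret \
                 access_token_expiry; do
        case $body in
            *"\"$field\":"*) ;;
            *) echo "missing field: $field" >&2; exit 1 ;;
        esac
    done
    printf '%s\n' "$body"
)

# token_expiry JSON_FILE: print the access_token_expiry timestamp.
token_expiry() {
    sed -n 's/.*"access_token_expiry":"\([^"]*\)".*/\1/p' "$1"
}

# token_expired JSON_FILE [NOW]: succeed if the token expired before NOW
# (UTC, same format as the token; defaults to the current time).
token_expired() {
    now=${2:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}
    # Timestamps in this fixed format sort correctly as plain strings.
    awk -v e="$(token_expiry "$1")" -v n="$now" 'BEGIN { exit !(e < n) }'
}

# Run only when the script is given arguments.
[ "$#" -eq 0 ] || extract_dep_token "$@"
```

DEPToken.json holds the credentials Silverback uses against Apple's service, so keep it owner-readable and remove it after the import.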
Import Server Token
  • Log in to your Silverback console as a user with Administrator privileges and navigate to the Admin Tab > Device Enrollment Program section
  • Check the “Enabled” checkbox at the top of the page, then click Choose File and upload the DEPToken.json file.

For an explanation of the other settings on this page, see the Silverback Admin Guide.

  • Wait a few minutes for the system to connect and update with Apple and then click the “Overview” button, and you should see your DEP account information.
  • If you don’t have any devices listed on this page, you can assign these by logging into the Apple Deployment Programs website again, then click on “Manage Devices”. From here you can enter the device serial numbers or order number, and then choose to associate them with the server.
Configuration

All settings for the Device Enrollment Program are covered here: Apple Deployment Programs IV: Device Enrollment Program

Volume Purchase Program (optional)

Volume Purchase Program provides IT Administrators an easy way to find, purchase, and distribute Apps and Books in volume for the entire organization.

Before you start

Before you start, you need to get a VPP token from Apple and upload it to Silverback. Additionally, please note the following criteria:

  • If you previously used a VPP token with a different product, you must generate a new one 
  • A VPP token is only supported for use in one MDM System at a time. Do not reuse the same VPP token for multiple MDM Systems
  • Tokens are valid for one year
  • Before you start to use Apple VPP with Silverback, remove any existing VPP user accounts created with other mobile device management (MDM) vendors. 
  • We recommend using Device only as the VPP Operation mode. When you assign VPP apps using the user licensing model to users or devices (with user affinity), each user needs to be associated with a unique Apple ID or an email address when they accept the Apple terms and conditions on their device. Ensure that when you set up a device for a new Silverback user, you configure it with that user's unique Apple ID or email address. The Apple ID or email address and Silverback user form a unique pair and can be used on up to five devices.
  • By default, Silverback synchronizes with the Apple VPP service in a given period to refresh. A manual sync is possible at any time.

Get Token

  • Open Apple Business Manager
  • Enter your Apple Business Manager Apple ID
  • Enter your Password
  • Enter your Two-Factor Authentication Code
  • Click Trust this browser
  • Navigate to Apps and Books (only at first time)
  • Choose Tax-Status (only at first time)
  • Proceed with Continue (only at first time)
  • Click Get Started (only at first time)
  • Accept Terms and Conditions (only at first time)
  • Navigate to Settings
  • Click Apps and Books
  • Download your Server Token
  • Open Downloaded File with any Text Editor
  • Copy the complete content of the text file into clipboard

Import Token

  • Navigate to Silverback
  • Login as Administrator
  • Navigate to Admin
  • Navigate to Volume Purchase Program
  • Enable Volume Purchase Program
  • Paste the token into Company Token field
  • Click Save token
  • Wait a couple of seconds
  • Click Refresh

Change VPP Operation Mode

  • Change VPP Operation Mode to Device Preferred

Enable Logs

It may take a while until VPP logs are visible.
