Set up company-owned iOS device management

Supported editions for this feature: Enterprise; Education Standard and Plus; Cloud Identity Premium.

As an administrator, you can manage company-owned iPhones and iPads in the Google Admin console alongside other devices you manage there. To do so, you connect Apple Business Manager or Apple School Manager with your Google Workspace or Cloud Identity subscription.

How the Apple Device Enrollment integration works

You integrate Apple Business Manager or Apple School Manager with your Admin console by exchanging credentials between the two systems: a public key generated in the Admin console is uploaded to Apple, and the server token Apple issues for that MDM server is uploaded to the Admin console. With these in place, Google endpoint management can push configuration settings from the Admin console to the devices through a mobile device management (MDM) configuration profile and the Google Device Policy app.

The server token you get from Apple expires annually. You must renew the token for devices to keep syncing work data. Unlike the Apple push notification certificate, the token can still be renewed after it has expired.

Before you begin

  1. Review the device requirements.
  2. Get an account to sign in to your organization's Apple Business Manager or Apple School Manager.
  3. For easiest management, buy iOS devices for your organization through an authorized Apple retailer. To find an authorized Apple retailer, contact Apple Support. The devices are automatically linked to your Apple Business Manager or Apple School Manager.
  4. Turn on advanced mobile management for the organizational unit that will use the devices.

Note: The following steps require that you complete actions in both the Google Admin console and in Apple Business Manager or Apple School Manager with your business or school Apple ID. Make sure you have access to both before you continue.

Step 1: Set up Apple Enrollment

You must be signed in as a super administrator for this task. Admins who have the Mobile Device Management privilege but aren't super admins always see the setup flow, even if your organization is already set up. If they try to download the public key, they get an error message.

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.
  3. Click Settings, then iOS settings, then Apple certificates.
  4. Click Set Up Enrollment.
  5. Click Get public key. The public key downloads to your device.
  6. Open Apple Business Manager or Apple School Manager and sign in with your business Apple ID. In the Device Enrollment Program section:
    1. Click Manage Servers.
    2. If you already set up an MDM Server to use for these devices, click it. Otherwise, create a server.
    3. When prompted, upload the public key you downloaded from the Admin console.
    4. Download the server token from Apple.
  7. Return to the Admin console.
  8. Under Business Apple ID, enter the Apple ID you used to get the token. This entry helps you track which admin did the setup.
  9. Click Upload Server Token, select the token you downloaded from Apple, and click Open.
  10. Click Save & Continue.
  11. The token and its expiration date are now listed on the settings page. Set a calendar reminder to renew the token before it expires.

Step 2: Configure device setup settings

You can control how company-owned iOS devices are set up when a user first signs in. These settings apply to your entire organization.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.
  3. Click Settings, then iOS settings, then Company-owned iOS device setup.
  4. Click Device enrollment settings and choose the options you want. To learn more about the settings, see the iOS settings reference.
  5. Click Save.
Changes typically take effect in minutes, but can take up to 24 hours. For details, go to How changes propagate to Google services.

Step 3: Configure iOS device restrictions

In addition to the settings available to all iOS devices under advanced management, for supervised devices you can control user access to more apps and settings. You can configure these management settings by organizational unit. For example, you can allow users in some organizational units to install apps, but block app installation for other organizational units.

For details on the settings that apply only to supervised devices, see the iOS settings reference.

Step 4: Enroll and distribute company-owned iOS devices for management

  1. Open Apple Business Manager or Apple School Manager and sign in with your business Apple ID.
  2. Assign the devices to the MDM Server you connected to Google endpoint management. The serial numbers of the devices you want to manage through Google endpoint management must already be in the system (entered by your authorized Apple retailer).
    • To assign all devices to the server by default, set the default assignment.
    • To bulk enroll devices, download a CSV file of their serial numbers, then upload the CSV file.
    • To assign devices individually, enter the serial number.

    For details, see the Apple Device Enrollment documentation.

    Note: It can take up to 24 hours for a device to be ready to use after you assign it to the MDM server.

  3. Distribute devices to your users. When users first sign in, they follow a short setup flow.
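Reseller exports and hand-maintained spreadsheets are the usual source of the serial-number CSV in step 2, and they routinely carry header rows, stray whitespace, lower-case entries and duplicates that cause a bulk assignment to fail or assign the wrong device. The following script is an added example, not code from Google or Apple: it cleans such an export before upload and flags anything that needs a human look. Two assumptions are built in and marked in the code: that Apple serial numbers are 10 or 12 upper-case alphanumeric characters, and that the bulk upload accepts one serial per line, which you should confirm against the Apple Device Enrollment documentation linked above. The sample export is constructed and contains no real devices.

```python
import csv
import io
import re
from dataclasses import dataclass, field

# Assumption: Apple device serial numbers are 10 or 12 characters of
# upper-case letters and digits. Anything else is flagged for manual review
# rather than silently dropped.
SERIAL_RE = re.compile(r"^(?:[A-Z0-9]{10}|[A-Z0-9]{12})$")

# Header cells a reseller export might carry in the serial column; skipped.
HEADER_CELLS = {"serial", "serial number", "serialnumber"}


@dataclass
class SerialReport:
    valid: list = field(default_factory=list)       # cleaned, deduplicated serials
    duplicates: list = field(default_factory=list)  # repeated entries (after normalisation)
    invalid: list = field(default_factory=list)     # raw cells that failed the format check


def clean_serials(csv_text: str) -> SerialReport:
    """Read a CSV export, take the first column as the serial number,
    normalise it, and sort every row into valid / duplicate / invalid."""
    report = SerialReport()
    seen = set()
    for row in csv.reader(io.StringIO(csv_text)):
        if not row:
            continue
        raw = row[0].strip()
        if not raw or raw.lower() in HEADER_CELLS:
            continue
        serial = raw.upper()
        if not SERIAL_RE.match(serial):
            report.invalid.append(raw)
        elif serial in seen:
            report.duplicates.append(serial)
        else:
            seen.add(serial)
            report.valid.append(serial)
    return report


def to_upload_csv(report: SerialReport) -> str:
    """Render the valid serials one per line. Assumption: this is the layout
    the Apple Business Manager / Apple School Manager bulk upload expects;
    confirm against the Apple Device Enrollment documentation before use."""
    return "".join(f"{s}\n" for s in report.valid)


# Constructed sample export (not real devices): a header row, mixed case and
# stray whitespace, a malformed entry, and one serial listed twice.
SAMPLE_EXPORT = """Serial Number,Model
C02XK1ABCDEF,iPad
 c02xk1abcdef ,iPad
DMPQR23XYZ12,iPhone
DMPQ R23,iPhone
C02XK1ABCDEF,iPad
F9FXYZ1234,iPad
"""

if __name__ == "__main__":
    rep = clean_serials(SAMPLE_EXPORT)
    print(f"valid={len(rep.valid)} duplicates={len(rep.duplicates)} invalid={len(rep.invalid)}")
    if rep.invalid:
        print("review before upload:", rep.invalid)
    print(to_upload_csv(rep), end="")
```

Run it against the real export, review anything listed under invalid (a typo there means a device that never appears in the Admin console), and only then upload the generated file. Assigning a serial that is not yours to your MDM server is not possible from your side, but a mistyped serial that belongs to one of your own unassigned devices will quietly put the wrong device under management.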

Manage company-owned iOS devices

Add a company-owned device to Apple Device Enrollment
To add more devices later, use the same process as in step 4 of the preceding section. For details, see the Apple Device Enrollment documentation.
Note: We strongly recommend that you add devices through a certified reseller and Apple Business Manager or Apple School Manager. When you manually add a device to Apple Business Manager or Apple School Manager, users have the option to leave remote management for 30 days after they enroll. If a user leaves, the device is removed from the company-owned inventory within 24 hours and settings that require supervision are no longer applied. The device is then listed as user owned in the Devices list.
Remove a company-owned device from Google endpoint management
To remove a device from the Devices list in the Google Admin console, go to Apple Business Manager or Apple School Manager and remove the device. On the next sync with Google, the devices list in the Admin console is updated and the device is removed. 
If you delete a device from the Devices list, the management profile is removed from the device. If a user then adds their work account to the device again without a factory reset, the device is enrolled as unsupervised: you have the management capabilities of advanced mobile management, but settings that apply only to supervised devices aren't enforced.
Wipe a device
As with other iOS devices managed with Google endpoint management, you can remove corporate data from the device by using the Admin console. For instructions, see Remove corporate data from a device.
Note: Account wipe behaves the same as device wipe for company-owned iOS devices. The device is reset to factory settings for both actions.

Reassign a device

iOS devices support only one management profile at a time.
To reassign a device:
  1. Delete the device from the devices list.
  2. Factory reset the device.
  3. Have the new user sign in to the device.
To let a user who has a Google Workspace license that doesn't support Apple Device Enrollment use a device that was enrolled, remove the device from Apple Business Manager or Apple School Manager and factory reset it. Then the new user can sign in.
