Mo Zhu
To turn on macOS, iOS, and iPadOS MDM features, follow the instructions on this page to connect Fleet to Apple Push Notification service (APNs).
To use automatic enrollment (also known as zero-touch) features on macOS, iOS, and iPadOS, follow the instructions to connect Fleet with Apple Business Manager (ABM).
To turn on Windows MDM features, head to this Windows MDM setup article.
Apple uses APNs to authenticate and manage interactions between Fleet and hosts.
To connect Fleet to APNs or renew APNs, head to the Settings > Integrations > Mobile device management (MDM) page.
Then click Turn on under the Apple (macOS, iOS, iPadOS) MDM section.
Apple requires that APNs certificates are renewed annually.
- The recommended approach is to use a shared admin account to generate the CSR, so that the certificate can be renewed regardless of any individual's availability.
- If your certificate expires, you will have to turn MDM off and back on for all macOS hosts.
- Be sure to use the same Apple ID from year-to-year. If you don't, you will have to turn MDM off and back on for all macOS hosts.
Available in Fleet Premium
Add your ABM to automatically enroll newly purchased Apple hosts when they're first unboxed and set up by your end users.
To connect Fleet to ABM, you have to add an ABM token to Fleet. To add an ABM token:
When one of your uploaded ABM tokens has expired or is within 30 days of expiring, you will see a warning banner at the top of the page reminding you to renew your token.
To renew an ABM token:
After connecting Fleet to ABM, set Fleet to be the MDM for all Macs:
macOS, iOS, and iPadOS hosts listed in ABM and associated with a Fleet instance with MDM enabled will sync to Fleet and appear in the Hosts view with the MDM status label set to "Pending".
Hosts that automatically enroll will be assigned to a default team. You can configure the default team for macOS, iOS, and iPadOS hosts by:
If no default team is set for a host platform (macOS, iOS, or iPadOS), then newly enrolled hosts of that platform will be placed in "No team".
A host can be transferred to a new (not default) team before it enrolls. In the Fleet UI, you can do this under Settings > Teams.
Available in Fleet Premium
To connect Fleet to Apple's VPP, head to the guide here.
Most organizations only need one ABM token and one VPP token to manage their macOS, iOS, and iPadOS hosts.
These organizations may need multiple ABM and VPP tokens:
For MSPs, the best practice is to have one ABM and VPP connection per client.
The default teams in Fleet for each client's ABM token will look like this:
Client A's VPP token will be assigned to the above teams.
For enterprises that make acquisitions, the best practice is to add a new ABM and VPP connection for each acquisition.
These will be the default teams in Fleet:
Enterprise ABM token:
The enterprise's VPP token will be assigned to the above teams.
Acquisition ABM token:
The acquisition's VPP token will be assigned to the above teams.
Fleet uses SCEP certificates (1 year expiry) to authenticate the requests hosts make to Fleet. Fleet renews each host's SCEP certificates automatically every 180 days.