In Apple Business Manager, navigate to Settings > MDM Servers, create a new MDM server entry, and download the encrypted server token (.p7m file)
Upload the server token to your MDM solution (Intune, Jamf, Workspace ONE, etc.) to establish the ADE trust relationship
Assign devices to the MDM server in Apple Business Manager under Devices; devices can be assigned individually or in bulk by order number
In the MDM console, create an enrollment profile specifying supervision level, Setup Assistant panes to skip, and whether the MDM profile is mandatory or removable
Push the enrollment profile assignment to the MDM server; when an assigned device is activated or erased and reactivated, it fetches the profile automatically from Apple's activation servers
Renew the server token before its annual expiry; downloading a new token from ABM and re-uploading it to the MDM console re-establishes the connection without re-enrolling devices
Known gotchas
Server tokens expire after one year from download; the MDM solution cannot sync device assignments once the token expires — set a calendar reminder well in advance of the expiry date
Only the most recently downloaded token for a given MDM server entry in ABM is valid; if the token is downloaded again (e.g., for troubleshooting), the previous token immediately becomes invalid and must be replaced in the MDM console
Devices must be assigned to an MDM server in ABM before they are activated; activating a device before assignment means ADE enrollment will not trigger automatically and a manual enrollment or factory reset is required
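The two token gotchas above (one-year expiry, and only the most recently downloaded token being valid) can be checked against a token inventory you maintain yourself. This is an added example, not part of the original page or of any MDM vendor's tooling; the record fields, server names, dates and the 30-day warning window are constructed assumptions.

```python
from datetime import date

WARN_DAYS = 30  # assumed reminder window; the page only says "well in advance"

def expiry_of(downloaded: date) -> date:
    """Expiry is one year after download (per the page); Feb 29 rolls to Feb 28."""
    try:
        return downloaded.replace(year=downloaded.year + 1)
    except ValueError:  # downloaded on Feb 29, next year is not a leap year
        return downloaded.replace(year=downloaded.year + 1, day=28)

def audit_token(entry: dict, today: date, warn_days: int = WARN_DAYS) -> str:
    """Classify the token currently uploaded to the MDM console for one ABM server entry."""
    installed = entry["installed_token_downloaded"]
    # Only the most recent download for a server entry is valid, so an older
    # installed token is dead regardless of its expiry date.
    if installed != max(entry["abm_downloads"]):
        return "SUPERSEDED"
    expires = expiry_of(installed)
    if today >= expires:
        return "EXPIRED"
    if (expires - today).days <= warn_days:
        return "EXPIRING"
    return "OK"

def audit_all(inventory: list, today: date) -> dict:
    return {e["server"]: audit_token(e, today) for e in inventory}

# Constructed inventory: every download of a token from ABM is logged, along
# with the download date of the token actually uploaded to the MDM console.
INVENTORY = [
    {"server": "mdm-prod", "abm_downloads": [date(2024, 3, 1)],
     "installed_token_downloaded": date(2024, 3, 1)},
    {"server": "mdm-lab", "abm_downloads": [date(2024, 6, 10), date(2024, 9, 2)],
     "installed_token_downloaded": date(2024, 6, 10)},  # re-downloaded for troubleshooting
    {"server": "mdm-emea", "abm_downloads": [date(2023, 11, 20)],
     "installed_token_downloaded": date(2023, 11, 20)},
    {"server": "mdm-apac", "abm_downloads": [date(2024, 8, 15)],
     "installed_token_downloaded": date(2024, 8, 15)},
]

if __name__ == "__main__":
    for server, status in audit_all(INVENTORY, date(2025, 2, 10)).items():
        print(f"{server}: {status}")
```

A SUPERSEDED result means the token in the MDM console must be replaced with the latest download; EXPIRED and EXPIRING both call for the renewal step described above.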