This guide walks an Apple Business (formerly Apple Business Manager/ABM) Administrator through the one-time setup required to enable Firstbase ABM Verification for your organization. Setup has three parts: creating a least-privilege API role in Apple Business, creating an API account and generating credentials, and submitting those credentials to Firstbase.
Who needs to complete this: An account with the Organization Administrator role in Apple Business (formerly Apple Business Manager/ABM). Regular users and IT staff without this role cannot create API accounts or custom roles in Apple Business.
Note: Verification currently supports organizations with a single ABM/DEP number (ADE, Automated Device Enrollment). If your organization uses multiple numbers, please contact your CSM before proceeding to discuss your setup and provide feedback for a future release.
Step 1: Create the API Role in Apple Business
You will create a custom role that grants Firstbase read-only access to verify ADE (Automated Device Enrollment, formerly DEP) status. Only one permission is needed.
- Sign in to Apple Business at business.apple.com using an account with the Organization Administrator role.
- In the top-right corner, click your organization name to open the menu, then click Settings.
- In the Settings sidebar, under the Settings section, click Roles & Permissions. (Do not confuse this with Access Management further down the sidebar, which manages sign-in methods for human users.)
- Create a new custom role with the following details:
  - Role name: Firstbase Verification
  - Description: Read-only role for Firstbase Verification. Used to query enrollment status only.
- In the role editor, open the Devices tab.
- Under Device Management, enable exactly one permission: "View device management services and add devices with Apple Configurator." Every other permission in Device Management must remain unchecked.
- Leave all permissions under Organization, People, Apps & Services, and Brands unchecked.
- Save the role.
Sanity check: If your role shows any checkmarks beyond the single Devices permission above, uncheck them before continuing. Over-granting permissions is the most common configuration issue and widens the scope of what a compromised credential could access.
For Apple's official instructions on creating a new API role, see:
Create an API account in Apple Business — Apple Support
Step 2: Create the API Account and Generate Credentials
The API account is the service identity Firstbase uses to query Apple Business. It is not a regular user account — it does not consume a Managed Apple ID and cannot sign in to the Apple Business web UI.
- Still in Settings, navigate to the Integrations section in the sidebar and click API.
- Select Add API Account and provide the following details:
  - Account name: Firstbase Verification
  - Description: Read-only API account used by Firstbase to verify ADE (Automated Device Enrollment) status.
- When prompted to assign a role, select the Firstbase role you created in Step 1. Do not select Administrator or any other built-in role.
- Select Generate & Download to generate and download the private key. The file is a .pem file and is shown only once.
- Before navigating away, note down or copy the following values — you will need all three in Step 3:
  - Key ID — a public identifier for the API key.
  - Client ID (sometimes labeled Issuer ID) — the API account identifier.
  - Private Key — the .pem file you downloaded.
Important: Save the .pem file to a secure location (such as your organization's password manager) before navigating away. Apple Business does not allow you to re-display an existing private key. If you lose it, you must delete the API account and create a new one.
Treat the .pem file like a password. Do not email it, paste it into chat or ticket systems, or commit it to source control. Only share it with Firstbase through the secure submission step below.
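Because Apple Business shows the private key only once, it is worth confirming that the copy you saved is intact before you leave the page. The following Go program is an added example, not Firstbase's or Apple's code. It reads a .pem file, checks that it contains exactly one well-formed private-key block with nothing appended or cut off, and reports the key type without ever printing the key material. It uses only the Go standard library and assumes the downloaded key is a PKCS#8-encoded EC key (the usual "-----BEGIN PRIVATE KEY-----" layout); a parseable key of another type is reported rather than rejected. With no argument it checks a key it generates itself, which is constructed for the example and unrelated to any Apple account.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"os"
	"strings"
)

// InspectPrivateKeyPEM confirms that data holds exactly one PEM block with a
// parseable private key and returns a short description of it. The function
// never returns, prints or logs the key material itself.
func InspectPrivateKeyPEM(data []byte) (string, error) {
	block, rest := pem.Decode(data)
	if block == nil {
		return "", errors.New("no PEM block found: the file may be truncated or not a .pem")
	}
	if strings.TrimSpace(string(rest)) != "" {
		return "", errors.New("unexpected data after the PEM block: the file was probably altered when saved")
	}
	var (
		key any
		err error
	)
	switch block.Type {
	case "PRIVATE KEY": // PKCS#8; assumed to be the format of a downloaded Apple Business key
		key, err = x509.ParsePKCS8PrivateKey(block.Bytes)
	case "EC PRIVATE KEY": // legacy SEC 1 encoding, in case another tool re-saved the file
		key, err = x509.ParseECPrivateKey(block.Bytes)
	default:
		return "", fmt.Errorf("PEM block is %q, expected a private key", block.Type)
	}
	if err != nil {
		return "", fmt.Errorf("PEM block present but the key does not parse: %w", err)
	}
	if ec, ok := key.(*ecdsa.PrivateKey); ok {
		return "EC private key on " + ec.Curve.Params().Name, nil
	}
	// Anything else that parsed is reported rather than rejected.
	return fmt.Sprintf("private key of type %T", key), nil
}

// ConstructedSamplePEM generates a throwaway P-256 key in PKCS#8 PEM form so
// the check can be exercised offline. It is constructed for this example and
// has no relationship to any Apple Business account.
func ConstructedSamplePEM() []byte {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	der, err := x509.MarshalPKCS8PrivateKey(k)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})
}

func main() {
	// Usage: go run check_pem.go /path/to/downloaded.pem
	// With no argument the constructed sample key is checked instead.
	var data []byte
	if len(os.Args) > 1 {
		var err error
		if data, err = os.ReadFile(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, "read failed:", err)
			os.Exit(1)
		}
	} else {
		data = ConstructedSamplePEM()
	}
	desc, err := InspectPrivateKeyPEM(data)
	if err != nil {
		fmt.Fprintln(os.Stderr, "check failed:", err)
		os.Exit(1)
	}
	fmt.Println("OK:", desc)
}
```

A failed check means the saved file is not usable: rather than submitting it, delete the API account and create a new one as the note above describes.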
Step 3: Submit Credentials to Firstbase
Once you have the Key ID, Client ID, and .pem file, submit them to Firstbase through the Firstbase platform.
- Sign in to the Firstbase platform.
- Navigate to API & Integrations > Apple ABM API.
- Enter your Key ID and Client ID in the respective fields.
- For the private key, you have two options:
  - Upload the file: Use the file upload button to select your downloaded .pem file directly.
  - Paste the contents: Open the .pem file in a text editor, copy the entire contents, and paste into the PEM field.
- Click Submit.
Firstbase encrypts all three values at rest (AES-256-GCM). Once submitted, the values are masked in the UI. You can update them later by re-entering new values, but the existing values cannot be re-displayed. Firstbase uses the credentials only to query Apple Business for ADE enrollment status and never to add, modify, or remove devices.
Rotating or Revoking Credentials
- To revoke access: Delete the API account in Apple Business (Settings > Integrations > API). This immediately prevents Firstbase from querying Apple Business.
- To rotate credentials: Create a new API account in Apple Business using the same Firstbase role, generate new credentials, submit the new credentials to Firstbase, then delete the previous API account.
Firstbase recommends rotating credentials annually, or whenever an administrator with access to the original .pem file leaves your organization.
How We Protect Your Data
Apple Business controls the device deployment chain for your fleet, so the credentials Firstbase holds on your behalf are sensitive. Verification is designed with the following safeguards:
- Read-only access. The Firstbase role grants only the "View device management services and add devices with Apple Configurator" permission. The service cannot release, retire, reassign, or otherwise modify any device in your Apple Business organization.
- Least-privilege role. The role you create has exactly one permission enabled. Every other device-management permission is disabled.
- Encrypted credentials at rest. Your Key ID, Client ID, and .pem file are encrypted at rest using AES-256-GCM. They are decrypted only in memory at the moment a query runs and are never written to application logs or displayed in the dashboard.
- No write-back to Apple Business. The audit service never creates, modifies, or deletes records in your Apple Business organization. All remediation actions are performed by you or by Firstbase Operations directly in Apple Business.
- Internal-only tool. Verification is an internal Firstbase Operations tool. Access is restricted to authorized Firstbase staff via SSO with role-based permissions. Your stored credentials are never displayed in the UI, even to Firstbase staff.
- Audit trail. Every audit run is logged with a timestamp and the operator (or "system" for automated runs), supporting operational accountability and incident review.
- Encrypted infrastructure. The service runs on managed cloud infrastructure with encryption in transit (TLS) and at rest. Secrets are stored in an encrypted configuration store, not in source code.
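As an added illustration of the at-rest handling described above and in Step 3 (AES-256-GCM encryption, masking in the dashboard, decryption only in memory while a query runs), the following Go program is example code, not Firstbase's implementation, and uses only the standard library. It binds each ciphertext to the organization it belongs to as GCM additional data, so a blob cannot be replayed under another organization's record, zeroes the decrypted buffer as soon as the query callback returns, and keeps only a masked hint in the clear. The key-encryption key, organization identifier and credential values are constructed placeholders.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// Credential is one stored value: a masked hint in the clear, the value itself only as AES-256-GCM ciphertext.
type Credential struct {
	Hint string
	Blob []byte // nonce || ciphertext
}

// newGCM insists on a 32-byte key so the mode is always AES-256-GCM.
func newGCM(kek []byte) (cipher.AEAD, error) {
	if len(kek) != 32 {
		return nil, errors.New("AES-256-GCM needs a 32-byte key")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal uses a fresh random nonce per call (reuse under one key breaks GCM) and
// binds the ciphertext to aad, so a blob moved to another organization's record will not decrypt.
func seal(kek, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key, wrong aad or any modified byte fails the tag check.
func open(kek, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Mask keeps only the last four characters: enough to recognise which credential is on file, never enough to reuse it.
func Mask(s string) string {
	if len(s) <= 4 {
		return strings.Repeat("*", len(s))
	}
	return strings.Repeat("*", len(s)-4) + s[len(s)-4:]
}

// Store encrypts one submitted value (Key ID, Client ID or .pem contents) for orgID.
func Store(kek []byte, orgID, value string) (Credential, error) {
	blob, err := seal(kek, []byte(value), []byte(orgID))
	if err != nil {
		return Credential{}, err
	}
	return Credential{Hint: Mask(value), Blob: blob}, nil
}

// Use decrypts a value only for the duration of fn and zeroes the buffer afterwards;
// the plaintext is never returned, logged or re-displayed.
func Use(kek []byte, orgID string, c Credential, fn func(plaintext []byte) error) error {
	pt, err := open(kek, c.Blob, []byte(orgID))
	if err != nil {
		return fmt.Errorf("stored credential unreadable: %w", err)
	}
	defer func() {
		for i := range pt {
			pt[i] = 0
		}
	}()
	return fn(pt)
}

// ConstructedKEK stands in for a key-encryption key that in production comes from a KMS or encrypted configuration store, never from source code.
var ConstructedKEK = func() []byte { s := sha256.Sum256([]byte("example-only KEK")); return s[:] }()

func main() {
	// Constructed sample values; real ones come from Apple Business in Step 2.
	keyID, _ := Store(ConstructedKEK, "org-0001", "KEYID0000EXAMPLE")
	pem, err := Store(ConstructedKEK, "org-0001", "-----BEGIN PRIVATE KEY-----\nEXAMPLE\n-----END PRIVATE KEY-----\n")
	if err != nil {
		panic(err)
	}
	fmt.Println("dashboard shows Key ID as", keyID.Hint)
	err = Use(ConstructedKEK, "org-0001", pem, func(p []byte) error { fmt.Println("in memory:", len(p), "bytes"); return nil })
	fmt.Println("query could use the key:", err == nil)
	fmt.Println("same blob under org-0002 fails:", Use(ConstructedKEK, "org-0002", pem, func([]byte) error { return nil }) != nil)
}
```

The design point is that nothing outside Use ever sees the decrypted value: the Apple Business query would be signed inside the callback, and the error returned on a wrong key, wrong organization or tampered blob carries no plaintext, so it is safe to log.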
Need Further Assistance?
If you have questions about the setup process, contact your Customer Success Manager (CSM) or Operations Success Manager (OSM). For technical issues with Apple Business enrollment or to request an on-demand audit, reach out via your normal Firstbase support channel.