ABM, ABE, and Business Connect Are Gone — Welcome to Apple Business

The new unified Apple Business portal is live — here’s everything that changed and what IT admins need to do right now.

If you logged into Apple Business Manager today and found yourself staring at a completely new portal — you’re not alone. Apple has officially retired Apple Business Manager (ABM), Apple Business Essentials (ABE), and Apple Business Connect (ABC) and merged them into a single, unified platform simply called Apple Business.

This isn’t just a facelift. It’s a fundamental rethink of how Apple wants businesses to interact with its ecosystem. Let me walk you through every section of the new portal, what’s changed, and what you need to do as an IT admin.

First things first — before you can do anything in the new portal, you’ll be prompted to accept the updated Terms & Conditions. This is mandatory. Until you do, you won’t be able to access any features. Portal URL: business.apple.com


So What Exactly is Apple Business?

Apple is positioning this as two sides of the same coin — Run your business and Grow your business — all from one portal.

The “Run” side is what IT admins have been doing in ABM for years, but expanded. Device management, Automated Device Enrollment, app and book distribution, Managed Apple Accounts, identity provider integration — it’s all here. But Apple has added layers on top: built-in MDM with Blueprints and Configurations, professional email on your own domain, calendar services, an organization directory, iCloud storage for employees, and AppleCare+ for Business — all managed from the same dashboard.

The “Grow” side is what used to live in Apple Business Connect, now absorbed into the same portal. Brand identity management, Maps place cards, showcases, Tap to Pay on iPhone, Branded Mail, and location insights. This is the customer-facing, marketing-adjacent side of the platform.

For IT admins, the “Run” side is home turf. The “Grow” side is the new neighbour you didn’t ask for but need to acknowledge — because someone in your org is going to need access to it, and they’ll be coming through the same portal you manage.

What Devices Are Covered?

The full Apple fleet: iPhone, iPad, Mac, Apple TV, Apple Watch, and Apple Vision Pro. Yes — Vision Pro is now part of the managed device family in Apple Business.

What’s Actually New vs. Migrated?

Let’s be clear about what’s genuinely new versus what’s just been relocated:

Genuinely new:

  • Built-in MDM with Blueprints and Configurations (previously a paid ABE feature, now free)
  • Professional email, calendar, and directory services on your own domain
  • Ads on Apple Maps (U.S. and Canada)
  • Unified brand management across Maps, Wallet, Mail, and Payments in one place

Migrated (same capability, new home):

  • Automated Device Enrollment (ADE) — your tokens and server assignments carry over
  • App and book license management (formerly VPP/Apps & Books)
  • Managed Apple Accounts and IdP federation (Entra ID, Google Workspace, etc.)
  • Device assignments and supplier management
  • Brand profiles and location data from Business Connect

No longer charged:

  • Built-in device management was a paid subscription under ABE. That monthly fee is gone as of April 14.

The Welcome Modal

When you first land on the portal, a welcome modal pops up summarising three things Apple Business helps you do:

  1. Reach and Engage Customers — Manage and promote locations on Maps and display your brand across Apple
  2. Manage and Secure Devices — Set up devices, distribute apps, and get IT support for your team
  3. Assign and Configure Accounts — Provide employees with access to the services they need

Hit Continue, accept the T&Cs, and you’re in.

What’s Next

In the following parts of this series, I’ll walk through each section of the portal (Home, People, Devices, Apps & Services, Brands, and Ads) and how to configure the new features.


Apps & Services: What’s Actually New

I’m going to skip covering the ABM setup process, federation with Microsoft Entra ID, and Managed Apple Account configuration in this post — there are no major changes there, and I’ve covered those extensively in previous blog posts. If you need a refresher, check out my earlier write-ups on intuneirl.com.

Let’s talk about what’s changed in Apps & Books — and what hasn’t.

Your App Workflow Isn’t Broken

If you’ve been buying app licenses through ABM and pushing them via Intune (or any MDM), breathe easy. The core workflow is intact: purchase licenses, assign to devices or users, MDM handles installation. Revoke, reassign, repeat. Your existing licenses and assignments have migrated.

But the section has a new name, a new home, and some significant new capabilities worth understanding.

What’s Changed

1. It’s “Apps & Services” now — not just “Apps & Books”

In the old ABM, app license management was its own world. Now it sits under the broader Apps & Services tab in the top navigation, alongside email setup, iCloud storage, and AppleCare+. Apple has bundled everything your employees consume into one section.

The navigation path to get to app licenses is now Apps & Services → Apps and Books → App Store. Minor, but worth knowing so you’re not hunting around the new UI.

2. “Content Tokens” replace “VPP Tokens”

Same mechanism, new name. Your VPP tokens from ABM are now called content tokens. They should have migrated automatically, but go verify — a lapsed or broken token means your app deployments silently stop working. If you’re using Intune, check your Apple VPP token status in the Intune admin center and cross-reference with what shows in Apple Business.

3. Organizational Unit Assignment at Purchase Time

When you buy app licenses in the Store, you now choose which Organizational Unit to assign them to via a dropdown. In my case, the options are “Apple Business”, “AURICLE TECHNOLOGIES PRIVATE LIMITED”, and “IRL”.

This matters because where you assign the license determines which management path the app takes. Assign to an OU linked to your external MDM (Intune) and the licenses flow through Intune’s app management. Assign to “Apple Business” and the app appears in Apple’s built-in MDM under Managed Apps.

The Manage Licenses section below the purchase area also shows you per-OU breakdowns — how many licenses are In Use vs. Available, with a Transfer option to move licenses between OUs.

4. Managed Apps — A New Section Under Devices

This is new and easily missed. Managed Apps lives under Devices → Built-in Management → Managed Apps — not under Apps & Services. Apps only show up here when they’re assigned to “Apple Business” (the built-in MDM) at purchase time.

When you select a managed app, you get four tabs:

  • Overview: a summary dashboard showing Blueprint status, install status (Installed / Updates Pending / Failed), and license counts (Assigned / Available / Needed). The overview also surfaces rich app metadata: Source, Developer, Price, Bundle ID, File Size, Latest Version, System Requirements, and even Login and Background Items behaviour — flagging whether the app is configured to prevent users from disabling background items.
  • Install Status — real-time tracking of app installations across your fleet. This is the native monitoring capability I mentioned earlier — your second source of truth alongside Intune’s reporting. Useful when troubleshooting app deployment failures and figuring out whether the issue is on the Apple side or the MDM side.
  • Configuration — this is where you choose how the app gets installed on devices. This only affects organization-owned devices assigned to users through Blueprints.
    • Automatic — the app installs silently as soon as it’s assigned to a device. Important: on iPhone and iPad, users cannot remove automatically installed apps. Use this when you need to guarantee the app stays on the device.
    • Manual — the app becomes available for users to download themselves through the Apple Business companion app.
  • Licenses — track license assignments per device and per user. Until the app is added to a Blueprint, this tab shows an empty state directing you to Blueprints.

5. Blueprints Are Central to Everything

Every tab in Managed Apps points back to Blueprints. App configuration, license tracking, deployment — it all flows through Blueprints. If you’re using Apple’s built-in MDM, Blueprints aren’t optional — they’re the deployment vehicle. There are limits: up to 1,000 licenses per purchase and up to 100 apps per Blueprint. For most organisations this won’t be an issue, but if you’re heavy on app deployment, plan your Blueprint structure around this cap.

I’ll cover Blueprints in detail in a later part of this series.

What Hasn’t Changed

The fundamentals are the same: device vs. user assignment logic, books only assignable to users (and non-revocable), in-app purchases still incompatible with volume purchasing, Custom Apps workflow unchanged, free apps still require acquiring a $0 license, and apps are still removed when a user unenrolls from device management.

The in-app purchase gap is the one that never closes. If an app relies on a subscription to unlock full functionality, you still can’t buy that centrally. Some developers offer a separate enterprise version as a Custom App — worth asking your vendors.


Built-in Device Management: Apple’s Own MDM

What We’re Skipping

Device workflow, enrollment methods, device suppliers, viewing device information, order progress reports, and Apple Configurator enrollment all work largely the same way as in ABM. If you’ve been using those, carry on.

One distinction Apple now makes explicit in the new docs:

  • Device Enrollment — devices enrolled by the user after Setup Assistant completes
  • Automated Device Enrollment (ADE) — devices enrolled at Setup Assistant automatically

Your ADE workflow and token relationship with Intune haven’t changed. What HAS changed is the addition of Apple’s own MDM alongside it.

What’s Actually New: Built-in Device Management

Apple Business now ships with a built-in device management service — native to the portal, free, and available in 200+ countries. This is essentially ABE’s capabilities folded into the core platform.

A detail worth calling out from Apple’s docs: it’s powered by Declarative Device Management (DDM). Apple explicitly frames DDM as giving “organizations more confidence that devices are in the desired state and that essential data is kept secure, even without internet connectivity.” For those of us who’ve been watching DDM mature since WWDC ’21, this is Apple putting its own MDM forward as a first-class DDM citizen.

Turning It On

Built-in Device Management is opt-in. It doesn’t activate automatically when you log into Apple Business. The flow:

  1. Go to Devices → Management Services
  2. Select Add new device management service
  3. Choose Turn on included device management → Continue
  4. Optionally, create your first Blueprint right there, or skip and come back to it later

Turning It Off (Gotchas)

You can turn it off via the same Management Services screen. Two things to know:

  • If you have an AppleCare+ for Business plan, you must remove it before turning off Built-in MDM. Something to be aware of if you’re evaluating Built-in as a pilot and planning to revert.
  • When turning off, you choose: reassign devices to another service (external MDM), or unassign them entirely before the service is deleted

External MDM — Still Fully Supported

Apple Business supports connecting to more than one external MDM and assigning devices to different services as needed. Useful for mixed environments — maybe Intune for corporate-owned iPhones, Jamf Pro for your creative team’s Macs. Both coexist in the same Apple Business account.

Linking an External MDM

The flow from Apple’s docs:

  1. Devices → Management Services
  2. If this is your first service: Get Started. If you already have one: Connect external device management → Continue
  3. Enter a unique name for the service (can’t be “Unassigned” or “Reassigned”)
  4. Upload the public key certificate file (.pem or .der) — get this from your MDM vendor
  5. Click Download Service Token
  6. Upload that token into your MDM (follow your MDM vendor’s docs)
  7. Repeat for any additional MDMs

Apple’s limit: up to 250 public key certificate files across all linked services.

Apple calls out an important scenario in the docs: if an external MDM goes offline (network issue) rather than being deleted, devices continue using the last known management configuration until you assign them to a new service OR erase and reactivate them. So a dead MDM doesn’t immediately unmanage devices — but it does leave them in limbo until you act.


Configurations Deep Dive: Intro, Security & Core Admin

Configurations is Apple’s new take on configuration profiles. Instead of hand-crafting .mobileconfig files, Apple ships a curated library directly in the portal.

The Configurations screen is organised into five tabs:

  • Recommended — the starter set (Application Layer Firewall, FileVault, Password and Screen Unlock, Software Update, VPN, Wi-Fi)
  • Security — encryption, firewall, password, authentication
  • Network — Wi-Fi, VPN, AirPrint, Content Caching, Web Filter
  • Personalization — Apple Intelligence & Siri, Lock Screen, Web Clips, Energy Saver
  • All Configurations — the full catalogue

Each card clearly shows which platforms it applies to — macOS, iOS, tvOS, visionOS. Wi-Fi applies to all four. FileVault is Mac-only. Password and Screen Unlock covers macOS, iOS, and visionOS.

The full list of configuration types Apple ships: AirDrop, AirPlay, AirPrint, App Access, Apple Intelligence & Siri, Application Layer Firewall, Certificate, Content Caching, Custom, Data Management, Energy Saver, FileVault, Gatekeeper, iCloud, Lock Screen, Password and Screen Unlock, Software Update, VPN, Web Clip, Web Filter, Wi-Fi. The Custom option is the escape hatch for advanced use cases where you need to push a raw profile payload not covered by the built-in templates.

Intro to Configurations

Configurations are Apple Business’s take on configuration profiles — pushed through Blueprints to devices enrolled in Built-in Device Management. Each configuration targets specific operating systems: iOS (includes iPadOS), macOS, tvOS, visionOS, or a combination.

Two important concepts:

Multiple configurations — some configuration types allow you to deploy more than one to a device through Blueprints. Example: you can have one Wi-Fi configuration for your head office and another for your remote site, and users who travel between them get both.

Single configurations — others, like Application Layer Firewall, allow only one active configuration per device. You can still create multiple, but you must set a priority before they’ll save. This is Apple’s way of saying “two firewalls with conflicting rules can’t both win — pick a winner.”

All configurations follow the same creation path: Devices → Configurations → All Configurations → Add [configuration type] → name it → pick platforms → set options → Save.

Let’s dig into the Security-focused and core admin configurations.

FileVault 

FileVault is macOS’s built-in full-disk encryption, and Apple Business’s FileVault configuration gives you centralised enforcement AND centralised recovery key escrow. This is one of the most operationally important configurations in the entire platform, so it deserves its own section.

What FileVault Actually Does

FileVault encrypts everything at rest on a Mac. Once enabled, a user’s credentials are required at startup. Combined with Mac hardware security, it delivers four key outcomes:

  • Requires user password for decryption
  • Protects the OS from brute-force attacks against storage media physically removed from the Mac
  • Enables swift secure wipe via deletion of cryptographic material (not the actual files)
  • Lets users change passwords without re-encrypting the entire volume

That last one matters more than it sounds. Without FileVault’s cryptographic abstraction, a password change would mean re-encrypting hundreds of gigabytes. With it, only the key protecting the volume gets re-encrypted — a near-instant operation.

The Recovery Key Model — Know This Before You Deploy

Apple Business uses asymmetric encryption for FileVault recovery keys. Here’s the mental model:

  1. You generate an encryption certificate (public key) + a matching RSA private key
  2. Upload the certificate to Apple Business
  3. When a Mac enables FileVault, its recovery key is encrypted using your public key before being stored in Apple Business
  4. To recover a device, you download the encrypted recovery key, then decrypt it locally using your private key

The critical implication: Apple Business stores encrypted recovery keys but cannot read them. The private key lives with you. Lose the private key, lose the ability to recover any device encrypted with its matching certificate.

Apple explicitly recommends using a password manager to share the private key with other Organization Administrators. Do not email it. Do not drop it in a shared network folder. Treat it like the root CA private key it effectively is.

Certificate Rotation Nuances

Two things you need to internalise:

Old keys still matter. When you upload a new encryption certificate, recovery keys created from that point forward are encrypted with the new certificate. But existing recovery keys are NOT re-encrypted. To decrypt an old recovery key, you still need the old private key. Archive old private keys indefinitely — don’t throw them away on rotation.

Only one certificate is “active.” Once you upload a new cert, the previous one stops being used for new encryption operations. But it’s still needed for historical decryption.

Creating an Encryption Certificate

Apple provides a terminal one-liner in the docs. The script generates both the certificate and the private key in ~/Documents/, with a random 8-character ID to distinguish pairs:

Two files drop into Documents:

  • FileVaultKeyEncryptionCert_[id].pem — the certificate (upload to Apple Business)
  • FileVaultKeyEncryptionPrivateKey_[id].pem — the private key (keep SAFE)

Note: the certificate is valid for 36,500 days (100 years). That’s effectively “never expires.” Your private key safety matters more than certificate rotation.

Bring-your-own certificate: if you prefer generating your own, Apple requires a PEM-encoded certificate with an RSA public key of at least 2048 bits.
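
The bring-your-own path and the rotation advice above, as an added shell example (not Apple's documented one-liner and not code from the original post): it generates a PEM certificate with an RSA 2048-bit key, checks a certificate against the stated upload requirement, and finds which archived private key pairs with a given certificate. The function names and the certificate subject are assumptions of this example; the file names follow the pattern listed above.

```shell
#!/bin/sh
# Added example: prepare and check a FileVault recovery-key encryption pair.
# Function names and the certificate subject are this example's own choices.
# Requires the openssl command-line tool.

# Create one key pair in directory $1 and print its 8-character ID.
new_fv_pair() {
    nfp_dir=$1
    nfp_id=$(openssl rand -hex 4) || return 1
    (
        umask 077   # the private key is written unencrypted: owner-only files
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 36500 \
            -subj "/CN=FileVault Recovery Key Encryption $nfp_id" \
            -keyout "$nfp_dir/FileVaultKeyEncryptionPrivateKey_$nfp_id.pem" \
            -out "$nfp_dir/FileVaultKeyEncryptionCert_$nfp_id.pem" 2>/dev/null
    ) || return 1
    printf '%s\n' "$nfp_id"
}

# Print the RSA key size of certificate $1. Fails unless the file is a
# PEM-encoded certificate carrying an RSA public key.
cert_rsa_bits() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || return 1
    crb_text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 1
    printf '%s\n' "$crb_text" |
        grep -q 'Public Key Algorithm: rsaEncryption' || return 1
    crb_bits=$(printf '%s\n' "$crb_text" |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    [ -n "$crb_bits" ] || return 1
    printf '%s\n' "$crb_bits"
}

# Succeed only if certificate $1 is PEM, RSA, and at least 2048 bits.
# An optional $2 raises the minimum for stricter local policy.
cert_ok_for_upload() {
    cok_bits=$(cert_rsa_bits "$1") || return 1
    [ "$cok_bits" -ge "${2:-2048}" ]
}

# Succeed if private key $1 is the partner of certificate $2.
# "-passin pass:" makes a passphrase-protected key fail instead of prompting.
key_matches_cert() {
    kmc_a=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    kmc_b=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kmc_a" ] && [ "$kmc_a" = "$kmc_b" ]
}

# Print the archived private key in directory $2 that pairs with certificate
# $1. After a rotation, this is the key needed for recovery keys that were
# escrowed while that certificate was the active one.
find_key_for_cert() {
    for fkc_key in "$2"/FileVaultKeyEncryptionPrivateKey_*.pem; do
        [ -f "$fkc_key" ] || continue
        if key_matches_cert "$fkc_key" "$1"; then
            printf '%s\n' "$fkc_key"
            return 0
        fi
    done
    return 1
}

# Optional demonstration: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo_dir=$(mktemp -d) || exit 1
    demo_id=$(new_fv_pair "$demo_dir") || exit 1
    demo_cert="$demo_dir/FileVaultKeyEncryptionCert_$demo_id.pem"
    cert_ok_for_upload "$demo_cert" && echo "OK to upload: $demo_cert"
    echo "Pairs with: $(find_key_for_cert "$demo_cert" "$demo_dir")"
fi
```

Running `find_key_for_cert` against each certificate you have ever uploaded is a quick audit that no archived private key has gone missing.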

Uploading the Certificate

The upload isn’t where you’d expect it. It lives under Devices → Management Services → Built-in device management → Upload File, not inside the FileVault configuration itself. Select the cert .pem, upload, Save.

Gotcha: if you’ve already assigned a FileVault configuration through a Blueprint before uploading your first encryption certificate, the configuration applies to all assigned users and Macs immediately when the certificate goes live. Plan the certificate upload BEFORE you roll FileVault out broadly, unless you want a fleet-wide trigger.

  • Step 1 — Configurations catalogue. Navigate to Devices → Built-in Management → Configurations → All Configurations → Select FileVault
  • Step 2 — Choose Type → Configure. Rename it to something meaningful right here (e.g. “FileVault — Corporate Macs”).
  • Step 3 — Save.

That Blueprints message is important — creating a configuration doesn’t deploy anything. Until you add this configuration to a Blueprint and apply that Blueprint to devices, nothing happens on any Mac. Configurations are inert on their own.

Intune Admin Reality Check

If you’re running Intune for your Macs today, you’re escrowing FileVault keys to Intune. Do not run FileVault policies in BOTH Intune and Apple Business’s Built-in MDM simultaneously — that’s a recipe for one of them silently failing. Pick one MDM per device for FileVault enforcement.

If you’re evaluating Built-in MDM as a potential replacement or for a subset of your fleet (kiosks, retail, executive devices), FileVault’s model here is cleaner than Intune’s in some ways:

  • Apple Business never sees your keys unencrypted (zero-knowledge model)
  • Certificate rotation is straightforward
  • CSV export for fleet-wide recovery is a real time-saver for bulk operations

But: the private key management is entirely on you. Intune handles this for you transparently. This is a trade-off — more control, more responsibility.

Gatekeeper

Gatekeeper ensures only trusted software runs on Mac. Your Gatekeeper configuration locks down the app source policy across your fleet.

Options:

  • App Store only — only apps downloaded from the App Store can run
  • App Store and identified developers — apps from the App Store plus developers registered and notarized by Apple
  • Apps from anywhere — any app can launch, regardless of origin

You can also choose whether to allow users to use the Finder contextual menu to open apps that Gatekeeper would normally block — the “Right-click → Open” bypass. For most organisations, disable this.

Permission note: the Gatekeeper configuration requires the Organization Administrator role to create. Most other configurations allow a lesser “create, edit, and delete device configurations” permission, but Gatekeeper is elevated.

Application Layer Firewall (macOS only)

Turns on the macOS firewall at application level.

Two options:

  • Block all incoming connections — blocks everything except basic network/internet services (DHCP, Bonjour, IPsec). Disables connections to sharing services.
  • Stealth mode — Mac won’t respond to probing requests. Authorised apps still work, but unauthenticated requests like ping get no response.

This is why Application Layer Firewall is a single-configuration-per-device type — you can create multiple, but only one can be active, and conflicts get resolved by priority.

Password and Screen Unlock

Sets passcode/password requirements across iOS/iPadOS, macOS, and visionOS.

Certificate

Push root or intermediate certificates to devices (iOS/iPadOS, macOS, visionOS).

Important:

  • Apple Business accepts certificates in PEM (.pem) format only
  • Certificates generally expire after one year — Apple explicitly recommends setting a reminder for 11 months after certificate creation to renew or replace
  • Certificates are used for FileVault recovery key encryption, website validation, network access, signing and encrypting mail, and more

Real-world note: if you’ve been managing certs through Intune SCEP/PKCS profiles, this gives you a parallel path for Built-in MDM environments. Don’t try to run both in parallel on the same device — you’ll create cert collisions.

Certificate is a multiple configuration type, so you can deploy a chain of root + intermediates as separate configurations.

Covering every configuration is beyond the scope of this post. Apple Business ships with 21 configuration types across four categories:

Security — FileVault (covered in depth above), Gatekeeper (app source policy, Org Admin gated), Application Layer Firewall (macOS firewall, doesn’t apply to personal devices), Password and Screen Unlock, Certificate (PEM only, 1-year expiry reminder), Software Update, Apple Intelligence & Siri, Data Management, App Access

Network — Wi-Fi (Pre-shared key or EAP-TTLS), VPN (L2TP over IPsec or Cisco IPsec), AirPrint, Content Caching, Web Filter (up to 100 blocked URLs, doesn’t apply to personal devices)

Personalization — AirDrop, AirPlay (including Conference Room Display for Apple TV), Energy Saver, iCloud, Lock Screen, Web Clip

Custom — .mobileconfig upload for payloads not covered by built-in templates (under 1MB)

Each configuration is either Single (one active per device — like FileVault, Gatekeeper, Firewall) or Multiple (stack several — like Wi-Fi, VPN, Certificate, Custom).

Two things worth flagging for Intune admins:

  1. Apple Intelligence & Siri is brand new and important for GenAI governance — covers Genmoji, Image Playground, Writing Tools, Mail/Safari summaries, Private Cloud Compute reports, and on-device-only translation enforcement. If you have data residency concerns, this is where you lock it down.
  2. Software Update has a legacy warning: any Software Update configuration created before February 15, 2024 is supported but can’t be edited. Old ABE/VPP-era policies are effectively frozen — you’ll need to recreate.

Now the interesting part: configurations do nothing on their own. They need Blueprints.


Blueprints: Where It All Comes Together

The Core Concept

A Blueprint is a bundle of apps + configurations that gets assigned to users, user groups, or devices. This is Apple’s deployment vehicle — think of it like an Intune assignment group crossed with a configuration policy set.

The key insight: “If a user replaces their Mac, the app is pushed down again and the firewall configuration is configured on their new Mac.” Blueprints follow the user (or group), not the device. Replace hardware, the Blueprint re-applies automatically.

Three Blueprint Templates

When you create a new Blueprint, Apple offers three starting points:

  • Blueprints for users — manage user devices with recommended defaults
  • Blueprints for service devices — set up kiosks, conference rooms, shared iPads, sign-in stations
  • Create your own Blueprint — start from scratch, customise everything

The first two are templates with sensible presets. The third is a blank canvas.

Assignment Targets

Three ways to assign:

  • User groups — all users in the group get the Blueprint across all their devices
  • Individual users — Blueprint follows the user
  • Devices directly — for unassigned devices like iPad kiosks, shared sign-in stations, or Apple TV in a conference room (supported on iPhone, iPad, Mac, Apple TV)

When a user leaves a group or a Blueprint is removed: apps associated with the Blueprint are removed, and configurations revert to default state. Clean removal, no manual cleanup.

Conflict Resolution — The Critical Part

This is where Blueprints get tricky, and it’s where you’ll spend real time as an admin.

Case 1 — Single-configuration conflicts. You can only have one Application Layer Firewall configuration active on a device. If you add a second Firewall configuration to a Blueprint that already has one, Apple Business asks you to resolve the conflict before the Blueprint saves. If a device ends up with multiple Blueprints carrying conflicting single-configurations, you set a priority to decide which wins.

Case 2 — Blueprint-level conflicts. Two Blueprints with opposing settings — one says “firewall on,” another says “firewall off” — get flagged at Blueprint update time. You must resolve before saving.

Combined Configurations — Where Behaviour Stacks

For multiple-configuration types (Wi-Fi, VPN, Certificate, Custom, AirPrint, Web Clip), Blueprints combine instead of conflicting. Example from the docs: a user in two Blueprints, each with a different Wi-Fi configuration, sees both Wi-Fi networks on their device. Useful for travel — home office + remote site Wi-Fi both get deployed.

This behaviour also applies to app assignments. User in two groups, both Blueprints push the same app? Apple Business deploys it once and consumes one license. No double-licensing, no duplicate installs.

License Awareness

Apple Business alerts you if a Blueprint’s app assignments exceed your license count, but doesn’t block the assignment. You can still assign — you just need to get more licenses before the apps actually install. Worth monitoring as your user groups grow.

The Core Workflow

Creating a Blueprint (Devices → Blueprints → Add):

  • Set default configurations
  • Add apps
  • Add user groups, users
  • Create Blueprint

Editing: select Blueprint → edit People / Devices / Configurations / Apps tabs individually → Save.

Deleting: deletion removes all associated apps from devices and reverts configurations to default state. Apple requires you to tick “I understand that this cannot be undone” before confirming. This is a destructive action — plan carefully.

Intune Admin Translation

If you’re coming from Intune, here’s a rough mental mapping:

The biggest philosophical difference: Blueprints are explicit bundles. In Intune, you assign individual profiles and apps to groups separately, and they get delivered based on group membership. In Apple Business, you explicitly package apps + configurations together into a named Blueprint, then assign that bundle.

Whether that’s better or worse depends on your org. For small/mid businesses, the bundling is simpler to reason about. For complex enterprises with dozens of overlapping policies, the Intune model gives you finer granularity.

Practical Patterns

Some patterns I’d suggest testing:

  • Baseline Blueprint — applies to everyone: basic security configs (Password & Screen Unlock, Software Update), org root certificate, corporate Wi-Fi
  • Role-based Blueprints — Marketing gets design apps + Adobe root cert; Finance gets restricted apps + stricter password policy
  • Service Device Blueprints — conference room Apple TV with AirPlay + Conference Room Display; retail iPads with App Access in Allowed Apps mode
  • FileVault Blueprint — separate Blueprint for Macs requiring encryption, assigned to corporate-owned Mac user group (not BYOD)

Keep Blueprint count manageable. The docs don’t publish a hard limit, but every Blueprint assigned to the same user stacks configurations — too many and you’ll end up debugging priority conflicts instead of managing devices.


Wrapping Up

That’s the end of this post. To recap what we’ve covered:

  • Part 1 — the new Apple Business portal, what it replaces (ABM + ABE + Business Connect), and the unified Run/Grow split
  • Part 2 — Apps & Services (renamed from Apps & Books), Content Tokens, Managed Apps, plus new neighbours like Email, iCloud Storage, and AppleCare+
  • Part 3 — Built-in Device Management, the new free Apple-native MDM powered by DDM, and how it coexists with external MDMs like Intune
  • Part 4 — Configurations: the 21 types across Security, Network, Personalization, with a full deep-dive on FileVault (recovery key model, certificate rotation, decryption workflow)
  • Part 5 — Blueprints: how configurations, apps, and assignments come together

What’s Coming in the Next Post

I’ll cover the remaining pieces:

  • Managed Apps — install status, license tracking across Blueprints
  • macOS Packages — the new native package deployment engine
  • People section and Shared iPad
  • Apply Blueprints at scale — migration patterns from existing MDM
  • Sign out, lock, erase flows

The Bottom Line for Intune Admins

Apple Business Built-in MDM isn’t replacing Intune for complex enterprises anytime soon. But the fact that it’s free, native, DDM-first, and available in 200+ countries changes the conversation for:

  • Small/mid businesses evaluating their first MDM
  • Enterprises piloting DDM patterns before rolling them into Intune
  • Mixed environments where kiosks, retail, or executive fleets could move to Built-in while the main workforce stays on Intune

Apple’s signal is clear: they want Built-in MDM to be the default starting point for Apple device management. Whether you adopt it or not, understanding it matters — because your vendors, your auditors, and your users will all start expecting feature parity around what Built-in offers.

Try it in a test tenant. See how Blueprints feel. Compare the FileVault recovery model to what you have today. Then decide what role, if any, Built-in MDM plays in your stack.


Stay tuned for Part 2 — Managed Apps, macOS Packages, and the rest.

Categories: Intune, ABM, Apple Business Manager, iOS-iPadOS, Jamf, macOS
