From 1c17bbbb984aa19df9aba476e0a10564797d9fa1 Mon Sep 17 00:00:00 2001 From: Mike Swanson Date: Tue, 26 May 2026 17:15:07 -0700 Subject: [PATCH] docs(lonestar): Apple MDM setup reference from Syncro data Reference doc for enrolling Lone Star's iPhone (#32251) + iPads into the existing ManageEngine (Zoho) MDM. Pulled Syncro customer/ticket data, flagged APNs cert prerequisite and the 2026-03-24 self-enrollment caveat. Co-Authored-By: Claude Opus 4.7 (1M context) --- .../docs/apple-mdm-setup-reference.md | 87 +++++++++++++++++++ 1 file changed, 87 insertions(+) create mode 100644 clients/lonestar-electrical/docs/apple-mdm-setup-reference.md diff --git a/clients/lonestar-electrical/docs/apple-mdm-setup-reference.md b/clients/lonestar-electrical/docs/apple-mdm-setup-reference.md new file mode 100644 index 0000000..e27d8fd --- /dev/null +++ b/clients/lonestar-electrical/docs/apple-mdm-setup-reference.md 
@@ -0,0 +1,87 @@ +# Lone Star Electrical — Apple MDM Setup Reference + +**Compiled:** 2026-05-27 (GURU-5070) for upcoming work on the Mac +**Goal:** Enroll Lone Star's Apple devices (iPhone + iPads) into the **existing ManageEngine MDM (Zoho)** tenant — the same MDM already managing their Android tablets. Not Apple Business Manager. + +--- + +## Syncro reference (pulled 2026-05-26/27) + +- **Customer:** Lone Star Electrical Systems LLC — Syncro ID `33809612` +- **Contract:** Prepaid hour block — **17.25 hrs** remaining (live-check `GET /customers/33809612` before billing) +- **Address:** 3774 North Warren Avenue, Tucson, AZ 85719 +- **Main phone:** 520-248-8436 +- **Primary contact:** Robin Eneix — robine@lonestarelectrical.net, 520-248-8436 (AZ ROC #318060 CR-11). Office manager / billing + scheduling contact. +- **On-file Syncro asset (1):** Dell XPS 8940 desktop, Service Tag `1599kd3` (not Apple — listed for completeness) + +--- + +## Apple device fleet (derived from tickets — Syncro asset records are incomplete) + +| Device | Source ticket | Status / notes | +|---|---|---| +| iPhone (1) — field phone | #32251 (open, Customer Reply) | Dropped off **2026-05-05** to "set up for use in the field." **Their first iPhone** — prior field phones were Android, which is why standard setup stalled. Ticket #32292 ("Cell Phone") merged in. **This is the trigger for Apple MDM.** | +| iPads | #31696 (2025-12-01, resolved) | iPad setup completed Dec 2025. Count/models [verify]. | +| Tablets | #31585 (2025-10-27), #32015 (2026-03, PDF-edit issue) | "Set up new tablets" + later PDF-editing trouble. Whether these are the iPads or Android [verify]. | + +**[verify] before enrollment:** exact iPhone model + iOS version + serial/IMEI; iPad count, models, serials, iPadOS versions; which are company-owned (supervised candidates) vs BYO. 
+ +--- + +## Existing MDM context (already in place) + +- **Platform:** ManageEngine MDM (Zoho) — https://mdm.manageengine.com/webclient +- **Admin:** mike@azcomputerguru.com (Zoho account, Super Admin) +- **Already enrolled:** 2 Android company tablets ("Zach", "JOSE"), QR-code enrolled 2025-12-04, fully managed (direct enrollment). +- **Identity backend:** Google Workspace `lonestarelectrical.net` (admin sysadmin@lonestarelectrical.net). NOT M365. + +--- + +## CRITICAL prerequisites for Apple in ManageEngine + +### 1. APNs certificate (mandatory — no Apple MDM without it) +ManageEngine cannot manage any iOS/iPadOS device until an **Apple Push Notification service (APNs) certificate** is uploaded. +- Flow: download the CSR from the ManageEngine console (Apple/iOS enrollment settings) → sign it at the **Apple Push Certificates Portal** (https://identity.apple.com) → upload the resulting `.pem` back into ManageEngine. [verify exact console path] +- **Use a dedicated company/managed Apple ID** to generate it — never a personal Apple ID. Record which Apple ID is used. +- **Renews annually.** Renew with the **SAME Apple ID** every year — renewing under a different Apple ID invalidates the cert and forces re-enrollment of every Apple device. Add a renewal reminder. +- **[decide] Which Apple ID** owns the APNs cert (a Lone Star company Apple ID, or an ACG-managed one). Capture this before generating. + +### 2. Enrollment method — mind the 2026-03-24 self-enrollment fix +**Self-enrollment in ManageEngine was deliberately DISABLED on 2026-03-24** to stop personal Android phones from being prompted to enroll when a Lonestar Google account was added (and ManageEngine was also removed as the GWS third-party EMM). See `wiki/clients/lonestar-electrical.md`. +- **Do not simply re-enable blanket self-enrollment** — that reopens the exact problem that was fixed. 
+- Prefer a **targeted enrollment** for the known company Apple devices: invite-based enrollment (per-device enrollment link/QR to the specific device), matching how the Android tablets were QR-enrolled. Keeps BYO personal phones out of scope. +- Do **not** re-add ManageEngine as a Google Workspace third-party EMM provider. + +### 3. Supervision (optional but recommended for company-owned) +- Company-owned iPhone/iPads can be **supervised** for fuller control. Without Apple Business Manager + ADE, supervision requires Apple Configurator (a Mac app) to prepare each device, which wipes it. The field iPhone (#32251) is already in-hand at the shop — if supervision is wanted, do it now via Apple Configurator on the Mac before handing it back. Otherwise, unsupervised invite enrollment is fine for basic MDM. + +--- + +## Suggested setup sequence (ManageEngine, existing tenant) + +1. Confirm/choose the company Apple ID for APNs; generate + upload the APNs cert in ManageEngine. (One-time; covers all Apple devices.) +2. Decide supervised vs unsupervised per device. If supervising the field iPhone, use **Apple Configurator on the Mac** while it's in-hand (#32251). +3. Build/confirm an Apple device profile/group in ManageEngine (passcode, restrictions, Wi-Fi, app deployment as needed) — mirror the policy applied to the Android tablets where it makes sense. +4. Enroll via **targeted invite/QR per device** (not blanket self-enrollment). +5. Verify the iPhone checks in, then close #32251 and bill against the prepaid block (17.25 hrs). +6. Repeat invite enrollment for the existing iPads once their inventory is confirmed. 
+ +--- + +## Open items / data to gather on the Mac + +- [ ] iPhone model, iOS version, serial/IMEI (#32251 device, in-hand at shop) +- [ ] iPad inventory: count, models, serials, iPadOS versions +- [ ] Decide + record the Apple ID used for the APNs certificate +- [ ] Decide supervised vs unsupervised for the field iPhone (Configurator-on-Mac decision must happen before the device leaves) +- [ ] Confirm enrollment method (targeted invite/QR) and document it so self-enrollment stays off + +--- + +## Source references + +- Syncro: customer 33809612; tickets #32251 (iPhone, open), #31696 (iPads), #31585 (tablets), #32015 (tablet PDF) +- Wiki: `wiki/clients/lonestar-electrical.md` (MDM/EMM history + the dual-EMM self-enrollment trap) +- Vault: `clients/lonestar-electrical/google-workspace.sops.yaml`; GWS service account `ACG-MSP-Access (Google Workspace)` (vault MSP Tools) +- ManageEngine MDM: https://mdm.manageengine.com/webclient (admin mike@azcomputerguru.com) +- Apple Push Certificates Portal: https://identity.apple.com
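Review bot: The APNs section says "Record which Apple ID is used" and "Add a renewal reminder" but gives neither a place to record it nor a date, which is the exact gap that produces the wrong-Apple-ID renewal failure the same paragraph warns about; suggest the doc name a concrete location (the `clients/lonestar-electrical/*.sops.yaml` vault already cited under Source references, or `wiki/clients/lonestar-electrical.md`) for the Apple ID, the cert issue date and the one-year expiry, and that the open-items checklist gain a line for it, e.g. `- [ ] Record APNs Apple ID + cert expiry in vault; set renewal reminder (annual)`. Two smaller points in the same hunk: the `[verify exact console path]` placeholder in the CSR flow should be resolved or left clearly marked before this is relied on during the on-site visit, and step 5 of the sequence hardcodes "17.25 hrs" while the Syncro section correctly says to live-check the contract before billing, so step 5 should point at that check rather than restate the number.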