# Lone Star Electrical — Apple MDM Setup Reference

**Compiled:** 2026-05-27 (GURU-5070) for upcoming work on the Mac

**Goal:** Enroll Lone Star's Apple devices (iPhone + iPads) into the **existing ManageEngine MDM (Zoho)** tenant — the same MDM already managing their Android tablets. Not Apple Business Manager.

---

## Syncro reference (pulled 2026-05-26/27)

- **Customer:** Lone Star Electrical Systems LLC — Syncro ID `33809612`
- **Contract:** Prepaid hour block — **17.25 hrs** remaining (live-check `GET /customers/33809612` before billing)
- **Address:** 3774 North Warren Avenue, Tucson, AZ 85719
- **Main phone:** 520-248-8436
- **Primary contact:** Robin Eneix — robine@lonestarelectrical.net, 520-248-8436 (AZ ROC #318060 CR-11). Office manager / billing + scheduling contact.
- **On-file Syncro asset (1):** Dell XPS 8940 desktop, Service Tag `1599kd3` (not Apple — listed for completeness)

---

## Apple device fleet (derived from tickets — Syncro asset records are incomplete)

| Device | Source ticket | Status / notes |
|---|---|---|
| iPhone (1) — field phone | #32251 (open, Customer Reply) | Dropped off **2026-05-05** to "set up for use in the field." **Their first iPhone** — prior field phones were Android, which is why standard setup stalled. Ticket #32292 ("Cell Phone") merged in. **This is the trigger for Apple MDM.** |
| iPads | #31696 (2025-12-01, resolved) | iPad setup completed Dec 2025. Count/models [verify]. |
| Tablets | #31585 (2025-10-27), #32015 (2026-03, PDF-edit issue) | "Set up new tablets" + later PDF-editing trouble. Whether these are the iPads or Android [verify]. |

**[verify] before enrollment:** exact iPhone model + iOS version + serial/IMEI; iPad count, models, serials, iPadOS versions; which are company-owned (supervised candidates) vs BYO.
---

## Existing MDM context (already in place)

- **Platform:** ManageEngine MDM (Zoho) — https://mdm.manageengine.com/webclient
- **Admin:** mike@azcomputerguru.com (Zoho account, Super Admin)
- **Already enrolled:** 2 Android company tablets ("Zach", "JOSE"), QR-code enrolled 2025-12-04, fully managed (direct enrollment).
- **Identity backend:** Google Workspace `lonestarelectrical.net` (admin sysadmin@lonestarelectrical.net). NOT M365.

---

## CRITICAL prerequisites for Apple in ManageEngine

### 1. APNs certificate (mandatory — no Apple MDM without it)

ManageEngine cannot manage any iOS/iPadOS device until an **Apple Push Notification service (APNs) certificate** is uploaded.

- Flow: download the CSR from the ManageEngine console (Apple/iOS enrollment settings) → sign it at the **Apple Push Certificates Portal** (https://identity.apple.com) → upload the resulting `.pem` back into ManageEngine. [verify exact console path]
- **Use a dedicated company/managed Apple ID** to generate it — never a personal Apple ID. Record which Apple ID is used.
- **Renews annually.** Renew with the **SAME Apple ID** every year — renewing under a different Apple ID invalidates the cert and forces re-enrollment of every Apple device. Add a renewal reminder.
- **[decide] Which Apple ID** owns the APNs cert (a Lone Star company Apple ID, or an ACG-managed one). Capture this before generating.

### 2. Enrollment method — mind the 2026-03-24 self-enrollment fix

**Self-enrollment in ManageEngine was deliberately DISABLED on 2026-03-24** to stop personal Android phones from being prompted to enroll when a Lone Star Google account was added (and ManageEngine was also removed as the GWS third-party EMM). See `wiki/clients/lonestar-electrical.md`.

- **Do not simply re-enable blanket self-enrollment** — that reopens the exact problem that was fixed.
- Prefer a **targeted enrollment** for the known company Apple devices: invite-based enrollment (per-device enrollment link/QR to the specific device), matching how the Android tablets were QR-enrolled. Keeps BYO personal phones out of scope.
- Do **not** re-add ManageEngine as a Google Workspace third-party EMM provider.

### 3. Supervision (optional but recommended for company-owned)

- Company-owned iPhone/iPads can be **supervised** for fuller control. Without Apple Business Manager + ADE, supervision requires Apple Configurator (a Mac app) to prepare each device, which wipes it. The field iPhone (#32251) is already in-hand at the shop — if supervision is wanted, do it now via Apple Configurator on the Mac before handing it back. Otherwise, unsupervised invite enrollment is fine for basic MDM.

---

## Suggested setup sequence (ManageEngine, existing tenant)

1. Confirm/choose the company Apple ID for APNs; generate + upload the APNs cert in ManageEngine. (One-time; covers all Apple devices.)
2. Decide supervised vs unsupervised per device. If supervising the field iPhone, use **Apple Configurator on the Mac** while it's in-hand (#32251).
3. Build/confirm an Apple device profile/group in ManageEngine (passcode, restrictions, Wi-Fi, app deployment as needed) — mirror the policy applied to the Android tablets where it makes sense.
4. Enroll via **targeted invite/QR per device** (not blanket self-enrollment).
5. Verify the iPhone checks in, then close #32251 and bill against the prepaid block (17.25 hrs).
6. Repeat invite enrollment for the existing iPads once their inventory is confirmed.
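Added check for the APNs certificate step (prerequisite 1 and step 1 of the sequence above); this is example code written for this reference, not ManageEngine's or Apple's. The reason the same Apple ID matters at renewal is that the certificate the Push Certificates Portal signs carries the MDM push topic as its subject `UID` attribute (`com.apple.mgmt.External.<uuid>`); a renewal signed under a different Apple ID gets a different topic, so the MDM can no longer push to the devices enrolled under the old one. The script below reads a `.pem` with a minimal DER walker (standard library only), reports days until expiry for the renewal reminder, and compares the topic of the current and the newly signed cert before the new one is uploaded. `build_sample_cert`, the `SAMPLE-*` topics and the fixed 2026-05-27 "now" are constructed demo data, not a real Apple-issued certificate; the `.pem` layout it assumes is standard X.509.

```python
"""APNs push-certificate checks for the MDM renewal step (added example, not
ManageEngine or Apple code). Assumes the .pem from the Apple Push Certificates
Portal is a standard X.509 cert whose subject UID carries the push topic."""
import base64
import re
from datetime import datetime, timedelta, timezone

TIME_FORMATS = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}  # UTCTime / GeneralizedTime

# --- minimal DER helpers: TLV encode/decode and OID encoding ---
def _tlv(tag, value):
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Decode every TLV inside a SEQUENCE/SET body."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        out.append((tag, inner))
    return out

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = bytearray([a & 0x7F])
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += chunk
    return bytes(out)

OID_USER_ID = _encode_oid("0.9.2342.19200300.100.1.1")   # X.520 userId (UID)
OID_COMMON_NAME = _encode_oid("2.5.4.3")

def parse_push_cert(pem):
    """Return {"topic": subject UID or None, "not_after": aware datetime}."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if m is None:
        raise ValueError("no CERTIFICATE block found in PEM input")
    der = base64.b64decode("".join(m.group(1).split()))
    _, cert, _ = _read_tlv(der, 0)              # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)              # tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                    # skip optional [0] version
        fields = fields[1:]
    # fields: serial, signatureAlg, issuer, validity, subject, spki, ...
    tag, raw = _children(fields[3][1])[1]       # validity.notAfter
    not_after = datetime.strptime(raw.decode("ascii"), TIME_FORMATS[tag]).replace(tzinfo=timezone.utc)
    topic = None
    for _, rdn_set in _children(fields[4][1]):  # subject: SEQUENCE OF (SET OF type+value)
        for _, atv in _children(rdn_set):
            (_, oid), (_, value) = _children(atv)
            if oid == OID_USER_ID:
                topic = value.decode("utf-8")
    return {"topic": topic, "not_after": not_after}

def check_renewal(old_pem, new_pem, now=None, warn_days=30):
    """Findings to review before uploading a renewed push cert to the MDM."""
    now = now or datetime.now(timezone.utc)
    old, new = parse_push_cert(old_pem), parse_push_cert(new_pem)
    days_left = (new["not_after"] - now).days
    return {
        "topic": new["topic"],
        # False => signed under a different Apple ID; every enrolled device must re-enroll
        "topic_unchanged": old["topic"] is not None and old["topic"] == new["topic"],
        "days_until_expiry": days_left,
        "renew_soon": days_left <= warn_days,
    }

def build_sample_cert(topic, not_after):
    """Constructed demo data: certificate-shaped DER with a dummy signature, NOT Apple-issued."""
    def name(attrs):
        return _tlv(0x30, b"".join(_tlv(0x31, _tlv(0x30, _tlv(0x06, o)
                                                 + _tlv(0x0C, v.encode()))) for o, v in attrs))
    def utc(dt):
        return _tlv(0x17, dt.strftime(TIME_FORMATS[0x17]).encode())
    alg = _tlv(0x30, _tlv(0x06, _encode_oid("1.2.840.113549.1.1.11")) + _tlv(0x05, b""))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg
               + name([(OID_COMMON_NAME, "Sample Push CA")])
               + _tlv(0x30, utc(not_after - timedelta(days=365)) + utc(not_after))
               + name([(OID_USER_ID, topic), (OID_COMMON_NAME, "APSP:sample")])
               + _tlv(0x30, alg + _tlv(0x03, b"\x00" * 9)))
    der = _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 9))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    now = datetime(2026, 5, 27, tzinfo=timezone.utc)   # fixed "now" for the demo
    cur = build_sample_cert("com.apple.mgmt.External.SAMPLE-1", datetime(2026, 6, 1, tzinfo=timezone.utc))
    new = build_sample_cert("com.apple.mgmt.External.SAMPLE-1", datetime(2027, 6, 1, tzinfo=timezone.utc))
    print(check_renewal(cur, new, now))   # topic_unchanged True, 370 days left
```

For the real renewal, call `check_renewal` with the `.pem` currently loaded in ManageEngine and the one just downloaded from the portal: if `topic_unchanged` is False, do not upload it; re-sign under the Apple ID recorded for this tenant. `days_until_expiry` is the number to put on the annual reminder.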
---

## Open items / data to gather on the Mac

- [ ] iPhone model, iOS version, serial/IMEI (#32251 device, in-hand at shop)
- [ ] iPad inventory: count, models, serials, iPadOS versions
- [ ] Decide + record the Apple ID used for the APNs certificate
- [ ] Decide supervised vs unsupervised for the field iPhone (Configurator-on-Mac decision must happen before the device leaves)
- [ ] Confirm enrollment method (targeted invite/QR) and document it so self-enrollment stays off

---

## Source references

- Syncro: customer 33809612; tickets #32251 (iPhone, open), #31696 (iPads), #31585 (tablets), #32015 (tablet PDF)
- Wiki: `wiki/clients/lonestar-electrical.md` (MDM/EMM history + the dual-EMM self-enrollment trap)
- Vault: `clients/lonestar-electrical/google-workspace.sops.yaml`; GWS service account `ACG-MSP-Access (Google Workspace)` (vault MSP Tools)
- ManageEngine MDM: https://mdm.manageengine.com/webclient (admin mike@azcomputerguru.com)
- Apple Push Certificates Portal: https://identity.apple.com