claudetools/clients/lonestar-electrical/docs/apple-mdm-setup-reference.md

Lone Star Electrical — Apple MDM Setup Reference

Compiled: 2026-05-27 (GURU-5070) for upcoming work on the Mac Goal: Enroll Lone Star's Apple devices (iPhone + iPads) into the existing ManageEngine MDM (Zoho) tenant — the same MDM already managing their Android tablets. Not Apple Business Manager.

---

Syncro reference (pulled 2026-05-26/27)

• Customer: Lone Star Electrical Systems LLC — Syncro ID 33809612
• Contract: Prepaid hour block — 17.25 hrs remaining (live-check GET /customers/33809612 before billing)
• Address: 3774 North Warren Avenue, Tucson, AZ 85719
• Main phone: 520-248-8436
• Primary contact: Robin Eneix — robine@lonestarelectrical.net, 520-248-8436 (AZ ROC #318060 CR-11). Office manager / billing + scheduling contact.
• On-file Syncro asset (1): Dell XPS 8940 desktop, Service Tag 1599kd3 (not Apple — listed for completeness)

---

Apple device fleet (derived from tickets — Syncro asset records are incomplete)

Device	Source ticket	Status / notes
iPhone (1) — field phone	#32251 (open, Customer Reply)	Dropped off 2026-05-05 to "set up for use in the field." Their first iPhone — prior field phones were Android, which is why standard setup stalled. Ticket #32292 ("Cell Phone") merged in. This is the trigger for Apple MDM.
iPads	#31696 (2025-12-01, resolved)	iPad setup completed Dec 2025. Count/models [verify].
Tablets	#31585 (2025-10-27), #32015 (2026-03, PDF-edit issue)	"Set up new tablets" + later PDF-editing trouble. Whether these are the iPads or Android [verify].

[verify] before enrollment: exact iPhone model + iOS version + serial/IMEI; iPad count, models, serials, iPadOS versions; which are company-owned (supervised candidates) vs BYO.

---

Existing MDM context (already in place)

• Platform: ManageEngine MDM (Zoho) — https://mdm.manageengine.com/webclient
• Admin: mike@azcomputerguru.com (Zoho account, Super Admin)
• Already enrolled: 2 Android company tablets ("Zach", "JOSE"), QR-code enrolled 2025-12-04, fully managed (direct enrollment).
• Identity backend: Google Workspace lonestarelectrical.net (admin sysadmin@lonestarelectrical.net). NOT M365.

---

CRITICAL prerequisites for Apple in ManageEngine

1. APNs certificate (mandatory — no Apple MDM without it)

ManageEngine cannot manage any iOS/iPadOS device until an Apple Push Notification service (APNs) certificate is uploaded.

• Flow: download the CSR from the ManageEngine console (Apple/iOS enrollment settings) → sign it at the Apple Push Certificates Portal (https://identity.apple.com) → upload the resulting .pem back into ManageEngine. [verify exact console path]
• Use a dedicated company/managed Apple ID to generate it — never a personal Apple ID. Record which Apple ID is used.
• Renews annually. Renew with the SAME Apple ID every year — renewing under a different Apple ID invalidates the cert and forces re-enrollment of every Apple device. Add a renewal reminder.
• [decide] Which Apple ID owns the APNs cert (a Lone Star company Apple ID, or an ACG-managed one). Capture this before generating.

2. Enrollment method — mind the 2026-03-24 self-enrollment fix

Self-enrollment in ManageEngine was deliberately DISABLED on 2026-03-24 to stop personal Android phones from being prompted to enroll when a Lonestar Google account was added (and ManageEngine was also removed as the GWS third-party EMM). See wiki/clients/lonestar-electrical.md.

• Do not simply re-enable blanket self-enrollment — that reopens the exact problem that was fixed.
• Prefer a targeted enrollment for the known company Apple devices: invite-based enrollment (per-device enrollment link/QR to the specific device), matching how the Android tablets were QR-enrolled. Keeps BYO personal phones out of scope.
• Do not re-add ManageEngine as a Google Workspace third-party EMM provider.

3. Supervision (optional but recommended for company-owned)

• Company-owned iPhone/iPads can be supervised for fuller control. Without Apple Business Manager + ADE, supervision requires Apple Configurator (a Mac app) to prepare each device, which wipes it. The field iPhone (#32251) is already in-hand at the shop — if supervision is wanted, do it now via Apple Configurator on the Mac before handing it back. Otherwise, unsupervised invite enrollment is fine for basic MDM.

---

Suggested setup sequence (ManageEngine, existing tenant)

1. Confirm/choose the company Apple ID for APNs; generate + upload the APNs cert in ManageEngine. (One-time; covers all Apple devices.)
2. Decide supervised vs unsupervised per device. If supervising the field iPhone, use Apple Configurator on the Mac while it's in-hand (#32251).
3. Build/confirm an Apple device profile/group in ManageEngine (passcode, restrictions, Wi-Fi, app deployment as needed) — mirror the policy applied to the Android tablets where it makes sense.
4. Enroll via targeted invite/QR per device (not blanket self-enrollment).
5. Verify the iPhone checks in, then close #32251 and bill against the prepaid block (17.25 hrs).
6. Repeat invite enrollment for the existing iPads once their inventory is confirmed.

---

Open items / data to gather on the Mac

• iPhone model, iOS version, serial/IMEI (#32251 device, in-hand at shop)
• iPad inventory: count, models, serials, iPadOS versions
• Decide + record the Apple ID used for the APNs certificate
• Decide supervised vs unsupervised for the field iPhone (Configurator-on-Mac decision must happen before the device leaves)
• Confirm enrollment method (targeted invite/QR) and document it so self-enrollment stays off

---

Source references

• Syncro: customer 33809612; tickets #32251 (iPhone, open), #31696 (iPads), #31585 (tablets), #32015 (tablet PDF)
• Wiki: wiki/clients/lonestar-electrical.md (MDM/EMM history + the dual-EMM self-enrollment trap)
• Vault: clients/lonestar-electrical/google-workspace.sops.yaml; GWS service account ACG-MSP-Access (Google Workspace) (vault MSP Tools)
• ManageEngine MDM: https://mdm.manageengine.com/webclient (admin mike@azcomputerguru.com)
• Apple Push Certificates Portal: https://identity.apple.com