How to Set Up Zero-Touch Deployment for Apple Devices

Apple’s Zero-Touch Deployment feels counterintuitive at first. Once you've set it up, you naturally want to do something else. You want to click a box, or make a request, or do something else to trigger Zero-Touch.

But the beauty of Zero-Touch Deployment is that it really is zero-touch.

Yes, there are a lot of steps to take when setting it up, but once it's set up, you really don't need to do anything else: Unless something's not working as expected, Zero-Touch really does mean one and done.

The tricky part, then, is knowing how to set up Zero-Touch Deployment for Apple devices properly. This means taking the right actions, in the correct sequence.

Read on to learn how.

Don't want to read the article? Watch the full recording below.
Be sure to register here for the "Ntiva Live: Apple for Business" webinar series!

Step 1: Purchase From the Right Place

Purchasing from the right seller means that seller must be authorized to sell Apple products and they must be enrolled in the Zero-Touch workflow.

Why does this matter?

Apple must know you’re authorized to make the purchase that starts the Zero-Touch workflow. This means if you visit any random big-box store or online retailer and buy a Mac, there's no way Apple will know you’re part of an organization that’s enrolled in the Zero-Touch workflow.

As such, you need to find an eligible Apple reseller ahead of time, and you must link the reseller’s unique reseller ID into your unique Apple Business Manager — which is the next step.

Step 2: Connect Apple Devices to Apple Business Manager

Depending on where you buy your Apple devices, they can automatically be connected to Apple Business Manager before they arrive. Devices purchased from ecommerce.apple.com, for example, get attached to your Apple Business Manager account within a week after purchase and always before they arrive.

This is a handy feature because you can verify enrollment before unboxing any computers. You go into Apple Business Manager to see if your newly purchased devices are in the system. If they are, great. If they’re not, Zero-Touch isn’t going to work.

You must manually enroll any device that isn’t automatically enrolled in Apple Business Manager. Remember: Once you unbox, that’s the only opportunity you have to get the Zero-Touch experience. Here is an overview of the Zero-Touch experience:

• When the device arrives, ask the user to unbox it.
• Connect the device to the internet. You cannot postpone this step; otherwise, the device will fail to have the Zero-Touch conversation with Apple’s servers.
• The device asks Apple if anybody owns it. Apple looks at Apple Business Manager and confirms that your organization owns the device.
• The device then talks to the company’s Mobile Device Management server and starts receiving instructions.

Historically, you or your Managed Service Provider manually enrolled devices using a mobile config file. And they had to be an administrator to approve the enrollment profile. Zero-Touch means all of this is now done automatically, as long as you’re online and the device knows who owns it.

Step 3: Set Up the Device

Once Zero-Touch recognizes a new device, it immediately and automatically acts upon the machine. If there's software you've configured to install on the computer, it starts trying to do that. Zero-Touch also starts applying settings, and, in a lot of organizations today, it starts applying security settings.

For example, if you've got firewall settings that need to be applied to a device, or if you've got 802.1X settings that need to be applied to a device right out of the box for it to be compliant on a network, Zero-Touch takes care of these configuration steps.

By getting these things in place immediately and automatically, Zero-Touch gets users up and running — securely — in the shortest timeframe possible.

Once Zero-Touch pulls the right software and implements the correct settings, it allows users to proceed to user account creation while the rest of this is churning around in the background. Users can use this time to continue downloading and installing larger software packages, such as the Microsoft Office or Adobe Creative Cloud suite of apps.

Step 4: Authenticate with Google or Microsoft and Forget Apple IDs

The final step we recommend to make the Zero-Touch workflow even better is to configure new Macs to look to either Microsoft 365 or Google Workspace for authentication. With this set up new users can enter their company email and password on their Mac — right out of the box — and a new macOS account will get created on the fly. This greatly simplifies the onboarding of new employees.

When you use Zero-Touch, if you also leverage the Apps and Books feature of Apple Business Manager, you really don't need Apple IDs anymore. Your employees don't need to worry about entering Apple ID credentials to apply App Store updates, especially for Keynote, Numbers, and Pages. Apple ships these office productivity apps on each computer. Your users will no longer get prompted to enter an Apple ID to update and patch these apps. You can make this step go away through the Zero-Touch workflow.

Apple Zero-Touch as Easy as 1-2-3-4

With Zero-Touch deployment, you set up and configure every Apple device automatically. This eliminates the need for your IT staff to handle each device individually. And Apple Business Manager makes it easy to automate device deployment, purchase apps and distribute content, and reduce the need for Apple IDs for employees.

By the way, Ntiva specializes in helping enterprises like yours operate smarter and more securely with Apple technology. Learn more about our Apple Enterprise Management services.