Pro ACSPBlog

MDM for the ACSP Exam: Everything You Need to Know

Pro ACSP Team9 min read
Close-up of open textbook on a desk
Photo by Lum3n on Pexels

Why MDM Matters for the ACSP Exam

Mobile Device Management has become one of the most heavily weighted topics on the Apple Device Support exam. This reflects the reality of modern Apple device management: organisations no longer configure devices manually one at a time. Instead, they use MDM solutions to deploy, configure, secure, and manage entire fleets of Macs, iPhones, and iPads from a central console.

If you are preparing for the ACSP exam, you cannot afford to treat MDM as a secondary topic. Understanding how Apple's management framework works, from Apple Business Manager through to configuration profiles and managed app deployment, is essential for passing the exam and for working effectively as an Apple IT professional.

The Apple Management Framework

Apple's approach to device management is built on a layered architecture that connects several services and technologies. Understanding how these pieces fit together is critical for the exam.

Apple Business Manager

Apple Business Manager (ABM) is the web-based portal that serves as the foundation of Apple's enterprise management ecosystem. Through ABM, organisations can:

  • Purchase and assign apps and books using volume licensing (formerly VPP, now integrated into ABM)
  • Register devices for Automated Device Enrolment
  • Create and manage Managed Apple IDs for employees
  • Assign devices to MDM servers so they are automatically enrolled when first set up

For the exam, you should understand that ABM is not itself an MDM solution. It is the portal through which organisations connect their devices to an MDM solution and manage content licences. Think of ABM as the registration and assignment layer, while the MDM server handles the actual configuration and policy enforcement.

Automated Device Enrolment

Automated Device Enrolment (formerly DEP, the Device Enrolment Programme) allows organisations to automatically enrol new or wiped devices into their MDM solution during the initial setup process. When a device that has been assigned to an MDM server through ABM is powered on for the first time (or after a factory reset), it automatically:

  1. Contacts Apple's enrolment servers
  2. Receives the MDM server assignment
  3. Enrols in the MDM solution
  4. Downloads and applies configuration profiles
  5. Installs assigned apps

This is the foundation of zero-touch deployment, where IT administrators can ship a device directly to an end user without ever physically touching it. The device configures itself automatically when the user turns it on.

Key exam points about Automated Device Enrolment:

  • Devices must be purchased through Apple or an authorised reseller to be eligible, or manually added using Apple Configurator
  • Enrolment can be configured as mandatory (the user cannot skip it) or optional
  • Supervision can be applied during Automated Device Enrolment, enabling additional management capabilities
  • The MDM profile installed through Automated Device Enrolment is non-removable by default on supervised devices

MDM Servers and Solutions

An MDM server is the software platform that actually manages devices. Popular third-party MDM solutions for Apple devices include Jamf Pro, Mosyle, Kandji, Hexnode, and Microsoft Intune. Apple also provides a basic, open-source MDM server called Profile Manager as part of macOS Server, though it is primarily intended for small deployments and testing.

The MDM server communicates with devices using the Apple Push Notification service (APNs). When an administrator makes a change, such as installing an app or updating a restriction, the MDM server sends a push notification to the device via APNs. The device then contacts the MDM server to download and apply the change.

For the exam, understand this communication flow:

  1. Administrator makes a change in the MDM console
  2. MDM server sends a push notification via APNs
  3. Device receives the notification and contacts the MDM server
  4. Device downloads and applies the configuration or command

This means that devices must have internet connectivity to receive MDM commands, and APNs must not be blocked by network firewalls or proxy servers. This is a common troubleshooting scenario on the exam.

Configuration Profiles

Configuration profiles are XML files (with a .mobileconfig extension) that contain settings and restrictions for Apple devices. They are the primary mechanism through which MDM solutions configure device behaviour. Configuration profiles can contain payloads for a wide range of settings, including:

  • Wi-Fi: Automatically configure network connections, including SSID, security type, and certificates
  • VPN: Set up VPN connections with various protocols
  • Email: Configure mail accounts with server addresses and authentication
  • Restrictions: Disable features such as the camera, AirDrop, iCloud backup, or the App Store
  • Passcode policy: Require minimum passcode length, complexity, and auto-lock timing
  • FileVault: Enable and manage disk encryption on macOS
  • Certificates: Install certificates for authentication and secure communications
  • Web content filter: Restrict access to specific websites or categories

Profile Scope and Removal

Configuration profiles can be applied at the device level (affecting all users on the device) or the user level (affecting only a specific user). On the exam, understand that:

  • Device-level profiles are applied regardless of which user is signed in
  • User-level profiles follow the user and apply only to their session
  • On supervised devices, profiles installed by MDM cannot be removed by the user
  • On unsupervised devices, users may be able to remove MDM profiles (depending on the profile's removal policy setting)

Supervision

Supervision is a state that grants MDM solutions enhanced management capabilities over a device. Supervised devices support additional restrictions and commands that are not available on unsupervised devices, including:

  • Preventing the user from removing the MDM profile
  • Silently installing and removing apps without user interaction
  • Restricting which apps can be used (app allow-lists and block-lists)
  • Enabling Single App Mode (kiosk mode)
  • Configuring global HTTP proxy settings
  • Controlling device name and wallpaper

For the exam, remember that supervision can be applied through:

  • Automated Device Enrolment (the most common method for organisations)
  • Apple Configurator (for manually preparing devices)

Managed Apple IDs

Managed Apple IDs are Apple IDs created and controlled by an organisation through Apple Business Manager. Unlike personal Apple IDs, Managed Apple IDs are:

  • Created by the organisation, not the individual
  • Typically formatted as the user's name at the organisation's domain (e.g., [email protected])
  • Limited in functionality compared to personal Apple IDs (no App Store purchases, limited iCloud features)
  • Managed and reset by the organisation's IT administrators
  • Able to be federated with identity providers such as Microsoft Azure AD or Google Workspace

On the exam, understand the differences between Managed Apple IDs and personal Apple IDs, particularly regarding which iCloud services are available with each type. Managed Apple IDs support iCloud Drive, Notes, Reminders, and other productivity features, but do not support App Store purchases or some consumer-oriented services.

App Management Through MDM

MDM solutions can deploy apps to managed devices in several ways:

Volume-Purchased Apps

Through Apple Business Manager, organisations can purchase app licences in volume and assign them to devices or users through MDM. Apps deployed this way:

  • Can be installed silently on supervised devices
  • Can be revoked and reassigned when an employee leaves
  • Do not require users to have personal Apple IDs to install work apps

Custom Apps

Organisations can distribute custom-built apps (developed internally or by a third-party developer specifically for that organisation) through Apple Business Manager without publishing them on the public App Store.

Managed App Configuration

MDM solutions can push configuration data to managed apps, pre-configuring settings such as server addresses, default preferences, and authentication tokens. This allows apps to be ready for use immediately after installation.

Troubleshooting MDM Issues

The exam frequently presents MDM troubleshooting scenarios. Common issues include:

Device Not Enrolling

  • Verify the device is assigned to the correct MDM server in Apple Business Manager
  • Check that the device has internet connectivity
  • Ensure the MDM server's APNs certificate is valid and not expired
  • Confirm the device is not already enrolled in another MDM solution

Profiles Not Being Applied

  • Verify APNs connectivity (the device must be able to reach Apple's push notification servers)
  • Check that the profile is assigned to the correct device group or user group
  • Review the profile for errors or conflicts with existing profiles
  • On macOS, check System Settings > Profiles to see which profiles are installed

Apps Not Installing

  • Confirm that app licences are available in Apple Business Manager
  • Verify the device meets the app's minimum OS version requirements
  • Check that the device has sufficient storage space
  • Ensure the device is supervised if silent app installation is required

Study Tips for MDM Topics

Set Up a Test Environment

If possible, set up a free or trial MDM solution and practise enrolling test devices. Many MDM vendors offer free tiers or trial periods. This hands-on experience is invaluable for understanding the enrolment flow, profile management, and troubleshooting process.

Know the Terminology

The exam uses Apple's current terminology. Make sure you are using the correct terms: "Apple Business Manager" (not "DEP" or "VPP"), "Automated Device Enrolment" (not "DEP"), "volume content" (not "VPP apps"). Using outdated terminology in your study materials can cause confusion on the exam.

Understand the Complete Flow

Practice tracing the complete lifecycle of a managed device: from purchase and registration in ABM, through Automated Device Enrolment, to profile application, app deployment, and eventual retirement. Understanding this end-to-end flow helps you answer scenario-based questions that span multiple MDM concepts.

Focus on Supervised vs Unsupervised

Many exam questions hinge on whether a device is supervised. Know which management capabilities require supervision and which do not. When a question describes a management action that fails, consider whether the device being unsupervised could be the root cause.

MDM is not just an exam topic. It is the foundation of professional Apple device management. Investing time in understanding these concepts thoroughly will serve you well on the exam and throughout your career.