
Apple Business — Manually Adding a Device with Apple Configurator (Working Draft)

Companion to Doc 2 — the full drill-down on On-ramp 2

Guide set — Apple Business device management. You are here: Configurator companion. Three enrollment guides plus this hands-on companion:

  1. Account-Driven Enrollment — BYOD + OOD — enroll a device already in use, from Settings.
  2. Automated Device Enrollment — new or erased org devices via Setup Assistant.
  3. Lifecycle & Offboarding — un-enroll, release, transfer, erase/reassign.

Companion (this doc): Manual Add with Apple Configurator — the step-by-step On-ramp 2 drill-down that feeds Doc 2.

Scope: This doc covers only the manual on-ramp: taking a used/existing device that isn't in your inventory and getting it into Apple Business with Apple Configurator, then through management assignment, Blueprint, and first setup. It's the detailed version of Doc 2's "On-ramp 2" — pulled out so Doc 2 doesn't get bloated.

Once the device is in Apple Business and assigned, it rejoins the normal Automated Device Enrollment flow in Doc 2 — this doc just gets it to that point, drilled all the way down.

Status: draft built from Apple's official docs (Apple Business User Guide, Apple Configurator for Mac User Guide, April 2026) and corrected against David's real walkthrough — the errors he hit are written up in Troubleshooting. Items still needing confirmation are flagged inline.


The one thing to get right: ORDER

Almost every failure in this process is an ordering problem. The device must be fully staged in Apple Business before you ever swipe through Setup Assistant on the phone. If you proceed on the device too early, it has nothing to download and setup errors out.

The correct sequence is four phases, in this order:

| Phase | Where | What happens |
|---|---|---|
| 1 | Mac — Apple Configurator | Erase/prepare the device and add it to Apple Business (it lands in an "Apple Configurator" group) |
| 2 | Apple Business (web) | Assign the device to a management service (Built-in or Jamf) |
| 3 | Apple Business (web) | Assign a Blueprint (Built-in path) or confirm a Jamf PreStage (Jamf path) |
| 4 | The device | Run Setup Assistant — only now — and it pulls its configuration |

⚠️ Do not touch Setup Assistant on the device until Phases 1–3 are done. This is the single most common cause of "Configuration for your iPhone could not be downloaded from the organization."


⚠️ Two sign-in prompts people confuse (this bites everyone)

There are two completely different "sign in" moments with the same managed admin account, and they are not interchangeable:

| Prompt | Where it lives | What it's for | Use it here? |
|---|---|---|---|
| Account > Sign In (Configurator menu bar) | Apple Configurator app menu | Signing in to get apps & books for content distribution | No — not part of adding a device |
| Device Management Service sign-in | Inside the Prepare > Manual Configuration wizard | Authorizes adding this device to Apple Business | Yes — this is the one |

⚠️ Account > Sign In is a dead end for enrollment. It only loads your apps-and-books content. Signing your managed admin account in there can throw AMSErrorDomain error 100 and gets you nowhere toward adding a device. The credential that matters is entered later, inside the Prepare wizard. See Troubleshooting.


Requirements & what Configurator can add

⚠️ macOS / Configurator version (check the Mac first). Apple Configurator for Mac needs a current macOS — 2.20 requires macOS 15.7+, 2.19 requires macOS 15.6+. It runs only on a Mac.

| You want to add… | Use | Notes |
|---|---|---|
| iPhone, iPad, Apple TV (HD or later) | Apple Configurator for Mac | The path this doc covers |
| Mac (Apple silicon or T2) | Apple Configurator for iPhone | Different app — not covered here |

Account/role you need: a Managed Apple Account with the Administrator or Device Enrollment Manager role (permission to add devices with Apple Configurator). The apps-and-books permission is a different permission and is not what this process needs.


Phase 0 — Stage the Mac and the device

Two separate computers are involved — don't mix them up:

  - The admin Mac = the Mac running Apple Configurator (your workstation). Steps 1–2 are about this Mac.
  - The target device = the iPhone/iPad being enrolled. Step 3 is about this device.

On the admin Mac (the one running Apple Configurator):

  1. Confirm the macOS/Configurator versions above and install Apple Configurator.
  2. Your Mac's own Apple Account doesn't matter — leave it signed in. Whatever account you use for iCloud on this Mac (even if it's the same email as your ABM admin) is irrelevant to Apple Configurator; the app never uses the Mac's iCloud login to add devices. The only macOS requirement is that your user is a local administrator (you authenticate as the Mac admin during Prepare). The ABM admin account is entered only inside the Prepare wizard (Phase 1) — never in System Settings, never on the iPhone. (Managed Apple Accounts aren't OS-level/iCloud logins in the first place.)

On the target device (the iPhone/iPad being enrolled):

  1. If it's already in use: sign out of iCloud, turn off Find My, and be ready to erase. Activation Lock must be clear or it can't be set up as new.
  2. Plug the device into the Mac by USB and keep it connected for the entire process.

Phase 1 — Add the device to Apple Business (Apple Configurator, on the Mac)

Mode that pairs with the rest of this doc: leave "Activate and Complete Enrollment" unchecked. That leaves the device parked at Setup Assistant so the user (you) completes it in Phase 4 — which is exactly what we want, because the config isn't ready until Phases 2–3 are done.

  1. In Apple Configurator, select the connected device, then Prepare (toolbar, Actions > Prepare, or right-click > Prepare).
  2. Choose Manual Configuration and select Add to Apple Business Manager.
  3. Deselect "Activate and Complete Enrollment." Click Next.
  4. Under Device Management Services, choose New Server. Click Next.
  5. Name the server (e.g., "Apple Business Manager"). Leave the Device Management Service URL unchanged (it won't verify — that's expected). Click Next.
  6. Don't add a certificate. Click Next.
  7. Select your organization (or New Organization). Click Next.
  8. Sign in with your Managed Apple Account (Administrator or Device Enrollment Manager). ← This is the real enrollment sign-in — not Account > Sign In. Click Next.
  9. Complete sign-in, then Generate a new supervision identity.
  10. Choose which Setup Assistant panes to skip. Click Next.
  11. Select a Wi-Fi configuration profile (so the device can reach Apple Business). Click Next.
  12. Authenticate with your macOS administrator account, then Update Settings.
  13. Unlock the device if prompted. If it says the device is already set up, click Erase. → Result: the device is wiped and left at Setup Assistant, and its serial is now in Apple Business under an "Apple Configurator" group.

⚠️ 30-day provisional period. Devices added via Configurator can be released by the user from Apple Business / supervision / management within 30 days of enrollment. Purchased devices have no such escape hatch.


Phase 2 — Assign the device to a management service (Apple Business, web)

This is a fork, and it's where the Blueprint-vs-Jamf confusion comes from. A device pulls its setup config from whichever service you assign it to — either Apple's Built-in Device Management or Jamf. Not both. The next phase depends on which one you pick here.

  1. Sign in to business.apple.com as Administrator or Device Enrollment Manager.
  2. Go to Devices and open the device. A Configurator-added device shows Device Management Service: "Devices Added by Apple Configurator" until you assign it. (If you can't find it, filter Source > "Manually Added" / "Apple Configurator" and refresh.)

ABM device detail page — the iPhone is in Apple Business but still sitting in the "Devices Added by Apple Configurator" group, with the Assign Device Management button at the top.

  3. Click Assign Device Management. In the dialog, open the Device Management Service menu.

The Assign Device Management dialog with the Device Management Service menu still empty.

  4. Choose your service — here, Built-in device management — then click Continue.

Built-in device management selected in the menu; the Continue button becomes active.

  5. Confirm the change. Read the dialog's own wording: "Assignment changes will take effect the next time the device uses Automated Device Enrollment in Setup Assistant." That sentence is exactly why you stage everything before running Setup Assistant on the phone.

Confirmation dialog warning that the assignment change takes effect at the next Setup Assistant run.

  6. You'll get a success confirmation — the device is now assigned.

Device management service assignment updated — 1 Completed, the device was successfully updated.

| If you assign to… | Then the config comes from… | Next phase |
|---|---|---|
| Built-in Device Management | An ABM Blueprint | Phase 3A |
| Jamf | A Jamf PreStage enrollment | Phase 3B |

⚠️ Order still matters: assigning the service is not optional and must happen before Setup Assistant. An unassigned device = no config = the download error.


Phase 3A — Assign a Blueprint (Built-in Device Management path)

Blueprints exist only in Built-in Device Management. Because a test device has no assigned user, you assign the Blueprint directly to the device by serial number.

⚠️ Requirement: a Blueprint assigned by serial number requires Automated Device Enrollment as the enrollment method — which is exactly what a Configurator-added device uses. ✔

Create a Blueprint and add the device to it:

  1. In Apple Business, sign in with a role that can manage Blueprints.
  2. Devices > Blueprints > Add (+).
  3. Choose a type:
     - Blueprints for service devices — right choice for a test / kiosk / shared device with no user. (Recommended for your test iPhone.)
     - Create your own Blueprint — full custom.
     - (Blueprints for users — for devices tied to a person.)
  4. Continue, then set up default configurations, add apps if desired, and — key step — open the Devices section and add your iPhone's serial number.
  5. Add Blueprint to save.

Assigning an existing Blueprint instead: Devices > Blueprints → select the Blueprint → Devices → add the serial → Save.


Phase 3B — Confirm the Jamf PreStage (Jamf path)

If you assigned the device to Jamf in Phase 2, there is no Blueprint. Instead, in Jamf make sure the device's serial is scoped to a PreStage Enrollment with the desired settings. Without a matching PreStage, the device hits the same "couldn't download" error in Phase 4.

⚠️ To validate against David's Jamf setup: exact PreStage scoping path and whether the device auto-appears in Jamf after ABM assignment or needs a sync.


Phase 4 — Run Setup Assistant on the device (only now)

  1. If the device already failed a setup attempt, Erase All Content and Settings first — a poisoned setup session won't retry on its own.
  2. Power on; connect to Wi-Fi / internet.
  3. Proceed through Setup Assistant. At Remote Management, the device checks Apple Business, finds its assigned service + Blueprint (or Jamf PreStage), and downloads the configuration.
  4. Finish setup. The device is now supervised and fully managed.
     - Built-in + Blueprint-to-device: no Managed Apple Account sign-in required; a personal Apple Account may optionally be added later in Settings.

✅ Verified: on the real test run the Blueprint pulled down automatically at Remote Management, with no Apple Business app involved — because the Blueprint was assigned to the device by serial, not to a user.

Aside — when you do see the Apple Business app. If a Blueprint is assigned to a user (Fork 1) rather than a device serial, the Apple Business app appears on the device as the per-user storefront for assigned apps. That's a different path from this guide's device-by-serial flow, but here's what it looks like so the distinction is concrete:

The Apple Business app on iPhone showing assigned apps under the Apps tab, with Apps / Devices / Search tabs at the bottom.


Retrying a failed setup — erase, DON'T re-Prepare

If the device is already in Apple Business, assigned to Built-in, and on a Blueprint, you do not re-run the full Prepare wizard to try again — that just repeats the add-to-ABM steps you've already done. The serial stays enrolled in ABM through an erase, so all you need is a clean wipe so Setup Assistant runs fresh.

Easiest — erase through Apple Configurator: connect the device, select it, Actions > Advanced > Erase All Content and Settings. (This is "Erase," not "Prepare.") The device stays enrolled in ABM and re-runs Setup Assistant.

Alternative (no Mac needed): on the phone, Settings > General > Transfer or Reset iPhone > Erase All Content and Settings.

Then on the device: go through Setup Assistant and join WiFi when the "Choose a Wi-Fi Network" screen appears (or use a phone hotspot). Once online, Remote Management reaches Apple and pulls the Blueprint.

Only re-run the full "Prepare" if you specifically want to bake in a Wi-Fi profile (so the device comes up online by itself) or change which Setup Assistant panes are skipped. If you're there to tap the WiFi network by hand, a plain Erase is enough.

Fastest retry test: Erase All Content & Settings (via Configurator) → on setup, join WiFi / hotspot → let Remote Management run. If it still hangs after the phone is confirmed online, the problem is the network filtering Apple's hosts/ports, not your ABM/Blueprint setup.


How the configuration actually reaches the device (network, NOT the cable)

This is the part that's easy to get wrong, so read it carefully.

Apple Configurator does not push the Blueprint to the device. The USB cable's only job was back in Phase 1: erase the device and register its serial number in Apple Business with a pointer to your org. After that, Configurator and the Mac are completely out of the picture. You could unplug the cable and throw the Mac in a drawer — it changes nothing.

The Blueprint/MDM configuration is pulled by the device itself, over the internet (WiFi or cellular), from Apple's cloud. Here's the actual sequence at the Remote Management screen:

  1. The phone is already on WiFi (see below for how it got there).
  2. It contacts Apple's activation/MDM servers and effectively asks, "Who do I belong to?"
  3. Apple's cloud answers, "Org X — your management service is Built-in Device Management," and hands over the enrollment profile.
  4. The phone then downloads its Blueprint configuration over the network and applies it.

So the config travels: Apple's cloud → WiFi → device. Never through the cable. If the device can't reach Apple's servers over the network, nothing downloads — and you get a Remote Management timeout, even though everything in Apple Business is set up perfectly.


At what point does the device get WiFi? (the likely cause of a timeout)

Because the config arrives over the network, the device must have working internet at the Remote Management screen. There are only two ways it gets WiFi, and an admin controls both:

Way 1 — A Wi-Fi profile baked in during Configurator Prepare. Back in Phase 1, step 11, Configurator asked you to "Select a Wi-Fi configuration profile." If a valid profile was attached there, the device installs it during preparation and comes up already online at Remote Management — no one has to type a WiFi password on the phone. If that step was left blank/skipped, the device has no baked-in WiFi.

Way 2 — Joined by hand during Setup Assistant. Normally a "Choose a Wi-Fi Network" pane appears before Remote Management. Whoever is setting up the phone taps the network and enters the password, and the device is online from that point.

⚠️ The trap that causes a silent timeout. In Phase 1, step 10 you chose which Setup Assistant panes to skip. If the "Choose a Wi-Fi Network" pane was skipped and no Wi-Fi profile was attached (Way 1), the phone reaches Remote Management with no network path at all. It then tries to contact Apple, can't, and times out — with no obvious "you have no internet" message. This single misconfiguration explains a Remote Management timeout perfectly.

If you don't know what was done (someone else ran it, days ago)

You don't need the history — just verify it cleanly on the next attempt. Erase the phone and watch the setup screens yourself:

  1. Did a "Choose a Wi-Fi Network" screen appear, and did you connect to a network?
     - No screen appeared and it went straight toward Remote Management → WiFi was skipped and no profile was attached. That's the timeout cause. Fix: re-Prepare in Configurator and attach a valid Wi-Fi profile, or make sure the WiFi pane is NOT in the skip list so you can join by hand.
     - A screen appeared and you joined a network → the device has internet, so the timeout is not a "no WiFi" problem — move to the network-filtering check below.
  2. Confirm the network actually has internet — open Safari on a different device on the same WiFi. A captive-portal / sign-in WiFi (hotel/guest style) will look connected but block the phone.
  3. Confirm the network isn't filtering Apple's servers (next section).
  4. Re-confirm Apple Business is staged: device assigned to Built-in, and its serial is in the Blueprint's Devices list. Then erase and retry.

Fastest isolation test: run the setup on a known-open network or an iPhone personal hotspot from another phone. If it enrolls there but fails on the office WiFi, the problem is the office network filtering Apple's hosts/ports, not your ABM setup.


How to build a Wi-Fi configuration profile in Apple Configurator (Way 1 detail)

A Wi-Fi profile is a small settings file you make once that holds your network name + password. Attach it during Prepare and Configurator installs it on the device during preparation, so the phone comes up already online at Remote Management — nobody types anything on the phone. (No device needs to be plugged in to build the profile.)

Build it:

  1. In Apple Configurator, choose File > New Profile.
  2. In the General pane, set a Name (e.g., "Office WiFi") and an Identifier (e.g., net.ccvb.wifi).
  3. In the payload list on the left, select Wi-Fi, click Configure, and enter:
     - SSID (Service Set Identifier) — the network name, exactly (case-sensitive).
     - Security Type — for a normal password network, WPA2/WPA3 Personal.
     - Password — the network password.
     - Turn on Auto Join.
  4. File > Save, name it, and save it somewhere easy to find. (Signing is optional — skip it.)

Use it: in the Prepare wizard at "Select a Wi-Fi configuration profile" (Phase 1, step 11), choose this saved profile.

⚠️ Two ways it silently fails to connect: the SSID doesn't match exactly, or the Security Type doesn't match the real network. If your WiFi is 802.1X / Enterprise (username + certificate rather than a shared password), use the Enterprise Wi-Fi settings instead — a Personal profile won't join an Enterprise network.

When it's worth it: a Wi-Fi profile pays off for hands-off setups or multiple devices. For a single device you're standing in front of, joining WiFi by hand during Setup Assistant is faster.
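The two silent failures above can be caught before Prepare by reading the saved profile back. This is an added example, not part of the original guide or of Apple Configurator: it builds an unsigned Wi-Fi profile with the standard `com.apple.wifi.managed` payload keys and lints it against the real network. The SSID, passphrase, function names and the `WPA2` value chosen for "WPA2/WPA3 Personal" are assumptions made for illustration.

```python
import plistlib
import uuid

WIFI_TYPE = "com.apple.wifi.managed"  # payload type of a Wi-Fi payload


def build_wifi_profile(name, identifier, ssid, password, encryption="WPA2"):
    """Return unsigned .mobileconfig bytes with one Personal (shared-password) payload.

    encryption="WPA2" is an assumed stand-in for the "WPA2/WPA3 Personal" choice.
    """
    wifi = {
        "PayloadType": WIFI_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".payload",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Wi-Fi",
        "SSID_STR": ssid,            # must equal the broadcast name exactly
        "HIDDEN_NETWORK": False,
        "AutoJoin": True,
        "EncryptionType": encryption,
        "Password": password,        # stored in clear text in an unsigned profile
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadContent": [wifi],
    }
    return plistlib.dumps(profile)


def lint_wifi_profile(data, real_ssid, real_is_enterprise):
    """Compare a saved, unsigned profile with the real network; return problems found."""
    profile = plistlib.loads(data)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == WIFI_TYPE]
    if not payloads:
        return ["profile contains no Wi-Fi payload"]
    problems = []
    for p in payloads:
        ssid = p.get("SSID_STR", "")
        if ssid != real_ssid:
            near = ssid.strip().lower() == real_ssid.strip().lower()
            how = "differs only in case/whitespace from" if near else "does not match"
            problems.append("SSID %r %s %r" % (ssid, how, real_ssid))
        # An 802.1X payload carries EAPClientConfiguration; a Personal one does not.
        is_enterprise = "EAPClientConfiguration" in p
        if is_enterprise != real_is_enterprise:
            kind = lambda e: "Enterprise" if e else "Personal"
            problems.append("payload is %s but the network is %s"
                            % (kind(is_enterprise), kind(real_is_enterprise)))
        if not is_enterprise and p.get("EncryptionType") != "None" and not p.get("Password"):
            problems.append("Personal payload has no Password")
        if not p.get("AutoJoin", True):
            problems.append("AutoJoin is off; the device will not come up online by itself")
    return problems


if __name__ == "__main__":
    # Constructed sample values, using the Name and Identifier from the steps above.
    data = build_wifi_profile("Office WiFi", "net.ccvb.wifi",
                              "Office-WiFi", "example-passphrase")
    for problem in lint_wifi_profile(data, "office-wifi", False):
        print("PROBLEM:", problem)
```

Because the profile is unsigned and unencrypted, the saved file holds the network password in clear text; store and share it as you would the password itself.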


Required network access (for filtered/corporate WiFi)

If the device is online but still times out, the WiFi is almost certainly blocking Apple's deployment endpoints. The network the phone enrolls on must allow outbound access to:

| Purpose | Hosts | Ports |
|---|---|---|
| Apple Push Notification service (the core of MDM) | *.push.apple.com | TCP 5223 (primary), TCP 443 (fallback), 2197 (server side) |
| Activation / enrollment & Apple Business | *.apple.com, incl. albert.apple.com, gdmf.apple.com, axm-adm-enroll.apple.com, axm-adm-scep.apple.com, mdmenrollment.apple.com, business.apple.com | TCP 443 |
| Apps & content / software updates | *.itunes.apple.com, *.mzstatic.com, *.apps.apple.com, swcdn.apple.com, gs.apple.com | TCP 443 |

Apple publishes the authoritative, maintained list — give it to whoever runs the firewall/WiFi: "Use Apple products on enterprise networks" (Apple Support 101555). Notes: APNs must have TCP 5223 open (it falls back to 443 but is less reliable); you can scope these to Apple's 17.0.0.0/8 IP block; and content filters / TLS-inspection proxies that intercept these connections will break enrollment — Apple's endpoints should be bypassed from SSL inspection.
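To test a network against the table above before enrolling on it, the following added example (not from the original guide or from Apple) probes the listed hosts and ports from a laptop on the same WiFi and classifies the result. The function names and verdict labels are hypothetical, and `courier.push.apple.com` is an assumed concrete host standing in for the `*.push.apple.com` wildcard.

```python
import socket

# (purpose, host, port) taken from the table above. Wildcard rows cannot be
# probed directly, so the APNs rows use an assumed concrete hostname.
REQUIRED = [
    ("apns-5223", "courier.push.apple.com", 5223),
    ("apns-443", "courier.push.apple.com", 443),
    ("enrollment", "albert.apple.com", 443),
    ("enrollment", "gdmf.apple.com", 443),
    ("enrollment", "axm-adm-enroll.apple.com", 443),
    ("enrollment", "axm-adm-scep.apple.com", 443),
    ("enrollment", "mdmenrollment.apple.com", 443),
    ("enrollment", "business.apple.com", 443),
    ("content", "swcdn.apple.com", 443),
    ("content", "gs.apple.com", 443),
]


def tcp_probe(host, port, timeout=5.0):
    """Attempt one outbound TCP connection and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "dns-fail"   # name filtered or not resolvable on this network
    except socket.timeout:
        return "timeout"    # typical of a firewall silently dropping packets
    except ConnectionRefusedError:
        return "refused"    # typical of a firewall actively rejecting
    except OSError:
        return "error"


def check_network(probe=tcp_probe):
    """Probe every required endpoint; return (verdict, list of failed probes)."""
    results = [(purpose, host, port, probe(host, port))
               for purpose, host, port in REQUIRED]
    failed = [r for r in results if r[3] != "open"]
    down = {r[0] for r in failed}
    if "enrollment" in down:
        verdict = "enrollment-blocked"   # config download will fail
    elif {"apns-5223", "apns-443"} <= down:
        verdict = "apns-blocked"         # no push path at all
    elif "apns-5223" in down:
        verdict = "apns-fallback-only"   # works over 443, less reliable
    elif "content" in down:
        verdict = "content-blocked"      # apps and updates affected
    else:
        verdict = "ok"
    return verdict, failed


if __name__ == "__main__":
    verdict, failed = check_network()
    print("verdict:", verdict)
    for purpose, host, port, state in failed:
        print("  %-10s %s:%d -> %s" % (purpose, host, port, state))
```

An "ok" verdict only shows that TCP connections succeed; a TLS-inspection proxy can still accept the connection and break enrollment, so the SSL-inspection bypass has to be confirmed with whoever runs the firewall.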


Troubleshooting (real errors from the walkthrough)

Remote Management screen times out / spins and fails. The device reached Setup Assistant but couldn't pull its config over the network. In order of likelihood: (1) the device has no WiFi because the WiFi pane was skipped and no Wi-Fi profile was attached (see "At what point does the device get WiFi?" above) — most common; (2) the WiFi it's on is filtering Apple's hosts/ports (see "Required network access"); (3) ABM assignment hadn't propagated yet — wait ~15 min, erase, retry; (4) Built-in service off or Blueprint serial not attached. Isolate fast by retrying on an open network / personal hotspot.

The operation couldn't be completed. (AMSErrorDomain error 100.) on Account > Sign In. You're in the wrong menu. Account > Sign In is for apps & books, not enrollment. It can throw error 100 with a managed admin account and is irrelevant to adding a device. Ignore it; do the enrollment sign-in inside the Prepare > Manual Configuration wizard (Phase 1, step 8). If you do need apps-and-books content there later, confirm the account has that permission, set the Mac's date/time/zone correctly, and re-try — error 100 is often an Apple-side media-services hiccup.

Configuration for your iPhone could not be downloaded from the organization. The device reached Remote Management but had nothing to pull. Almost always one of:

  - The device wasn't assigned to a management service yet (Phase 2), or
  - It's assigned to Built-in but has no Blueprint with its serial (Phase 3A), or
  - It's assigned to Jamf but has no matching PreStage (Phase 3B), or
  - You ran Setup Assistant too early (before Phases 2–3).

Fix the missing piece, then erase and re-run Setup Assistant.

Device shows in ABM and Configurator but won't finish setup. Expected if Phases 2–3 aren't complete. Being in ABM only means Phase 1 succeeded. Finish service assignment and Blueprint/PreStage, then erase and retry.

"User not authorized" / can't sign in during Prepare. The account lacks the right role. Use Administrator or Device Enrollment Manager (permission to add devices with Apple Configurator).


Quick reference — the whole flow on one line

Plug in → Configurator Prepare (Manual, uncheck Activate) → device in ABM "Apple Configurator" group → ABM: assign to service (Built-in/Jamf) → ABM: Blueprint-to-serial (or Jamf PreStage) → erase → Setup Assistant downloads config → managed.


✅ Verified on a real device — June 30, 2026

The full four-phase flow was run end-to-end on David's test iPhone and worked: Configurator add → assign to Built-in Device Management → Blueprint assigned to the device by serial → Erase All Content & Settings (via Configurator) → join WiFi by hand during Setup Assistant → Remote Management pulled the Blueprint automatically and the device supervised itself. Confirmed along the way:

  - [x] Four-phase order is correct — staging in ABM before touching Setup Assistant is what makes it work.
  - [x] WiFi must be live at Remote Management — joining WiFi manually during Setup Assistant was enough; the earlier failures were the device reaching Remote Management with no/blocked network.
  - [x] Blueprint-to-serial (service-device Blueprint) is the right path for a device with no assigned user, and it applies without the Apple Business app (that app only appears for Blueprint-to-user app delivery).
  - [x] Erase, don't re-Prepare — a plain Erase All Content & Settings re-runs Setup Assistant while the serial stays enrolled in ABM.
  - [x] Mac's own Apple Account is irrelevant — no need to sign the admin Mac out of iCloud.

Open items to resolve before publishing

Apple documentation index

Apple Business Manager admin guide · CoderTricks · referenced from Apple's official documentation