Install iOS Roaming Client using Intune and Apple Business Manager

Prerequisites

Before proceeding, complete the following:

Enroll devices in the M365 tenant, including initial Intune enrollment and device access setup. Consult Microsoft's documentation for current Intune enrollment processes
Test any deployment on a small number of devices before deploying to an entire environment

From business.apple.com, locate and deploy DNSFilter – Roaming Client from ABM VPP. Select a number of licenses to meet current and expected future needs. There is no charge for this action. Licensing is assigned later in the DNSFilter dashboard
Define a deployment plan. One approach is to create a small set of test devices using an Entra group for device assignments. When testing is complete, expand using dynamic assignment rules such as:

(device.deviceOwnership -eq "Company") -and ((device.deviceOSType -contains "iPhone") -or (device.deviceOSType -contains "iPad"))

From intune.microsoft.com, select Tenant Administration from the left navigation pane
Select Connectors and Tokens
Select Apple VPP Tokens, locate the VPP token, and select the … button
Select Sync from the context menu to accelerate the 12-hour scheduled sync cycle
Locate the DNSFilter app under Home > Apps > Monitor > By Platform > iOS/iPadOS Apps and confirm it appears before proceeding

Download the DNSFilter .mobileconfig file
Save the file to a version control system such as Git
Create a copy of the file for each deployment Site (for example, one file for iPhones and another for iPads). If planning more than one mobile site, use a descriptive file name such as .mobileconfig-iPads
Using a text editor, edit the following section of the file:
```
<dict>
    <key>site_key</key>
    <string>YOUR SITE KEY HERE</string>
    <key>host_name</key>
    <string>{{SERIALNUMBER}}</string>
    <key>dns_over_tls_enabled</key>
    <false />
</dict>
```
- Replace YOUR SITE KEY HERE with the Site Key from the DNSFilter dashboard
- SERIALNUMBER must be entered in all uppercase. Refer to Intune Device Attribute Settings on Microsoft's site, paying close attention to capitalization requirements. Not all asset tag variables have been tested as replacements for SERIALNUMBER
⚠️ Important: If the file is deployed with incorrect capitalization, spelling, or if the variable needs to change after deployment, the administrator must remove DNSFilter from the device and from the DNSFilter dashboard before redeploying.
Validate the file using an XML validator before saving

From intune.microsoft.com, navigate to Devices > iOS/iPadOS > Configuration
Select Create
Set Profile Type to Templates and select Custom
Enter a name and description for the profile
Select the applicable .mobileconfig file and enter a profile name
Save and assign the profile

✍️ If the configuration profile reports a Check-in Status of Error with error code -2016341112, the device may be busy and will likely accept the profile later, assuming there are no syntax errors in the file.
Navigate to the DNSFilter app in Intune under Apps
Assign DNSFilter to the target devices, most likely the test group. Set the license type to Device

✍️ To prevent users from uninstalling DNSFilter and bypassing filtering policies, set Install as Removable to No. If choosing this configuration, remove the app from devices using the uninstall assignment option before deleting the application from Intune.
Sync the test devices from the Devices main grid to force deployment
Monitor deployments in Intune and in the DNSFilter dashboard. When satisfied, proceed with a broader rollout