SAB Enroll Hub

User & Admin Guide

This guide covers system requirements, first-run setup, ABM and ASM credentials, device inventory, DMS server workflows, bulk operations, export, diagnostics, security, and troubleshooting.

1. System Requirements

What you need before you start.

| Requirement | Minimum |
| --- | --- |
| macOS | macOS 26 (Tahoe) or later |
| Architecture | Apple Silicon or Intel |
| Network | Internet access to Apple ABM or ASM APIs |
| Account Role | Admin or Device Enrollment Manager role |

2. First-Run Setup

Start with one organization, then grow from there.

Welcome flow

  1. Understand what SAB Enroll Hub does: multi-org ABM and ASM management
  2. Review what Apple Business Manager or Apple School Manager credentials are needed
  3. Gather Client ID, Team ID, Key ID, and the P-256 private key
  4. Add your first organization and validate the connection before saving

After the first org

Once at least one organization exists, the welcome screen is replaced by the main dashboard and the app becomes your working inventory view.

3. ABM / ASM API Credentials

The four values you need from Apple.

Where to get them

Sign in to business.apple.com or school.apple.com as an administrator and navigate to the API access area in Settings.

| Credential | Purpose |
| --- | --- |
| Client ID | Shown when you create or view an API key |
| Team ID | Your organization's Apple-assigned identifier |
| Key ID | Assigned when you generate a key pair |
| Private Key (PEM) | Downloaded `.p8` file shown only once by Apple |

Important

Download and securely store the private key as soon as you generate it. Apple does not display it again.

When you paste the key into SAB Enroll Hub, include the full PEM header and footer lines.

4. Organizations

Add, edit, test, and remove orgs safely.

Adding an organization

  1. Click the add button in the sidebar or toolbar
  2. Enter a friendly name
  3. Choose Business or School
  4. Paste Client ID, Team ID, Key ID, and the PEM key
  5. Use Test Connection before saving

Editing and removing

You can edit an existing organization without re-entering the private key unless it changes. Deleting an organization removes the record and deletes the private key from the macOS Keychain.

5. Devices and DMS Servers

The main day-to-day workspace.

Devices tab

Sync devices from Apple, then filter and search by status, DMS, model, storage, source, and order. Select a row to inspect serial number, model, enrollment status, DMS assignment, purchase data, and activation lock status.

DMS Servers tab

The DMS Servers tab shows the Device Management Service servers registered in the organization and their current device counts. It is a read-only view designed to support assignment work and validation.

6. Search, Bulk Actions, and Export

Built for real admin throughput.

Cross-portal search

Use indexed search for speed or live search to query each organization directly. This is useful when you know the serial, IMEI, model, order, org, or DMS clue but not the tenant that contains the device.

Bulk operations

Paste or import serial numbers, then assign or unassign them in batches. SAB Enroll Hub automatically excludes obvious duplicates and short invalid values.

Export to CSV

Build a CSV with exactly the fields you need, including serial number, model, status, assigned DMS, date added, and hardware identifiers.

Diagnostics

Review per-organization sync metrics, inspect the audit log, and export an encrypted diagnostics archive if support needs more detail.

7. Updates and Diagnostics

Know what the app is doing and when it needs help.

Checking for updates

SAB Enroll Hub uses Sparkle for update delivery. The update command may remain unavailable until a valid public appcast URL is configured.

Rate limiting and etiquette

  • Let large syncs finish before starting another
  • Prefer bulk operations over many small requests
  • Avoid repeated rapid refreshes
  • Stagger syncs if you manage many organizations

8. Security Model

Designed to keep credentials local and controlled.

| Data | Storage |
| --- | --- |
| Organization name, Client ID, Team ID, Key ID | SwiftData, local and sandboxed |
| Private Key PEM | macOS Keychain, device-bound |
| Device cache, sync metrics, audit log | SwiftData, local and sandboxed |
| API tokens | In-memory only, never persisted to disk |

  • Private keys are not written to disk in plain text
  • The app uses the macOS App Sandbox with network and user-selected file access
  • All API traffic uses HTTPS to Apple endpoints

9. Troubleshooting

The most common issues and what to check first.

401 Unauthorized

  • Confirm Client ID, Team ID, and Key ID all match the private key
  • Make sure the PEM includes the full header and footer
  • Verify the key has not been revoked in ABM or ASM
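
A local pre-check for the pasted key, covering the header and footer requirement from section 3 and the PEM item in the 401 checklist above. This is an added example, not SAB Enroll Hub's own code: `check_p8_pem` and `constructed_sample_pem` are hypothetical names, and it assumes the key is a PKCS#8 or SEC1 PEM.

```python
import base64
import re

# DER encoding of the prime256v1 (P-256) curve OID, 1.2.840.10045.3.1.7.
OID_PRIME256V1 = bytes.fromhex("06082a8648ce3d030107")
# Assumption: the key is PKCS#8 ("PRIVATE KEY") or SEC1 ("EC PRIVATE KEY") PEM.
BOUNDARY = re.compile(r"-----(BEGIN|END) (?:EC )?PRIVATE KEY-----")


def check_p8_pem(text):
    """Return the problems found in a pasted key; an empty list means it looks usable."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    first = BOUNDARY.fullmatch(lines[0]) if lines else None
    last = BOUNDARY.fullmatch(lines[-1]) if lines else None
    problems = []
    if not (first and first.group(1) == "BEGIN"):
        problems.append("missing PEM header line")
    if not (last and last.group(1) == "END"):
        problems.append("missing PEM footer line")
    body = "".join(ln for ln in lines if not ln.startswith("-----"))
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:
        der = b""
    if not der.startswith(b"\x30"):
        problems.append("body is not base64-encoded DER")
    elif OID_PRIME256V1 not in der:
        # Structural pre-check only: looks for the curve OID, does not parse the key.
        problems.append("key is not on curve P-256")
    return problems


def _tlv(tag, payload):
    return bytes([tag, len(payload)]) + payload  # short-form DER length (< 128 bytes)


def constructed_sample_pem(curve_oid=OID_PRIME256V1):
    """Constructed PKCS#8 test input with a placeholder scalar; not a real key."""
    ec_public_key = bytes.fromhex("06072a8648ce3d0201")  # id-ecPublicKey
    ec_priv = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x04, b"\x11" * 32))
    der = _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x30, ec_public_key + curve_oid)
               + _tlv(0x04, ec_priv))
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN PRIVATE KEY-----\n%s\n-----END PRIVATE KEY-----" % b64
```

Run the check on the machine where the key is stored, and do not log the key text itself.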

Unassign fails with HTTP 409

Sync the organization first so SAB Enroll Hub has the current DMS relationship, then retry the unassign action.

DMS counts or names look wrong

Refresh the device cache with Sync. DMS counts come from the local cache, and live lookup may be needed if names are stale.

Logs and support bundles

Use Help > Open Logs Folder for raw logs and Export Diagnostics for a support-friendly encrypted archive.