Managed Preferences
ABM Warranty supports deployment and configuration through managed preferences (MDM) to enable secure, scalable administration in enterprise environments. Managed preferences are primarily used to distribute and manage Apple Business Manager API credentials and to control specific application behavior during managed rollouts.
This document describes how managed preferences interact with ABM Warranty. For a complete, always-up-to-date reference — including preference keys, payload formats, and examples — refer to the official documentation:
- ABM Warranty Utilities Repository: https://github.com/breelabs/ABM-Warranty-Utilities
- Managed Preferences Wiki: https://github.com/breelabs/ABM-Warranty-Utilities/wiki/Managed-Preferences
Credential Management via MDM
Managed preferences are used to deliver managed Apple Business Manager credentials to ABM Warranty. Each managed credential corresponds to a single ABM tenant and results in a dedicated tenant environment inside the app.
Managed credentials include encrypted private key material and metadata (Client ID, Key ID, scope, and display name). Private keys are never stored in plain text and are decrypted locally only after user authorization.
Managed credentials are imported into the app through a guided user experience. Users are prompted to approve and unlock managed credentials before they become active.
Behavior of Managed Credentials
Managed credentials follow explicit rules to ensure predictable behavior:
- Additions — New managed credentials delivered via MDM are detected automatically and queued for import.
- Removals — When a credential is no longer managed, it becomes a normal (user-owned) credential and may be removed manually by the user.
- Updates — Changes to an existing managed credential do not overwrite user state. Managed preferences are treated as authoritative only for initial delivery.
This design prevents silent credential rotation, unexpected data loss, or background key replacement.
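The three rules above can be modeled as a small reconciliation routine. This is an added illustration, not code from ABM Warranty: the field names, the use of Client ID as the credential identity, and the key fingerprint standing in for encrypted key material are all assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Credential:
    client_id: str          # assumed identity of a credential (one per tenant)
    key_fingerprint: str    # hypothetical stand-in for the encrypted key material
    managed: bool = True

@dataclass
class AppState:
    active: dict = field(default_factory=dict)        # client_id -> Credential
    import_queue: dict = field(default_factory=dict)  # awaiting user approval

def reconcile(state, mdm_payload):
    """Apply one MDM delivery to local state and return audit events."""
    events = []
    delivered = {item["client_id"]: item for item in mdm_payload}
    for cid, item in delivered.items():
        known = state.active.get(cid) or state.import_queue.get(cid)
        if known is None:
            # Addition: detected automatically, but only queued for import.
            state.import_queue[cid] = Credential(cid, item["key_fingerprint"])
            events.append(("queued", cid))
        elif known.key_fingerprint != item["key_fingerprint"]:
            # Update: MDM is authoritative for initial delivery only, so the
            # stored key is left untouched (no silent rotation).
            events.append(("update_ignored", cid))
    for cid, cred in state.active.items():
        if cred.managed and cid not in delivered:
            # Removal: the credential stays, but becomes user-owned.
            cred.managed = False
            events.append(("demoted_to_user_owned", cid))
    return events

def approve(state, cid):
    """User approves and unlocks a queued credential, making it active."""
    state.active[cid] = state.import_queue.pop(cid)

if __name__ == "__main__":
    s = AppState()
    # Constructed sample payloads, not real preference keys or values.
    print(reconcile(s, [{"client_id": "tenant-a", "key_fingerprint": "k1"}]))
    approve(s, "tenant-a")
    print(reconcile(s, [{"client_id": "tenant-a", "key_fingerprint": "k2"}]))
    print(reconcile(s, []))
```

The returned events are the kind of record an administrator would expect to find when auditing a rollout: a changed payload or a withdrawn profile produces a visible event rather than a change to the stored key.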
Multi-Tenancy and Managed Preferences
ABM Warranty enforces a strict relationship between credentials and tenants:
- One credential equals one tenant
- One tenant equals one database
When multiple managed credentials are deployed, ABM Warranty creates independent tenant environments. Device data, diagnostics, health status, and logs are isolated per tenant and do not overlap.
For details on tenant isolation, database layout, and logging behavior, see:
Security Model
ABM Warranty is designed with intentional security boundaries:
- Private keys are never written to logs
- Credentials are stored using the macOS Keychain
- Tenant databases are isolated and scoped by credential
- No write operations are ever performed against Apple Business Manager
Managed preferences control delivery of credentials, not ongoing runtime behavior. All imports, retries, and API access remain user-visible and auditable through the Status Dashboard and Logs.