Enroll Devices using Apple DEP

The Apple Device Enrollment Program (Apple DEP) is a free program and the preferred method for enrolling corporate-owned iOS devices. DEP makes the enrollment of corporate-owned iOS devices automated and seamless for the IT admin. Using Apple DEP, the IT admin can enroll iOS devices into MDM without ever handling them, and can enable supervision during initial setup, including skipping Setup Assistant steps that are not mandatory for your organization. (Apple now provides this functionality as Automated Device Enrollment through Apple Business Manager; the portal names used below are those of the original DEP portal.) For detailed information about Apple DEP, refer to this. Devices not purchased directly from Apple or an authorised reseller can be added to DEP through Apple Configurator, as explained here. The device also needs access to the domains listed here.

  • How Apple DEP works
  • Integrating Apple DEP with MDM
  • Adding Devices to MDM
  • Device Activation Settings
  • Syncing Devices
  • Assigning Users to Devices
  • Remove Devices from the DEP server
  • Troubleshooting Tips

    How Apple DEP works


    The process starts when your organization purchases iOS devices from Apple or from an Apple authorised reseller. Log in to your Apple Deployment Programs account, or create one by following the steps in the Device Enrollment Program Guide. Then register your MDM server with the Apple DEP portal. Once the MDM server is registered, secure communication is established between the MDM server and the Apple portal; this channel is used to synchronize the details of the devices purchased under DEP. When the synced devices appear in MDM, you can assign them to users. When a device is activated, all restrictions and configurations defined in MDM are installed on it over the air (OTA). By configuring DEP, you ensure that every device purchased under DEP is managed by MDM as soon as it is activated.


    Integrating Apple DEP with MDM

    After creating your organization's Apple ID and Deployment account by following the steps in the DEP Program Guide, carry out the steps outlined below to enroll and manage your organization's corporate iOS devices with MDM.

    First, link your MDM server to your organization's Apple Deployment portal.

      1. On the MDM web console, navigate to Enrollment -> iOS -> Apple Enrollment (DEP).
      2. Download the MDM public key certificate. It has to be uploaded to the Apple Deployment portal when adding the MDM server.
      3. Sign in to Apple's DEP portal using your organization's Apple ID.
      4. Navigate to Device Enrollment Program -> Manage Servers.
      5. Click Add MDM Server and type a suitable name for your MDM server. This creates a virtual MDM server on Apple's DEP portal.
      6. Upload the MDM public key certificate you downloaded earlier from MDM.
      7. Download the DEP token generated by Apple. The token authenticates your MDM server to Apple for this virtual server, so store it securely and restrict who can download it.
      8. Navigate back to your MDM console and upload the DEP token.
      9. Specify the email address that should receive notifications about DEP token expiry. The token is valid for one year and must be renewed before it expires, or device syncs stop.
      10. Click Upload to complete the upload of the DEP token. You can then configure the device activation settings as explained here.

    Adding Devices to MDM

    After linking your MDM server to Apple DEP, you can add devices to MDM using one of three methods: Order Number, Serial Number, or Uploading a CSV File.

    • Using Order Number
    • Using Serial Number
    • Uploading CSV File

    Using Order Number

    You can add devices using the order number of a purchase your organization made from Apple. Your organization has an Apple Customer Number, under which the history of all orders and purchases is recorded.

    To add all, or a selection of, the devices purchased under a particular order number directly to MDM, follow the steps below:

      1. On your Apple Deployment portal, navigate to Device Enrollment Program -> Manage Devices.
      2. Select the option Order Number for choosing devices and enter the required order number.
      3. Choose the action Assign to Server and specify the name of the MDM server configured earlier.

    The iOS devices are now assigned to the MDM server.

    Using Serial Number

    This method is suitable when the devices are physically accessible to the IT admin and can easily be erased.

    To add devices to MDM using Serial Number, follow the steps mentioned below:

      1. On your Apple Deployment portal, navigate to Device Enrollment Program -> Manage Devices.
      2. Select the option Serial Number for choosing devices and enter the serial numbers of the required devices as comma-separated values.
      3. Choose the action Assign to Server and specify the name of the MDM server configured earlier.

    The iOS devices are now assigned to the MDM server.

    Uploading CSV File

    You can upload a CSV file containing the serial numbers of the required devices. To add devices to MDM by uploading a CSV file, follow the steps below:

      1. On your Apple Deployment portal, navigate to Device Enrollment Program -> Manage Devices.
      2. Select the option Upload CSV File for choosing devices, then browse to and upload the CSV file containing the serial numbers of the devices.
      3. Choose the action Assign to Server and specify the name of the MDM server configured earlier.

    The iOS devices are now assigned to the MDM server.
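    A pre-upload check for the serial-number CSV, as an added example in Python; it is not part of this page or of the MDM product's own tooling. It assumes the portal expects one serial per line in the first column, tolerates an optional header row and a UTF-8 BOM, and treats 10 to 12 alphanumeric characters as a plausible Apple serial number; all three are assumptions to adjust to your fleet. The sample input is constructed. The script upper-cases and de-duplicates the serials, reports anything the portal would likely reject with its row number, and writes the cleaned list.

```python
import csv
import io
import re
import sys

# Assumption (not from the page): Apple serial numbers are 10 to 12
# alphanumeric characters. Adjust if the devices in your fleet differ.
SERIAL_RE = re.compile(r"^[A-Z0-9]{10,12}$")
HEADER_NAMES = {"serial", "serial number", "serialnumber"}  # assumed header spellings


def parse_serial_csv(text):
    """Parse CSV text into (clean_serials, issues).

    Reads one serial per row from the first column, tolerates a UTF-8 BOM,
    an optional header row, surrounding whitespace and lowercase input.
    Returns the de-duplicated, upper-cased serials in first-seen order plus
    a list of (row_number, problem) tuples for rows that were dropped or
    need attention.
    """
    clean, seen, issues = [], set(), []
    reader = csv.reader(io.StringIO(text.lstrip("\ufeff")))
    for row_no, row in enumerate(reader, start=1):
        if not row or all(not cell.strip() for cell in row):
            continue  # blank line
        raw = row[0].strip()
        if row_no == 1 and raw.lower() in HEADER_NAMES:
            continue  # header row
        if len(row) > 1 and any(cell.strip() for cell in row[1:]):
            issues.append((row_no, f"extra columns ignored: {row[1:]}"))
        serial = raw.upper()
        if not SERIAL_RE.match(serial):
            issues.append((row_no, f"malformed serial {raw!r}"))
            continue
        if serial in seen:
            issues.append((row_no, f"duplicate of {serial}"))
            continue
        seen.add(serial)
        clean.append(serial)
    return clean, issues


def write_serial_csv(serials):
    """Render cleaned serials as one-per-line CSV (the assumed portal layout)."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for serial in serials:
        writer.writerow([serial])
    return out.getvalue()


# Constructed sample: BOM, header, whitespace, lowercase, a duplicate,
# a malformed entry and a row with a stray second column.
SAMPLE = """\ufeffSerial Number
 dmpx12345abc
C02XYZ789012
c02xyz789012
BAD-SERIAL
F9FVR0000001,John Doe
"""

if __name__ == "__main__":
    # Usage: python check_serials.py devices.csv > cleaned.csv
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE
    serials, problems = parse_serial_csv(text)
    for row_no, problem in problems:
        print(f"row {row_no}: {problem}", file=sys.stderr)
    sys.stdout.write(write_serial_csv(serials))
```

    Duplicates are reported rather than silently merged so that a list assembled from several sources can be traced back to the row that introduced the repeat; the portal itself only tells you that the upload failed.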

    An alternative to manually assigning users through a CSV file is automated user assignment. With it, the user is authenticated and the device is assigned to that user when the device is enrolled. Enable this option when DEP is configured, or later from the DEP settings if DEP is already configured. The only prerequisite is that AD/Azure AD must be configured in MDM. When a device is enrolled with DEP auto-assignment, the user name entered on the device must be in the format: domain name\user name

    Device Activation Settings

    Once devices have been added to MDM, they are ready to be enrolled. Before the devices are enrolled, create a DEP profile and apply it to all of them. You can create and apply the profile settings to all your devices at one go by following the steps below:

    1. On the MDM console, navigate to Enrollment -> iOS -> Apple Enrollment (DEP).
    2. Complete the required fields displayed under Device Activation Settings.
    3. Click Create. The DEP profile is now applied to all added devices.


    Profile Specification and Description

    DEP Settings

    Restrict users from removing MDM
        Ensures the user cannot remove MDM management from the managed device. Enable it together with Supervise devices; a non-removable MDM profile is intended for supervised devices.

    Supervise devices
        Enables supervision of the devices. For detailed information on supervised devices, refer to this.

    Force install MDM during device setup
        Makes enrollment with MDM mandatory during the initial setup of the device, so the user cannot skip the remote-management step.

    Authenticate and auto assign users on device activation
        Enable this option to automate user assignment. The user signs in with their Active Directory credentials during activation, and the device is assigned to that user.

    Skip these configurations during device setup
        During device activation, the user is taken through the initial setup steps. With MDM, you can skip selected steps or the entire setup. For example, if your organization does not want users to set up Siri during the Setup Assistant, select Siri from the list of configuration settings. Skipping a step only removes it from the Setup Assistant; it does not enforce a setting, so enforce policy (for example a passcode requirement) through MDM profiles. The list of configuration settings is given below.

    Now, all your corporate iOS devices are associated with the DEP profile created in MDM.

    Syncing Devices

    After creating the DEP profile and applying it to devices, you can sync devices by navigating to Enrollment -> iOS -> Apple Enrollment (DEP). Once the devices are synced, they are listed automatically.

    A device is enrolled into MDM, and listed under Settings -> Enrollment -> Devices, only when it is activated by the user.

    If the devices are not new, they must be factory reset before they can be configured through DEP. Users can reset a device by navigating to Settings -> General -> Reset -> Erase All Content and Settings on the device.

    Assigning Users to Devices

    You can assign each device to an individual user. Navigate to the Assign User tab under Enrollment -> iOS -> Apple Enrollment (DEP) -> Devices and upload a CSV file containing the details of the users to whom the devices are to be assigned. The devices are then assigned to those users.

    Remove Devices from the DEP server

    When a device is enrolled using DEP, one of its most important benefits is that the user cannot unmanage the device, even by factory resetting it: the device re-enrolls at its next activation. To unmanage the device, the admin must remove it from the MDM server. Once the device is removed from the MDM server, it is automatically removed from the DEP portal.

    A device enrolled with one DEP account cannot be enrolled in another. Such devices must therefore be removed from the first DEP account before they can be enrolled into another. Follow the steps below to remove devices from the DEP portal.

    1. Log in to the DEP portal and click Manage Devices.
    2. Enter the serial number or order number of the devices. To remove multiple devices, you can upload a CSV file with the device details.
    3. Under Choose Actions, select Unassign device. This unbinds the device from this DEP account.

    NOTE: To remove devices, always select Unassign device, not Disown device. Disown device should be used only if the device is lost or permanently damaged and will never be part of any workforce again. Disowning a device is irreversible: once disowned, the device can never be added to an organization again.

    Troubleshooting Tips

    1. Even after a successful sync, the device is not listed on the DEP page of the MDM server.

      Check whether the device was enrolled in the MDM server through an enrollment method other than DEP. Remove the device from management, reset the device and sync again with the server. The device will then be listed on the DEP page.

    2. During device activation, you encounter the error message "The configuration can not be downloaded. The configuration is not available".

      Check the device's network connectivity. Also check that the MDM server is reachable from the browser of another device on the same network.

    3. During device activation, you encounter the error message "NSURLErrorDomain error -1012".

      This error (NSURLErrorUserCancelledAuthentication) is typically reported when the device does not trust the server's TLS certificate. Check your network connectivity, and check that the server certificate was copied correctly to the forwarding server when it was configured.

    4. During device activation, you encounter the error message "A server with the specified hostname could not be found.".

      Check the device's network connectivity and DNS: the MDM server's hostname must resolve from the network the device is on. Also check that the MDM server is reachable from the browser of another device on the same network. If not, make the required changes to the server's NAT settings.

    5. You are trying to enroll devices not purchased from Apple or an authorised reseller.

      Apple allows devices running iOS 11 or later that were not purchased directly from Apple or an authorised reseller to be added to DEP. Follow the steps given here to add devices to DEP using Apple Configurator.

    6. While adding devices to the DEP portal, you encounter the error "NOT_ACCESSIBLE".

      This error is shown if the device is not eligible for DEP enrollment, or is already enrolled in or owned by another organization. If the device is not eligible for DEP, follow the steps given here to add it using Apple Configurator. Otherwise, add the device to the correct DEP portal according to the device's owner.
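    The connectivity failures in items 2 to 4 above can be checked from the devices' network before activation. The following is an added example in Python, not from this page or the MDM product: it resolves the MDM server's hostname, opens a TCP connection and completes a TLS handshake with certificate and hostname verification, then maps each failure to the symptom an enrolling device would show. The mapping of exception types to the device's error messages is the example's own, and the default scheme (https) and port (443) are assumptions. Run it from the same network segment as the devices, since the NAT note in item 4 means results from elsewhere may differ, and bear in mind that iOS has its own trust store: a certificate the admin host trusts may still be rejected by the device.

```python
import socket
import ssl
import sys
from urllib.parse import urlsplit

# Result strings echo the device-side messages listed on the page; the mapping
# from what this script observes to those messages is this example's own.
DNS_FAILURE = "A server with the specified hostname could not be found"
TLS_TRUST_FAILURE = "NSURLErrorDomain error -1012 (device would not trust the server certificate)"
TLS_HANDSHAKE_FAILURE = "TLS handshake failed (protocol or cipher mismatch)"
UNREACHABLE = "The configuration can not be downloaded (server not reachable)"
OK = "reachable, verified TLS handshake completed"


def split_host_port(url):
    """Return (host, port) for an MDM server URL.

    A bare hostname is accepted; https and port 443 are assumed when absent.
    """
    parts = urlsplit(url if "://" in url else "https://" + url)
    if not parts.hostname:
        raise ValueError(f"no hostname in {url!r}")
    return parts.hostname, parts.port or 443


def classify_failure(exc):
    """Map an exception raised by preflight() to the symptom the device reports.

    Order matters: gaierror and the ssl errors are all OSError subclasses.
    """
    if isinstance(exc, socket.gaierror):
        return DNS_FAILURE
    if isinstance(exc, ssl.SSLCertVerificationError):
        return TLS_TRUST_FAILURE
    if isinstance(exc, ssl.SSLError):
        return TLS_HANDSHAKE_FAILURE
    if isinstance(exc, OSError):  # refused, timed out, no route
        return UNREACHABLE
    return f"unexpected error: {exc!r}"


def preflight(url, timeout=5.0):
    """Resolve, connect and complete a verified TLS handshake, as the device would.

    Returns a dict with the resolved addresses, the subject of the presented
    certificate (when the handshake succeeds), an ok flag and a result string.
    """
    host, port = split_host_port(url)
    report = {"host": host, "port": port, "addresses": [], "cert_subject": None}
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
        report["addresses"] = sorted({info[4][0] for info in infos})
        ctx = ssl.create_default_context()  # system trust store, hostname check on
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                report["cert_subject"] = tls.getpeercert().get("subject")
        report["ok"], report["result"] = True, OK
    except Exception as exc:
        report["ok"], report["result"] = False, classify_failure(exc)
    return report


if __name__ == "__main__":
    # Usage: python mdm_preflight.py https://mdm.example.com  (placeholder host)
    target = sys.argv[1] if len(sys.argv) > 1 else "mdm.example.com"
    rep = preflight(target)
    print(f"{rep['host']}:{rep['port']} -> {rep['addresses'] or 'unresolved'}")
    print(f"result: {rep['result']}")
    if rep["cert_subject"]:
        print(f"certificate subject: {rep['cert_subject']}")
    sys.exit(0 if rep["ok"] else 1)
```

    A DNS failure here corresponds to item 4, a refused or timed-out connection to item 2, and a certificate verification failure to item 3; a handshake that completes only proves the path from this host, so repeat the check from the device VLAN if the two differ.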