Insight, 11.10.2021

Add Apple devices to DEP afterwards

What is Apple Configurator 2 used for?

Apple Configurator 2 is a free app that is available in the Mac App Store. With the application, Apple devices connected via USB can be configured manually with a Mac before the devices are handed over to the users. For this purpose, so-called profiles can be created and uploaded to the devices. In addition, Apple Configurator 2 enables Apple devices that have not already been assigned to the Device Enrollment Program (DEP) by an authorized reseller to be subsequently added to DEP. This process is only possible for iOS, iPadOS and tvOS devices. macOS devices must be purchased from an authorized reseller in order to benefit from the advantages of automatic enrollment via DEP. Overall, it is advisable to purchase DEP devices directly, as adding them at a later date involves a few manual steps.

What preparations are necessary before a device is subsequently added to DEP?

So that devices can automatically establish an Internet connection and the subsequent registration for DEP can be carried out as conveniently as possible, it is advisable to create a WiFi profile in advance. The WiFi profile can be created on the Mac via the menu item “File” -> “New Profile” -> “WiFi” and then saved as a file.
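The saved WiFi profile is a property-list file, and an unsigned one carries the network password readable in the file. The following added example (not part of the original article, and not Relution or Apple tooling) audits such a file before it is loaded onto devices; the sample profile, SSID and password are constructed, and the function name audit_wifi_profile is hypothetical.

```python
import plistlib

# Constructed sample of an unsigned WiFi profile as saved from "New Profile" -> "WiFi".
# SSID, password and display name are made-up values.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Enrollment WiFi (constructed)</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>SSID_STR</key><string>example-enroll</string>
      <key>EncryptionType</key><string>WPA</string>
      <key>Password</key><string>constructed-psk-123</string>
      <key>AutoJoin</key><true/>
    </dict>
  </array>
</dict>
</plist>"""

WEAK_ENCRYPTION = {"None", "WEP"}

def audit_wifi_profile(data: bytes) -> list[str]:
    """Return findings for every WiFi payload in an unsigned .mobileconfig."""
    try:
        profile = plistlib.loads(data)
    except Exception:
        # Signed profiles are CMS-wrapped and do not parse as a plain plist.
        return ["not a plain plist (signed or damaged profile); unwrap it before auditing"]
    findings = []
    wifi = [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.wifi.managed"]
    if not wifi:
        findings.append("no WiFi payload: WiFi settings must be entered manually")
    for p in wifi:
        ssid = p.get("SSID_STR", "<missing SSID>")
        enc = p.get("EncryptionType", "Any")  # an absent key is treated as "Any" here
        if enc in WEAK_ENCRYPTION:
            findings.append(f"{ssid}: weak or no encryption ({enc})")
        if p.get("Password"):
            findings.append(f"{ssid}: pre-shared key stored in clear text in the file")
        if not p.get("AutoJoin", True):  # an absent key is treated as enabled here
            findings.append(f"{ssid}: AutoJoin disabled, device will not connect by itself")
    return findings

if __name__ == "__main__":
    for finding in audit_wifi_profile(SAMPLE_PROFILE):
        print(finding)
```

A clear-text key finding means the saved file should be stored and shared like a credential, and the network it names is best limited to enrollment traffic.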

How can Apple devices be added later using the Apple Configurator 2?

The Apple devices must be connected via a USB cable to a Mac, on which Apple Configurator 2 is then started. The following dialogue appears:

Right-click the device shown and click “Prepare …”. In the next step, the following options must be selected:

  • Add to Apple Business Manager (corporate) or Apple School Manager (education)
  • Allow devices to pair with other computers

Note: The option “Activate and complete registration” must NOT be selected, otherwise the device will attempt to register directly. Before registration can work, further configuration in Apple Business Manager or Apple School Manager and in Relution is necessary after the device has been added to DEP.

In the next step select “New Server …” and click “Next”.

Now enter the name and the URL of the corresponding Relution server. Any name can be chosen. The URL starts with https:// and is, for example, https://live.relution.io/ for the Relution test system in connection with iOS devices.

The following path must be specified for tvOS devices if the devices are to be managed on the Relution test system: https://live.relution.io/api/v1/devices/appleMdm/depenroll

The displayed certificate is then selected in the next step. If there are several certificates, the first one is chosen.

The server is now defined. It is saved in Apple Configurator 2 and is available again when additional devices are added to the Device Enrollment Program.

Now select “New Organization…” in the following dialog and confirm with “Next”.

The next step is to connect to the Apple DEP server. For this purpose, enter the Apple ID and the password of the respective Apple Business Manager or Apple School Manager account.

If necessary, this registration must be confirmed via 2-factor authentication (entry of a 4-digit code that is sent via SMS).

Now select “Create new supervision identity” and confirm with “Next”. The organization data is also saved by the Apple Configurator 2 so that it can be reused later and no new organization has to be created.

In the next dialog, select the setup steps that are NOT to be skipped when setting up the devices. The “Location Services” option should be selected, otherwise the Apple device will not be assigned to the correct time zone.

In the next step, you should select a WiFi configuration profile previously created in the Apple Configurator 2 via “File” -> “New Profile”, which the device automatically takes over after the restart, thereby establishing an Internet connection.

This enables the Apple device to transfer the subsequent registration for DEP to the Apple server. As an alternative to the WiFi profile, the Internet connection between the Mac and the connected device can also be shared via the USB connection.

If no profile is selected, the WiFi settings are entered manually when the devices are restarted. Clicking “Prepare” now restarts the device. It is automatically registered in the DEP and is then manually assigned to the relevant MDM server from Relution in the Apple Business Manager or Apple School Manager (it is assigned to the Apple Configurator 2 by default).

Which configurations are necessary in the Apple Business Manager or Apple School Manager?

After Apple devices have been manually added to DEP, they have to be assigned to the desired MDM server in the Apple Business Manager or Apple School Manager. Alternatively, a setting can be configured in the Apple Business Manager or Apple School Manager so that “new devices” are automatically assigned to a defined MDM server. All configuration options are described in the online documentation from Apple.

As soon as the Apple devices are assigned to an MDM server in the Apple Business Manager or Apple School Manager, they can then be synchronized in Relution under “Devices” -> “Auto-Enrollments” in the corresponding Relution organization.

How is the enrollment of the new DEP devices completed?

After an Apple device has been subsequently added to the DEP, assigned to an MDM server in the Apple Business Manager or Apple School Manager and assigned a DEP profile in relation to the corresponding auto-enrollment, the automatic enrollment can be carried out on the device.

If no DEP standard profile has been set up in Relution, or if a different DEP profile is to be used, a DEP profile must be assigned to the newly synchronized devices. See the Insight “Automatically enroll Apple DEP devices in Relution”.

What restrictions are there when using the Apple Configurator 2 app?

Preparing devices can take a few minutes. If the current process is canceled or stopped, Apple Configurator 2 needs a certain amount of time to safely finish all operations. The Mac running Apple Configurator 2 should not be turned off during device preparation, as this can damage the devices.

Configuration profiles that are created with Apple Configurator 2 can only be imported into Apple devices via a USB connection. Subsequent remote maintenance of the devices is therefore not possible. With many devices, the manual effort for administrators is also high. By using Relution as a central MDM system, the administrative effort can be significantly reduced.

In the case of Apple devices subsequently added to the DEP, there is a grace period of 30 days with regard to the deletion of the MDM enrollment on the device. Only after this time has elapsed is the “Remove administration” option removed from the settings on the device, so that the user can no longer remove the enrollment manually.