Apple Device Enrollment Program
What is Apple’s Device Enrollment Program (DEP) and what are its benefits?
With the Device Enrollment Program from Apple, DEP for short, device enrollment in an MDM system can be automated and the initial setup of Apple devices simplified. For example, iOS, macOS and tvOS devices can be preconfigured in Relution automatically and with very little manual effort during the initial start-up.
Registered DEP devices have the following advantages:
- Make it mandatory to enroll the devices via an MDM system
- Operation of the Apple devices in supervised mode (“monitor devices”) in order to obtain extended configuration options
- Protect the device enrollment and prohibit the deletion of the MDM profile on the device
- Put the devices in “Shared iPad” mode
- Skip the setup steps when initially setting up the device
With Relution, Apple DEP devices can be conveniently prepared for use in security-critical scenarios.
What are the requirements for using DEP?
In order to benefit from these advantages, free access to Apple Business Manager (corporate customers) or Apple School Manager (educational institutions) is required. Apple devices can then be enrolled in the Apple Device Enrollment Program.
There are basically two options available for this:
- The Apple devices must be procured as DEP devices. You can do this either directly through Apple or through Apple Authorized Resellers.
- Apple devices that were not procured as DEP devices can also be added to the DEP program at a later date since iOS 11. The current version of Apple Configurator 2 is required for this. The subsequent addition of devices is described in the insight “Add DEP devices with Apple Configurator 2”. The subsequent addition of macOS devices is currently not planned by Apple.
It is recommended to obtain the devices from an authorized Apple dealer in order to avoid the expense of adding them afterwards.
The enrollment of DEP devices is described later in this insight. DEP enables automatic device registration for the following devices:
- iOS devices with iOS 7 or newer
- iPadOS devices
- macOS devices with OS X Mavericks 10.9 or newer
- Apple TV devices (4th generation or newer) with tvOS 10.2 or newer
How is Relution linked to a DEP account?
First, a DEP account is created under “Settings” -> “Apple Automated Device Enrollment”.
Relution generates a server certificate that has to be downloaded. A new MDM server is then created in the Apple Business Manager or Apple School Manager under “Settings for device management”.
To make the Relution server known, the certificate downloaded from Relution is uploaded to the Apple Business Manager or Apple School Manager. When naming the MDM server, it is advisable to use the domain and the Relution organization in order to keep an overview when there are several MDM servers.
After this step, an Apple Token can now be downloaded for the new MDM server.
To complete the coupling of Relution with the Apple Business Manager or Apple School Manager to use DEP, this token is stored in Relution under “Upload token”.
This completes the initial configuration of DEP in Relution and the DEP account that has been set up is displayed.
Currently, Apple’s token has an expiration date and should therefore be updated in good time before it expires. Relution shows pending updates in the Notification Center in good time before the expiry.
In order for DEP devices to be displayed in Relution, the devices must still be assigned to the newly created MDM server in the Apple Business Manager or Apple School Manager in the “Devices” area. If only one MDM server has been configured in Apple Business Manager or Apple School Manager, it is advisable to automatically assign new DEP devices to this MDM server. For this purpose, an automatic device assignment can be configured in the settings of Apple Business Manager or Apple School Manager.
How is a DEP profile created in Relution and why is it needed?
So that DEP devices automatically registered in Relution receive all the necessary configuration information directly during the registration process, a DEP profile must be created in advance under “Devices” -> “DEP profiles”. This defines which settings are preconfigured on the Apple devices before the actual device enrollment is carried out automatically during the initial start-up. Important options are:
- Force MDM enrollment
- Force user authentication on enrollment
- Monitor device (supervise) - see insight Dealing with iOS supervised devices
- User is allowed to remove MDM enrollment
- Activate “Shared iPad” - see insight Relution with Apple Shared iPad
The options “Monitor device (supervise)” and “User is allowed to remove MDM enrollment” are particularly important. Supervised mode is a prerequisite for preventing users from manually removing the MDM profile on the device. This prevents the MDM from losing control of the device.
Furthermore, in the lower area of the DEP profile input mask, you can define which setup steps should be skipped during the initial commissioning of the devices. The option to skip the location services should not be selected, otherwise the Apple device will not automatically be assigned to the correct time zone. Alternatively, the time zone can also be set using a policy.
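The following added example (not Relution's or Apple's code) audits a DEP profile definition for the settings this insight calls out as security relevant and produces a hardened copy. It assumes the profile is expressed with the field names of Apple's DEP profile definition (is_mandatory, is_supervised, is_mdm_removable, skip_setup_items); the Relution UI labels appear in the finding messages, and the sample profile and MDM URL are constructed.

```python
# Added example: audit a DEP profile for the options this insight highlights.
# Assumption: field names follow Apple's DEP profile definition; the profile
# values and the MDM URL below are constructed sample data.
from typing import Any, Dict, List

# Constructed sample of a weak profile as it might be clicked together.
WEAK_PROFILE: Dict[str, Any] = {
    "profile_name": "Tablets (constructed sample)",
    "url": "https://mdm.example.invalid/dep",  # placeholder MDM URL
    "is_mandatory": False,        # "Force MDM enrollment" off
    "is_supervised": False,       # "Monitor device (supervise)" off
    "is_mdm_removable": True,     # "User is allowed to remove MDM enrollment" on
    "skip_setup_items": ["Location", "Siri", "Diagnostics"],
}


def audit_dep_profile(profile: Dict[str, Any]) -> List[str]:
    """Return findings; an empty list means the profile follows the guidance."""
    findings: List[str] = []
    supervised = bool(profile.get("is_supervised", False))
    removable = bool(profile.get("is_mdm_removable", True))
    if not profile.get("is_mandatory", False):
        findings.append("'Force MDM enrollment' is off: setup can finish without MDM enrollment")
    if not supervised:
        findings.append("'Monitor device (supervise)' is off: extended restrictions unavailable")
    if removable:
        findings.append("'User is allowed to remove MDM enrollment' is on: MDM profile removable")
    if not supervised and not removable:
        # The insight names supervision as the prerequisite for a non-removable profile.
        findings.append("non-removable MDM profile requires supervision; device stays unsupervised")
    if "Location" in profile.get("skip_setup_items", []):
        findings.append("'Location' setup step skipped: time zone is not set automatically")
    return findings


def harden_dep_profile(profile: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy with the settings corrected as the insight recommends."""
    fixed = dict(profile)
    fixed["is_mandatory"] = True
    fixed["is_supervised"] = True
    fixed["is_mdm_removable"] = False
    fixed["skip_setup_items"] = [s for s in profile.get("skip_setup_items", []) if s != "Location"]
    return fixed


if __name__ == "__main__":
    for finding in audit_dep_profile(WEAK_PROFILE):
        print("FINDING:", finding)
    print("findings after hardening:", audit_dep_profile(harden_dep_profile(WEAK_PROFILE)))
```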
A DEP profile can be defined as the standard profile for all new DEP devices to be registered. Changes to the settings for a DEP profile will not affect enrolled devices unless they are reset and enrolled again via DEP.
Where are the DEP devices from the linked DEP account displayed in Relution?
An overview of all DEP devices synchronized with the DEP account for the corresponding MDM server is listed under “Devices” -> “Auto-Enrollment”. The device list is regularly compared in Relution with the Apple Business Manager or Apple School Manager. Alternatively, device synchronization can be initiated manually. If a device is not displayed in Relution, you should check in Apple Business Manager or Apple School Manager whether the device has been assigned to the corresponding MDM server.
A DEP profile must be assigned to each device so that these devices are automatically preconfigured when they are switched on for the first time (or after a reset) and then connect to the Relution server in order to automatically register. In addition, a device user can be stored here, the device name can be set and guidelines and rules can be assigned.
After the assignment of the DEP profile, devices are configured accordingly during initial commissioning or after a factory reset and are automatically entered into Relution. As long as the assignment of the DEP profile is not changed, resetting an Apple device results in a new enrollment. In the course of enrollment, configurations are imported again using guidelines. When resetting, it should of course be noted that all data, apps or manually adjusted settings on the device are deleted and cannot be automatically restored from an existing backup.
Can DEP devices be moved from another MDM system to Relution?
By creating the Relution server in the Apple Business Manager or Apple School Manager, assigning the DEP devices to it and then resetting the devices to the factory settings, it is easy to switch from another MDM system to Relution. When resetting the DEP devices to the delivery status, all apps, data and settings on the device are deleted. When restarted, the devices automatically register with Relution and receive the assigned configurations via the correspondingly assigned DEP profile from Relution.
This mechanism can also be used to easily move devices from one Relution server to another Relution server.
Apple devices can be reset in Relution in the device inventory list using the “Reset device to factory settings” action.
Alternatively, devices can also be reset using the Apple Configurator 2 app on a Mac via USB.