Insight 19.10.2022

Supervision certificate for DEP devices

Can DEP devices be protected against unauthorized access?

To protect DEP devices against unauthorized access, Relution allows the setting "Allow connecting to Macs or PCs and configuring with Apple Configurator" to be disabled in the DEP profile. The Apple device can then no longer be connected to a Mac or PC and subsequently configured via Apple Configurator. This prevents users from, for example, removing the MDM profile. The setting cannot be changed afterwards without resetting the device.

What should be kept in mind when using this setting?

Under certain circumstances, blocking access via a Mac or PC can deprive the administrator of the option of resetting a device manually via a computer. This can occur, for example, if the WiFi settings are misconfigured or the MDM server fails. The device is then no longer accessible via Relution and cannot be managed or reset. This is also referred to as a lock-in effect.

How can authorized access be ensured with Relution?

With server version 5.13, Relution allows a connection to Macs or PCs even if this is prohibited via the DEP profile. When DEP devices are enrolled in Relution, a supervision certificate is automatically generated. Using this certificate, the administrator can connect the device to a Mac or PC despite the restriction. For this purpose, the certificate is downloaded from Relution and specified once, the first time the device is connected to Apple Configurator. The certificate is available for download in the device details. The device can then be accessed again.

What must be considered when unlocking the device?

The following describes the process when unlocking via the Apple Configurator:

  1. Download the supervision certificate and temporarily copy the password

  2. Create a new organization via the Apple Configurator settings and enter the Apple ID and verification code

  3. Select an existing supervision identity and click Next

  4. Then open the downloaded supervision certificate on the computer with the password from Relution. The keychain with the certificate will be opened

  5. The certificate appears in the Apple Configurator dialog under supervision identities for selection

  6. Create an organization

  7. The device is now unlocked again and can be managed via Apple Configurator

What should be considered when using the supervision certificate?

The certificate is generated only when DEP devices are newly enrolled. During DEP enrollment, the certificate is automatically created and loaded on the device. The functionality does not apply to already enrolled devices and no certificate is generated for existing devices.