Articles, iOS, Management | March 7, 2014 at 4:58 pm

Exploring Apple’s new Device Enrollment Program

On February 26, 2014 Apple announced its new Device Enrollment Program (DEP). You can read about the features of the DEP here.

In a nutshell, US customers who have purchased devices directly from Apple can:

1) Force enrollment with your MDM when the device is set up (every time)
2) Wirelessly supervise a device
3) Disallow removal of MDM profile on supervised devices

Similar to Activation Lock, when a DEP-enrolled device hits the Internet, it will only activate through your MDM server.

For instructions on how to set up DEP, see: here

TL;DR: you need:

1) A new AppleID with two-step verification
2) Your Apple Customer Number
3) Authority in your company to agree to License Agreements

Setting up your MDM in DEP

Click Add MDM Server

Give it a display name

Upload your public key. This should be downloadable from within your MDM.

Download your DEP token and upload it back to your MDM.

Enter a serial number of a device you’d like to enroll and assign that serial number to your MDM server.

You can either enroll devices by serial number or enroll the entire order. Again, this is limited to purchases made directly from Apple in the United States.

Before your device will talk to the MDM, some things must be configured on the MDM. This is specific to each MDM vendor and the two MDMs I tested are both currently in beta so I can’t go into more detail.

So what does it look like when a device is part of the DEP?

If your MDM supports it, DEP will allow you to customize the setup screen when an iOS device is first turned on.

Setup Assistant screens that can be skipped include:
- Passcode. Hides and disables the passcode pane.
- Location. Does not enable Location Services.
- Restore from backup. Disables restoring from backup.
- Apple ID. Does not allow you to sign in with an Apple ID.
- Terms of Service. Skips the Terms of Service.
- Siri. Disables Siri.
- Sending diagnostics. Disables automatically sending diagnostic information.
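The settings described in this post (forced enrollment, supervision, non-removable MDM profile, skipped panes) can be checked before a profile is assigned to devices. The following is an added example, not from the original post or any MDM vendor: the key names follow Apple's DEP profile format as assumed here, your MDM may expose them differently, and the profile and URL are constructed sample data.

```python
import json

# Constructed sample profile; key names assume Apple's DEP profile format.
SAMPLE_PROFILE = json.loads("""
{
  "profile_name": "Student iPads (constructed sample)",
  "url": "https://mdm.example.org/enroll",
  "is_supervised": true,
  "is_mandatory": false,
  "is_mdm_removable": true,
  "skip_setup_items": ["Passcode", "Location", "Siri", "Diagnostics"]
}
""")

# Pane name -> effect of skipping it, as listed in the article.
SKIP_EFFECTS = {
    "Passcode": "hides and disables the passcode pane",
    "Location": "does not enable Location Services",
    "Restore": "disables restoring from backup",
    "AppleID": "does not allow sign-in with an Apple ID",
    "TOS": "skips the Terms of Service",
    "Siri": "disables Siri",
    "Diagnostics": "disables automatically sending diagnostics",
}

def audit_profile(profile):
    """Return findings for settings that weaken forced, supervised management."""
    findings = []
    if not profile.get("url", "").startswith("https://"):
        findings.append("url: enrollment URL is not HTTPS")
    if not profile.get("is_supervised", False):
        findings.append("is_supervised: device will not be supervised")
    if not profile.get("is_mandatory", False):
        findings.append("is_mandatory: user can skip MDM enrollment during setup")
    if profile.get("is_mdm_removable", True):
        findings.append("is_mdm_removable: user can remove the MDM profile")
    elif not profile.get("is_supervised", False):
        findings.append("is_mdm_removable: non-removable MDM requires supervision")
    for item in profile.get("skip_setup_items", []):
        if item not in SKIP_EFFECTS:
            findings.append(f"skip_setup_items: pane {item!r} is not in the article's list")
        elif item == "Passcode":
            findings.append("skip_setup_items: Passcode skipped; enforce a passcode via MDM")
    return findings

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print("-", finding)
```

Missing keys are treated as the weaker setting (not supervised, not mandatory, removable), so an incomplete profile is flagged rather than passed.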

After the “Restore from backup” screen, if you restored, the device will reboot and then hit the MDM enrollment step. If you set it up as a new device, it will hit the MDM step on the next screen.


Then the next screen sets up your MDM. I set mine to auto-configure, but you could also require an authenticated login to your MDM at this step. Edit: Still trying to figure out authenticated enrollment.

The setup then proceeds as normal, but once I’m done, we can see that it’s already enrolled in my MDM! (And the MDM profile CANNOT be removed!)

And wirelessly supervised! Yes, this works on iOS 7.0.x!

If you run into any issues or have questions, hit me on twitter @dokihara or post a comment. Thanks for reading!

About Derick Okihara

Mac and iOS systems integrator for a private K-12 school in Honolulu, Hawaii.

2 Comments

  • I do have a couple questions Derick if you don’t mind. We are still working with Apple to get our organization access to the DEP. Right now our account is going through a “migration process”. I have escalated that to our Apple EDU rep.

    Anyway, we are getting ready to do a 1 to 1 with 2,430 iPads, and I hope to use DEP. Anyway, does DEP provide any methodology for naming the iPads?

    With Configurator, I could name the device and increment by 1. I hope to somehow get something similar. I hate the thought of having 2,430 devices in Casper named “iPad”. I will contact Casper’s beta team with this inquiry to see if the response should be on their end, but having worked with the new DEP, you will likely know what behaviors to expect. How do you prevent 2,000 devices named iPad showing up in your MDM database?

  • That’s a good question, I would guess it’s named by the serial number or something, but still a good question!

    I’m also wondering about removal as well. We buy iPads and hand them out to students and transfer the ownership to them. After they are done after 2 or 4 years it would be nice to set the Profile to remove after a certain time so if the user isn’t in school anymore it’s not trying to talk to DEP and only trying to activate off the school again.
