On February 26, 2014, Apple announced its new Device Enrollment Program (DEP). You can read about the features of the DEP here.
In a nutshell, US customers who have purchased devices directly from Apple can:
1) Force enrollment with your MDM when the device is set up (every time)
2) Wirelessly supervise a device
3) Disallow removal of MDM profile on supervised devices
Similar to Activation Lock, when a DEP-enrolled device hits the Internet, it will only activate through your MDM server.
For instructions on how to set up DEP, see: here
TL;DR: you need:
1) A new AppleID with two-step verification
2) Your Apple Customer Number
3) Authority in your company to agree to License Agreements
Setting up your MDM in DEP
Upload your public key. This should be downloadable from within your MDM.
You can either enroll devices by serial number or you can enroll the entire order. Again, this is limited to purchases made directly from Apple in the United States.
Before your device will talk to the MDM, some things must be configured on the MDM. This is specific to each MDM vendor and the two MDMs I tested are both currently in beta so I can’t go into more detail.
So what does it look like when a device is part of the DEP?
If your MDM supports it, DEP will allow you to customize the setup screen when an iOS device is first turned on.
Setup Assistant screens that can be skipped include:
- Passcode. Hides and disables the passcode pane.
- Location. Does not enable Location Services.
- Restore from backup. Disables restoring from backup.
- Apple ID. Does not allow you to sign in with an Apple ID.
- Terms of Service. Skips the Terms of Service.
- Siri. Disables Siri.
- Sending diagnostics. Disables automatically sending diagnostic information.
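As an added example (not from the original post or from any MDM vendor), here is a small Python audit of a DEP enrollment profile against the three controls listed at the top and the skippable panes above. The key names (`is_supervised`, `is_mandatory`, `is_mdm_removable`, `skip_setup_items`), their defaults and the pane identifiers are taken from Apple's DEP profile JSON format, not from this post; both sample profiles are constructed.

```python
import json

# skip_setup_items identifiers for the seven panes listed above (Apple's DEP
# profile format; these names are not from the original post).
KNOWN_SKIP_ITEMS = {"Passcode", "Location", "Restore", "AppleID", "TOS",
                    "Siri", "Diagnostics"}

def audit_dep_profile(profile):
    """Return (code, message) findings for a DEP profile dict."""
    findings = []
    # Defaults for absent keys follow Apple's format: False, False, True.
    supervised = profile.get("is_supervised", False)
    if not profile.get("is_mandatory", False):
        findings.append(("enrollment-skippable", "user can skip MDM enrollment"))
    if not supervised:
        findings.append(("not-supervised", "device will not be supervised"))
    if profile.get("is_mdm_removable", True):
        findings.append(("mdm-removable", "user can remove the MDM profile"))
    elif not supervised:
        findings.append(("lock-needs-supervision",
                         "is_mdm_removable=false only applies when supervised"))
    skipped = profile.get("skip_setup_items", [])
    findings += [("unknown-skip-item", f"unrecognized pane {i!r}")
                 for i in skipped if i not in KNOWN_SKIP_ITEMS]
    if "Passcode" in skipped:
        findings.append(("passcode-pane-skipped",
                         "no passcode prompt at setup; enforce one via MDM policy"))
    return findings

# Constructed sample profiles (hypothetical names and URL).
WEAK = json.loads("""{
  "profile_name": "Constructed weak profile",
  "url": "https://mdm.example.com/enroll",
  "is_supervised": false,
  "is_mdm_removable": false,
  "skip_setup_items": ["Passcode", "Sir"]
}""")
HARDENED = json.loads("""{
  "profile_name": "Constructed hardened profile",
  "url": "https://mdm.example.com/enroll",
  "is_supervised": true,
  "is_mandatory": true,
  "is_mdm_removable": false,
  "skip_setup_items": ["Location", "Siri", "Diagnostics"]
}""")

if __name__ == "__main__":
    print(audit_dep_profile(WEAK), audit_dep_profile(HARDENED))
```

An empty finding list means the profile forces enrollment, supervises the device and blocks removal of the MDM profile.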
After the “Restore from backup” screen, if you restored, the device will reboot and hit the “MDM”. Or, if you set up as a new device, it will hit the “MDM” on the next screen.
Then the next screen sets up your MDM. I set mine to auto-configure, but you could also require an authenticated login to your MDM at this step. Edit: Still trying to figure out authenticated enrollment.
If you run into any issues or have questions, hit me on Twitter @dokihara or post a comment. Thanks for reading!