AFP548

Exploring Apple’s new Device Enrollment Program

On February 26, 2014 Apple announced its new Device Enrollment Program (DEP). You can read about the features of the DEP here. In a nutshell, for US customers who have purchased devices directly from Apple, you can:

1) Force enrollment with your MDM when the device is set up (every time)
2) Wirelessly supervise a device
3) Disallow removal of the MDM profile on supervised devices

Similar to activation lock, when a DEP enrolled device hits the Internet, it will only activate through your MDM server.

For instructions on how to set up DEP, see: here

TL;DR: you need:

1) A new Apple ID with two-step verification
2) Your Apple Customer Number
3) Authority in your company to agree to License Agreements

Setting up your MDM in DEP

Click Add MDM Server.

Give it a display name.

Upload your public key. This should be downloadable from within your MDM.

Download your DEP token and upload it back to your MDM.

Enter a serial number of a device you’d like to enroll and assign that serial number to your MDM server. You can either enroll devices by serial number or you can enroll the entire order. Again, this is limited to purchases made directly from Apple in the United States.

Before your device will talk to the MDM, some things must be configured on the MDM. This is specific to each MDM vendor and the two MDMs I tested are both currently in beta so I can’t go into more detail.

So what does it look like when a device is part of the DEP?

If your MDM supports it, DEP will allow you to customize the setup screen when an iOS device is first turned on. Setup Assistant screens that can be skipped include:

– Passcode. Hides and disables the passcode pane.
– Location. Does not enable Location Services.
– Restore from backup. Disables restoring from backup.
– Apple ID. Does not allow you to sign in with an Apple ID.
– Terms of Service. Skips the Terms of Service.
– Siri. Disables Siri.
– Sending diagnostics. Disables automatically sending diagnostic information.

After the “Restore from backup” screen, if you restored, the device will reboot and hit the “MDM”. Or, if you set up as new, it will hit the “MDM” on the next screen. It looks like this:

Then the next screen sets up your MDM. I set mine to auto-configure, but you could also require an authenticated login to your MDM at this step.

Edit: Still trying to figure out authenticated enrollment

The setup then proceeds as normal, but once I’m done, we can see that it’s already enrolled in my MDM! (And the MDM profile CANNOT be removed!)

And wirelessly supervised! Yes, this works on iOS 7.0.x!

If you run into any issues or have questions, hit me on Twitter @dokihara or post a comment. Thanks for reading!
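Added example, not part of the original post or any MDM vendor's code: a small Python audit of a DEP enrollment profile against the three guarantees listed at the top of the post and the skippable Setup Assistant panes. The JSON key names (is_supervised, is_mandatory, is_mdm_removable, skip_setup_items and its values) are assumed from Apple's DEP profile format and do not appear in the post; the sample profiles are constructed.

```python
# Added example: audit a DEP enrollment profile against the guarantees the
# post describes. Key names are assumed from Apple's DEP profile JSON (they
# are not in the post); the sample profiles below are constructed.

# Post's Setup Assistant pane names -> assumed skip_setup_items values.
PANE_KEYS = {
    "Passcode": "Passcode",
    "Location": "Location",
    "Restore from backup": "Restore",
    "Apple ID": "AppleID",
    "Terms of Service": "TOS",
    "Siri": "Siri",
    "Sending diagnostics": "Diagnostics",
}

def audit_profile(profile):
    """Return a list of findings; an empty list means the profile enforces
    forced enrollment, supervision and a non-removable MDM profile."""
    findings = []
    supervised = profile.get("is_supervised", False)
    if not profile.get("is_mandatory", False):
        findings.append("enrollment can be skipped in Setup Assistant")
    if not supervised:
        findings.append("device will not be supervised")
    # Removal can only be blocked on supervised devices; default is removable.
    if profile.get("is_mdm_removable", True):
        findings.append("user can remove the MDM profile")
    elif not supervised:
        findings.append("is_mdm_removable=false needs is_supervised=true")
    skipped = set(profile.get("skip_setup_items", []))
    unknown = skipped - set(PANE_KEYS.values())
    if unknown:
        findings.append("skip items not in the post's list: "
                        + ", ".join(sorted(unknown)))
    if "Passcode" in skipped:
        findings.append("passcode pane skipped: enforce a passcode by MDM policy")
    return findings

# Constructed sample profiles.
WEAK = {"profile_name": "default", "is_supervised": False,
        "is_mdm_removable": False, "skip_setup_items": ["Passcode", "Sirii"]}
STRONG = {"profile_name": "locked", "is_supervised": True,
          "is_mandatory": True, "is_mdm_removable": False,
          "skip_setup_items": ["Siri", "TOS"]}

if __name__ == "__main__":
    for name, prof in (("WEAK", WEAK), ("STRONG", STRONG)):
        print(name, audit_profile(prof) or "OK")
```
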

Derick Okihara

Mac and iOS systems integrator for a private K-12 school in Honolulu, Hawaii.
