Apple Device Enrollment Program

Related Video: Apple Device Enrollment Program

Note: If you have no previous experience with Apple DEP, you may want to begin with the Guide to Using the Apple Device Enrollment Program.

To set up KACE® Cloud management of iOS and macOS devices in the Apple Device Enrollment Program (DEP), follow this 4-step process:

1. Link KACE Cloud MDM with DEP

In KACE Cloud MDM

  1. Select the Settings tab in top navigation.
  2. Select Apple Settings > Device Enrollment Program (DEP).
  3. Click Download MDM Public Key. (.pem file)

In Apple DEP Portal

  1. Go to Apple Deployment Programs (ADP) and sign in using your Apple ID.
  2. Configure a KACE Cloud MDM server:
    • Choose an existing server, or click Add MDM Server and follow instructions.
  3. Caution: To ensure new devices are automatically under management when activated, an admin should check 'Automatically Assign New Devices' during server configuration.

  4. Upload Public Key:
    • Click Choose File to upload public key that was downloaded in KACE Cloud MDM (.pem file), then click Next.
  5. Download Server Token:
    • Click Your Server Token to download and install, then click Done.

Note: For Apple-related support, see Apple Deployment Programs Help .

In KACE Cloud MDM

  1. Click Select Server Token. (.p7m file)
  2. Click Upload Server Token.

Once the server token is uploaded, your server information will be visible in the DEP Information section at the bottom of the page. You can then manage DEP profiles, sync new devices to profile, and unlink KACE Cloud MDM from DEP.

2. Assign to Server in DEP

In Apple DEP Portal

  1. Select Manage Devices in left navigation.
  2. Enter devices by serial or order number, or upload a CSV file.
  3. Under Choose Action, select Assign to Server then choose a server from the list.
  4. Click OK and wait for the Assignment Complete message.

There is a nightly sync between KACE® Cloud MDM and the Apple DEP portal. If you add devices and want to manage them right away, you can force a sync in the DEP Setup section of KACE® Cloud MDM. This will pull any changes that were made to the linked server.

3. Add a DEP Profile and Assign to Devices

To add a DEP profile that will be delivered to a device when it is activated:

In KACE Cloud MDM

  1. Go to Apple Settings > Manage DEP Profiles.
  2. Click Add New.
  3. Complete required fields and make selections.

Note: Force Token Authentication - When configuring a device with a DEP profile on a Mac-enabled tenant, an admin can enable 'force token authentication'. This setting forces a user to enter their username and a deployment token to enroll their device. This restriction helps prevent unauthorized access to sensitive customer information like VPNs, certificates, and custom applications.

Caution: If an iOS device is included in a DEP profile on a Mac-enabled tenant that has 'force token authentication' enabled, then the iOS device(s) will also be forced to authenticate.

Note: Once created, a profile can be designated as the default profile.

The DEP Profile allows for additional levels of device control beyond supervised mode. You can also choose to skip certain setup assistant screens. For many of them, it's not just about skipping an option, but deactivating the functionality on the device. For example, if you skip Apple ID, the user won't be able to sign in with Apple ID on the device at all.

To assign devices to a new profile:

  1. Click Select Devices to Assign to Profile.
  2. Select a device name or names from the list.
  3. Click Assign.
  4. Click Save.

Caution: Devices purchased outside of an official channel may still be assigned to the DEP portal using the Apple Configurator 2 app on Mac, provided the devices are iOS 11 or later. For information on this process, please refer to Apple Configurator 2 Help .

4. Activate Devices

When the end user receives their company-owned device, they should complete the setup process. Once the device logs in to the KACE Cloud MDM server, it will automatically be under mobile device management, provided that 'Automatically Assign New Devices' was checked during the 'Add MDM Server' process in Step 1.

See Activation Lock.


DEP Profile Status Chart

To locate the DEP management status of a device:

  1. Select the Devices tab in top navigation.
  2. Select one or more device names from the list.
  3. In the right panel, choose General.
  4. Scroll down to the Management section to locate the DEP Profile Status line item.
Status Defined
Assigned Apple DEP has received a profile and it is ready to be assigned to the device.
Empty A profile has never been assigned to the device.
Pushed A profile has been delivered to the activated device.
Removed A profile was assigned to the device but has been removed. The device will no longer be managed by KACE Cloud MDM once reactivated.