Guide to Using the Apple Device Enrollment Program
The Apple Device Enrollment Program (DEP) is the preferred method for touch-free enrollment of corporate-owned devices in your MDM solution. This guide will walk you through the concepts, and help you successfully deploy DEP-enrolled devices.
Tip: We highly recommend that you read this entire guide before beginning the process of enrolling your organization in DEP.
Enrolling Your Organization
Before you can use Apple DEP, you must first enroll in the DEP program. To do this, you must first establish an account with Apple for your organization, then sign up for the DEP program. You can begin the process at https://business.apple.com by clicking the 'Enroll now' link under the sign-in field.
For information on this process, please consult Apple’s documentation, which can be found at the following link: https://help.apple.com/businessmanager/#/tes40577306d .
During the enrollment process, Apple will ask for your “D-U-N-S Number”. This is the number assigned to your organization by Dun & Bradstreet. You will want to check with someone in your finance or purchasing department to find this number. Alternatively, you can look it up on the Dun & Bradstreet website here: https://www.dandb.com/dunsnumberlookup/ .
IMPORTANT: The process of enrolling your organization in Apple’s DEP program can take some time, often as long as two weeks. Once complete, you will be able to continue the process of configuring DEP for your organization.
Once DEP is setup and configured, it provides the easiest method for you to automatically enroll corporately purchased devices in your MDM solution. It also gives you the greatest level of control over Apple devices. So, how does this happen?
First, let’s start with the purchasing process. Devices must be purchased either directly from Apple or from an Apple-authorized third-party reseller in order to be automatically added to the DEP program. If you have devices that were not purchased through one of these avenues, they can still be added to the DEP program, but it’s a little more complicated. We’ll cover that in a later section. For now, just know that the easiest path is to purchase devices directly from Apple or through an authorized reseller.
So, what happens after you’ve purchased the device?
- Apple, or the reseller, will upload the serial numbers of the devices that you’ve purchased into the DEP portal.
- These devices are then assigned to an MDM server in the DEP portal. This is either done manually by you or someone in your purchasing department, or it can be done automatically by device type. We’ll look at that in more depth shortly.
- The devices are synchronized with KACE Cloud Mobile Device Manager (KACE Cloud MDM) and assigned to a DEP profile (again, either manually or automatically, depending on how you’ve configured it).
These three steps need to occur before the device is activated for the first time. If the devices have not shown up in your Apple DEP portal (a.k.a. Apple Business Manager), then you will need to wait for either Apple or the reseller to finish uploading the device information. Typically, this happens quickly, but we have seen it take a few days.
Once the devices have made it into the DEP portal, been assigned to an MDM server, synchronized with KACE Cloud MDM, and been assigned to a DEP profile, the device can be activated. Here’s how that works:
- The device is turned on for the first time (or factory reset if you want to re-provision with a new DEP profile).
- The device contacts the Apple activation server, reports its serial number, and requests an activation profile.
- Apple sends the DEP profile to the device, along with the MDM server information.
- The device (if configured in the DEP profile), automatically enrolls with KACE Cloud MDM during the activation process.
- The device will show up in the KACE Cloud MDM 'Device' list once enrollment is complete. These devices will NOT have a user assigned to them automatically since that information is unknown during the enrollment process, but you can assign a user afterwards.
- All configuration items marked for auto-deployment will be automatically sent to the device once enrollment is complete, and the device will be ready for use by your end user.
Don’t worry—it’s not as difficult as it sounds. You need to configure the settings in Apple Business Manager, and configure the settings in KACE Cloud MDM. Both of these are normally a one-time configuration if you set up everything to happen automatically.
CONFIGURE APPLE BUSINESS MANAGER
In Apple Business Manager, you will see an item called 'MDM Servers' in a section called 'Devices'. (If you don’t see this or cannot access it, then your account may need to be assigned the 'Device Manager' role inside of Apple Business Manager.) Select 'MDM Servers'.
1. CREATE THE MDM SERVER
You may see an entry in this list already if there are devices waiting to be assigned. Assuming this is your first time, find and click the 'Add New MDM Server' link, then give this new server a name. We recommend something simple—the name is only for your use.
Note: KACE Cloud MDM only supports linking a single MDM server from Apple Business Manager to your KACE Cloud MDM subscription. If you work for a large company with multiple divisions, and each division has its own MDM solution, then you may see multiple virtual MDM servers listed here. Each one can be linked to a separate subscription in KACE Cloud MDM or can be linked to a separate MDM product.
When you create the server, you will need to upload the public key from your KACE Cloud MDM subscription. You can download it from KACE Cloud MDM by going to Settings > iOS Settings > Device Enrollment Program (DEP), then clicking the 'Download MDM Public Key' button. Take the file that you downloaded and upload it to the Apple Business Manager portal.
After uploading the public key, you must generate and download the server token from Apple Business Manager so that you can upload it to KACE Cloud MDM. This file exchange is the “handshake” that introduces the two products to each other. These keys are also used to encrypt the DEP data during the exchange (in addition to the https protocol). After you upload the token to KACE Cloud MDM, you should see KACE Cloud MDM display the DEP information for your organization. Note that there is an asynchronous update that is launched in the background and refreshing this page will show the DEP device count once this process is complete.
For detailed instructions, consult the DEP configuration instructions in our Admin Guide: Apple Device Enrollment Program (DEP).
2. MAKE THE MDM SERVER THE DEFAULT
To make the process as easy as possible, you’ll want to mark the MDM server that you just created as the default server for the Apple devices you intend to manage through KACE Cloud MDM. In the 'MDM Servers' list, select the newly created MDM server, then click the 'Edit' button and check the appropriate checkboxes under 'Default Server for' section. This will automatically assign any future purchases to this server.
3. ASSIGN DEVICES
Devices that were previously purchased will need to be assigned to the newly created MDM server. In Apple Business Manager, select the 'Device Assignments' item under 'Devices'. Enter the serial numbers or order numbers of the devices to be assigned to the server, then select the 'Assign to Server' action and choose the MDM server you just created. After clicking 'Done', these devices should be assigned to that server. You can verify that by selecting the server in the 'MDM Servers' list and looking at the number of devices assigned to it. You can also click the 'Download' link in the 'Total' column to download a CSV list of the devices.
If all has gone well, then you have completed the configuration of the MDM sever within Apple Business Manager, and you are now ready to proceed to configuring KACE Cloud MDM.
CONFIGURE KACE CLOUD MDM
When you uploaded the token to KACE Cloud MDM in the previous section, KACE Cloud MDM was linked to the new MDM server you created. This means KACE Cloud MDM can now see the devices in DEP so that you can configure the DEP profile and control the activation process.
If you just assigned devices to your MDM server in DEP, you will probably need to re-sync the information. Although we synchronize the information each night, you can run it manually at any time by going to Settings > iOS Settings > Apple Device Enrollment Program (DEP) and clicking the 'Sync' button. This will read the latest device information from Apple Business Manager so you can use it in the next steps.
1. CREATE A DEP PROFILE
The first step in configuring DEP devices in KACE Cloud MDM is to create a DEP profile. You can have more than one DEP profile if you want to treat certain devices differently than others. That’s up to you, but just remember
that only one profile can be set as the default. If you create more than one, then you will need to manually assign the devices to the non-default profile.
First, you may be wondering, what is a DEP profile? A DEP profile controls the activation process of the device. A DEP profile MUST be assigned to the device before it is activated, otherwise the device will be activated like any normal end-user device (i.e., it won’t be automatically enrolled in mobile device management, and it won’t be a supervised device).
To create a new DEP profile, click the 'Manage DEP Profiles' link under Settings > iOS Settings, then click the 'Add New' button. You will see a few fields plus a bunch of checkboxes. These checkboxes allow you to control the activation process.
First, fill in the name of the profile along with your company’s IT support phone number and email address. The department field is optional and can be used to help you determine which profile to use for a particular group or department in your company.
The next 5 checkboxes are the most important. Here’s what we recommend and why:
- Check 'Supervise the device'.
- As a device administrator, you have MUCH greater control over a supervised device than a non-supervised device. Support for unsupervised DEP devices has been deprecated starting with iOS 11, and eventually Apple will remove this option entirely. Until then, check it.
- Check 'Allow supervised pairing'.
- This will allow the device to be paired to a local computer. This one is really up to you—uncheck it if you don’t want the device to be able to be paired and synched to a computer.
- Check 'Force MDM Enrollment'.
- This will force the device to automatically enroll with KACE Cloud MDM. If it isn’t checked, the user still has the option to enroll, but they can skip it if they don’t want to.
- Uncheck 'Allow MDM profile to be removed'.
- Unless you don’t mind losing corporate assets, you probably want to keep them under management, which means you don’t want end users to be able to remove the MDM management profile from the device. Leave this unchecked, and the end user will not be able to remove the profile.
- Check 'Force setup to wait for the MDM server to acknowledge configuration'.
- In our opinion, it’s better to wait a few seconds on the enrollment screen and know that it was successfully enrolled rather than allow the end user to proceed with setting up the device just to have to redo it if the network dropped out unexpectedly.
The rest of the checkboxes are purely about your preferences. iOS has a series of screens that are displayed to the end user during the activation process, and you can choose which of those screens to allow and which to suppress. Whatever you choose, click 'Save' when you’re done.
2. SET THE DEP PROFILE AS THE DEFAULT
To keep things as automated as possible, you can set the newly created DEP profile as the default profile so that all newly synchronized devices (i.e., newly purchased devices) are automatically assigned to the profile. We recommend doing this, especially if you only have one profile. Otherwise, you will inevitably forget to assign the device, then wonder why the device wasn’t automatically enrolled. Worse yet, the end user probably won’t tell you about it, either.
To do this, select the DEP profile in the list, then click the 'Set as Default' button in the command bar above the profile detail screen.
3. ASSIGN DEVICES TO THE DEP PROFILE
Last step! Any previously purchased devices will need to be assigned to the DEP profile. If you don’t set a profile as the default, then any future devices that you purchase will also need to be assigned to the DEP profile. Do this by selecting the DEP profile, then clicking the 'Manage Devices' button above the profile detail screen.
The screen that you see will show you the devices that are already assigned to the profile. To remove a device from the profile, click the checkbox in the 'Unassign' column next to the device, then click 'Save'.
To add new devices, click the 'Assign Devices' button at the top right. This will display a list of unassigned devices. Select them, then click the 'Assign' button, followed by the 'Save' button.
At this point, the devices have been assigned to the profile and are now ready to be activated.
Congratulations, you have finished Apple DEP configuration!
Configuring DEP in both Apple Business Manager and KACE Cloud MDM can seem like a lot of work, but the payoff is that you can now deploy Apple devices into your workforce without having to touch them first. Now that it is configured, let’s look at what you will see in KACE Cloud MDM when new devices are purchased and how to configure and activate them.
ASSIGNING NEW DEVICES
If you configured everything to be automatic, then new devices will be automatically assigned to the MDM server in Apple Business Manager, automatically synchronized with KACE Cloud MDM, and automatically associated with a DEP profile. These devices will show up in the system with a status of 'Unenrolled'. Why? Because they haven’t been activated yet, which means they aren’t actually able to be managed by KACE Cloud MDM. You will only be able to view the serial number of the device, because that is all the information that Apple provides until the device is enrolled.
ACTIVATING THE DEVICE
To get the device enrolled, the device must be activated. This is done by: 1) Turning on the device, or 2) Resetting the device to factory defaults. Remember, this has to be done AFTER the device has been synchronized from DEP to KACE Cloud MDM. Doing it before the process is complete will result in the device being set up as just a normal iOS device.
If the DEP profile is configured to force MDM enrollment, then the device will be automatically enrolled during the activation process. If you’ve manually enrolled an iOS device before, you’ll notice one big difference: the DEP-enrolled device will not ask for a username and password during the enrollment process. Instead, these devices are automatically enrolled without an assigned user, but you can manually assign a user to the device once enrollment is complete.
After the device is activated and enrolled, all configuration items and policies that are marked for auto-deployment will be pushed out to the device. Once complete, the device is ready for use.
1. How do I add devices to DEP that were not purchased from Apple or an authorized reseller?
Devices that were not purchased from Apple or an authorized reseller can be added to the Apple DEP program, but it’s a little more difficult to do. You will need to have an Apple Mac computer with Apple Configurator 2 (AC2 ) installed. This app is available for free from Apple through the Mac App Store. Instructions for adding the device to DEP using the app can be found in the Apple Configuration 2 Help section or on the Apple web site.
You will need to have physical possession of the device and plug it into the Mac running AC2. The device will also need to be running iOS 11 or later. If it is running an older version of iOS, you will need to upgrade it first.
Note: Any device added to DEP through AC2 will have a 30-day opt-out period. This means that the device can be reset and removed from the program by the end user within 30 days of being added. To prevent this, we recommend holding on to the device for 30 days before issuing it to your end users.
2. I've changed the DEP profile settings. How do I make them active on the device?
Since the DEP profile is only used during the activation of the device, any changes to a DEP profile will NOT be made automatically on the devices that were previously activated. To get the changes to take effect on the device, you will need to factory reset the device so that it will request a new version of the DEP profile from Apple.