The Device Enrollment Program (DEP) from Apple is designed to help enterprises and educational institutions simplify the Mobile Device Management (MDM) enrollment process for IT departments and end-users. The Device Enrollment Program enables enterprises to automatically install MDM profiles onto devices during the initial device setup process as well as supervise iOS devices over-the-air. Prior to the Device Enrollment Program, in order to supervise a device, it had to be tethered via USB to a computer running Apple Configurator. Learn more about this program with Apple’s Device Enrollment Program guide.
One important prerequisite for DEP eligibility is that the enterprise's information must be registered with Apple's DEP. For information on the other prerequisites and to register the enterprise's information, customers should navigate to https://deploy.apple.com
Note: From the Device Enrollment Program guide from Apple, “The Device Enrollment Program is available to qualifying businesses, K–12 public and private schools, colleges, and universities in the United States that purchase iPad, iPhone, or Mac directly from Apple.” Devices cannot simply be bought from the Apple Store and used in DEP. They must be procured directly from Apple through a corporate order or through a supported carrier.
A Safari, Firefox, or Chrome web browser is required (Internet Explorer is not supported). Make sure to work through all of the steps in this guide in the same browser session. The APNs generation process with Apple uses time-based and browser-based credentials for security purposes, so all of the steps below must be completed in one browser session from start to finish to avoid security or session-related errors. If one browser does not generate the certificate, try a different browser, but make sure to repeat and complete all of the steps in a single session.
The Device Enrollment Program solves several critical requirements for corporate-owned devices. A major concern for IT is that users can, at their discretion, remove MDM from their corporate iOS devices. With DEP, enterprises can now install non-removable MDM profiles, preventing users from un-enrolling the device.
Apple gives an administrator more control over a device when that device is placed into supervised mode. Prior to the Device Enrollment Program, enterprises that wanted to place their devices under supervision had to connect the device via USB to a master Mac. Once a device was connected, it could be placed under supervision through Apple Configurator. Now, with the Device Enrollment Program, devices can be placed into supervised mode over-the-air (OTA) through the AirWatch administrative console. Since MDM enrollment begins during the initial device setup, enterprises can skip certain setup options entirely and even require end-users to enroll the device. By making enrollment into MDM part of the device setup, the Device Enrollment Program simplifies the entire enrollment process, making it easy for non-tech-savvy end-users to enroll into MDM. For example, students given a school-owned device can simply unbox the device and complete the setup process to enroll into MDM.
For end-users, MDM enrollment now becomes a familiar user experience and part of the initial device setup. In addition, the Device Enrollment Program drastically reduces the number of post-enrollment steps through the use of silent application installations. Administrators can also easily customize prompts or eliminate setup steps during enrollment to fit their organization's needs.
For IT, manually enrolling thousands of devices is time consuming. With automated enrollment during the device's setup, end-users can enroll into MDM as soon as the device is taken out of the box. With the Device Enrollment Program, the need for staging or provisioning processes can be completely eliminated, and devices can be sent directly to end-users. The Device Enrollment Program enables IT to easily leverage the advanced capabilities of supervision without physically tethering a device to a master computer running Apple Configurator: supervision can be turned on OTA with the click of a button. IT also avoids the risks associated with unmanaged devices. With the Device Enrollment Program, IT can use non-removable MDM profiles and even require devices to re-enroll after being wiped or reset.
Integration and Enrollment
- AirWatch versions 7.1+
- iOS 7+
AirWatch integrates seamlessly with the Device Enrollment Program to provide streamlined enrollment and management benefits. AirWatch allows organizations to automatically import devices into AirWatch directly from your Apple order history. Through AirWatch, administrators can configure the DEP, create DEP profiles and apply the configured settings to different devices depending on the use case.
The steps for configuring the DEP for integration with AirWatch are as given below:
- Register your Organization with DEP by navigating to https://deploy.apple.com
- Log into the AirWatch Admin Console and navigate to Groups & Settings > All Settings > Devices & Users > Apple > DEP and select Configure to configure the settings for Apple.
- Download the Public key by selecting MDM_DEP_PublicKey.pem
- Select Apple Deployment Programs to navigate to https://deploy.apple.com and log in using your registered Apple ID and password.
- Add the MDM server and upload the Public key to the Apple DEP.
- Download the Apple Server Token file from Apple DEP.
- Register devices to the MDM server.
- Upload the Apple Server Token file in the AirWatch Admin Console by clicking Upload.
- Define the DEP profile settings within the AirWatch Admin Console.
AirWatch also enables the following through the Device Enrollment Program:
- Support for staging workflows.
- Automatically assign ownership types to different devices.
- Pre-assign devices to users and groups to bypass authentication and automatically organize devices.
- Full support for other standard device lifecycle and MDM features.
Once the DEP is configured, DEP profile settings are defined within the AirWatch Admin Console and then assigned to the registered devices. The device user completes the Setup Assistant actions on the device, after which the device is enrolled into MDM.
- AirWatch sends requests to the Apple Server. The requests can be of types such as Define a profile, Assign a profile, Fetch and Sync devices, and Delete a device.
- Device begins the Setup Assistant process, communicates with the Apple Server and receives the DEP Profile settings from the Apple server.
- The device is redirected to AirWatch Server to receive the MDM profile.
You can assign devices based on either Order Number or Serial Number from Apple's Volume Services page.
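The "Define a profile" request and the assignment by serial number above are where the non-removable, supervised settings this page describes are actually fixed for a device. The following is an added example, not AirWatch's or Apple's code, of a pre-flight lint for such a profile definition: it flags the weak settings (removable MDM, non-mandatory enrollment, unsupervised, plain-HTTP enrollment URL) and rejects serials that were never synced from Apple for this MDM server. The field names are assumed to match Apple's DEP web service profile schema; the URL, serials and profile name are constructed placeholders.

```python
import json

# Constructed DEP profile definition for corporate-owned devices, i.e. the
# body of a "Define a profile" request an MDM server sends to Apple.
# Field names are assumed from Apple's DEP web service profile schema.
CORPORATE_PROFILE = {
    "profile_name": "Corp iOS - non-removable MDM",          # constructed
    "url": "https://mdm.example.com/enroll",                  # placeholder
    "is_supervised": True,       # supervision turned on OTA, no Configurator
    "is_mandatory": True,        # Setup Assistant cannot skip MDM enrollment
    "is_mdm_removable": False,   # user cannot un-enroll from Settings
    "allow_pairing": False,      # no tethering to arbitrary hosts
    "skip_setup_items": ["Siri", "Diagnostics", "Restore"],
    "devices": ["C0NSTRUCTEDSER1", "C0NSTRUCTEDSER2"],       # constructed
}


def lint_dep_profile(profile, synced_serials):
    """Return a list of findings (empty when the profile is acceptable).

    synced_serials: serials returned by the Fetch/Sync devices request for
    this MDM server; a profile may only be assigned to serials in that set.
    """
    findings = []
    if not profile.get("url", "").startswith("https://"):
        findings.append("enrollment url must use HTTPS")
    if not profile.get("is_supervised"):
        findings.append("is_supervised is false: device will not be supervised")
    if not profile.get("is_mandatory"):
        findings.append("is_mandatory is false: user may skip MDM enrollment")
    if profile.get("is_mdm_removable", True):
        findings.append("is_mdm_removable is true: user can remove the MDM profile")
    if profile.get("allow_pairing", True):
        findings.append("allow_pairing is true: device can pair with any host")
    unknown = sorted(set(profile.get("devices", [])) - set(synced_serials))
    if unknown:
        findings.append("serials not synced for this MDM server: " + ", ".join(unknown))
    return findings


def build_define_request(profile, synced_serials):
    """Serialize the profile as the request body only if the lint passes."""
    findings = lint_dep_profile(profile, synced_serials)
    if findings:
        raise ValueError("; ".join(findings))
    return json.dumps(profile, sort_keys=True)
```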
Apple Configurator Considerations
Organizations that currently use Apple Configurator can choose to transition to the Device Enrollment Program if they desire. However, Apple does not allow organizations to supervise a device with Configurator if that device is registered to a Device Enrollment Program profile. Devices that were previously enrolled into AirWatch MDM with Apple Configurator can be wiped and re-enrolled into the Device Enrollment Program. However, a device should only be given a Device Enrollment Program profile if an organization plans to start enrolling devices through the program.
Using Multiple MDM Providers
Customers can utilize multiple MDM providers. This is set up in Apple's Volume Services by linking groups of serial numbers to specific MDM instances.
For additional information on using Apple's DEP to automatically enroll new devices with AirWatch MDM, see the AirWatch Guide for the Apple Device Enrollment (DEP) Program.