What is the Device Enrollment Program (DEP)?
DEP was developed by Apple to allow administrators to install a non-removable MDM profile on a device, which prevents end users from being able to delete it from their device. The DEP program allows you to perform the following:
- Provision devices in Supervised Mode.
- Enforce enrollment for all end users.
- Customize and streamline the enrollment process to meet your organization's needs.
What devices are supported?
- iOS 8+
- OS X 10.9+
Difference between ‘Fetch All Devices’ and ‘Sync Devices’?
The Fetch All Devices command will sync current devices in the MDM server into AirWatch and assign to them the Default DEP Profile. It will not sync removed devices from the MDM server. The Sync Devices command will only sync devices into AirWatch that have been added to your MDM server or remove devices that have been removed/disowned from your MDM server since the last sync. The best practice is to use Fetch Devices the first time you configure DEP and Sync always after that.
Why does the DEP portal show less devices than the AirWatch Console lifecycle page?
This may be caused when performing Fetch all Devices, as this will only return the current devices on the DEP portal to the AirWatch Console; Any devices which were removed will not be returned. To resolve this, you can compare the serial numbers on the Apple portal and the AirWatch Console by downloading the respective CSV files to determine which devices are not in the DEP portal. Upon adding those serial numbers into the DEP portal, perform a Sync.
Why is my device not going through DEP enrollment?
- Ensure the device has a DEP Profile assigned by navigating in the Admin Console to Devices > Lifecycle > Enrollment Status
- Ensure to select an open network when prompted for during the Setup Assistant. On the network, you should be able to make the following telnet commands successfully:
- telnet gateway.push.apple.com 2195
- telnet 1-courier.push.apple.com 5223
- telnet feedback.push.apple.com 2196
- Ensure that your DEP token has not expired by navigating in the Admin Console to Groups & Settings > All Settings > Devices & Users > Apple > Device Enrollment Program
- Ensure that you have accepted Apple’s Terms and Conditions within the Apple Portal by logging into Apple’s DEP portal
- OS X devices enrolling with a Directory User will throw an error initially, but second attempt will be successful. This is because a local account must be present for the DEP process to be successful
What is the difference between ‘Remove Device’ and ‘Disown Device’?
When modifying the MDM server created in the Apple Portal, you have the option to Add, Remove, or Disown a device. Removing a device will make it so that the MDM integrated will no longer have control of the device. The device can be added to a different MDM server or added back to the server it was removed from. Disowning a device will completely remove the device from all instances of DEP preventing it from ever being added back.
Is there a difference between a DEP Supervised and a Configurator Supervised device?
Yes. To force OS updates, the device must have Supervised Mode enabled by DEP.
To associate devices into the Device Enrollment Program, do you have to enter all of the devices’ serial numbers in the Apple site?
Yes, the devices need to be tied to a MDM server. This can be accomplished by associating the serial numbers to the MDM server within Apple’s Deployment Programs site (https://deploy.apple.com). You can either do this by entering in the exact serial number of each device or by associating it with an order number that you received when you purchased the devices.
Instead of skipping location services during the Setup Assistant on the device, can you enable it automatically?
Currently, there is no way to automatically enforce location services to be enabled. Since skipping prompts defaults the action to disabled, it is recommended that you do not skip the location services pane so that users can choose to enable it.
What does ‘Not Applicable’ means on the Token Status?
Once the devices are enrolled not using a token, the Token Status changes from ‘Registration Active’ to ‘Not Applicable’ since no token was used during enrollment.
Can multiple DEP tokens be used in an environment?
You can certainly use multiple DEP tokens in multiple Parent OGs, but not the same token in all the OGs.