What is the Device Enrollment Program (DEP)?
DEP was developed by Apple to allow administrators to install a non-removable MDM profile on a device, which prevents end users from being able to delete it from their device. The DEP program allows you to perform the following:
- Provision devices in Supervised Mode.
- Enforce enrollment for all end users.
- Customize and streamline the enrollment process to meet your organization's needs.
What devices are supported?
- iOS 8+
- OS X 10.9+
Why does the DEP portal show less devices than the Workspace ONE Console lifecycle page?
This may be caused when performing Fetch all Devices, as this will only return the current devices on the DEP portal to the Workspace ONE Console; Any devices which were removed will not be returned. To resolve this, you can compare the serial numbers on the Apple portal and the Workspace ONE Console by downloading the respective CSV files to determine which devices are not in the DEP portal. Upon adding those serial numbers into the DEP portal, perform a Sync.
Why is my device not going through DEP enrollment?
- Ensure the device has a DEP Profile assigned by navigating in the Admin Console to Devices > Lifecycle > Enrollment Status
- Ensure to select an open network when prompted for during the Setup Assistant. On the network, you should be able to make the following telnet commands successfully:
telnet gateway.push.apple.com 2195
telnet 1-courier.push.apple.com 5223
telnet feedback.push.apple.com 2196
- Ensure that your DEP token has not expired by navigating in the Admin Console to Groups & Settings > All Settings > Devices & Users > Apple > Device Enrollment Program
- Ensure that you have accepted Apple’s Terms and Conditions within the Apple Portal by logging into Apple’s DEP portal
Is there a difference between a DEP Supervised and a Configurator Supervised device?
Yes. To force OS updates on devices below iOS 10.3, the device must have Supervised Mode enabled by DEP.
To associate devices into the Device Enrollment Program, do you have to enter all of the devices’ serial numbers in the Apple site?
Yes, the devices need to be tied to a MDM server. This can be accomplished by associating the serial numbers to the MDM server within Apple’s Deployment Programs site (
https://deploy.apple.com). You can either do this by entering in the exact serial number of each device or by associating it with an order number that you received when you purchased the devices.
Instead of skipping location services during the Setup Assistant on the device, can you enable it automatically?
Currently, there is no way to automatically enforce location services to be enabled. Since skipping prompts defaults the action to disabled, it is recommended that you do not skip the location services pane so that users can choose to enable it.
What does ‘Not Applicable’ means on the Token Status?
Once the devices are enrolled not using a token, the Token Status changes from ‘Registration Active’ to ‘Not Applicable’ since no token was used during enrollment.
Can multiple DEP tokens be used in an environment?
You can certainly use multiple DEP tokens in multiple Parent OGs, but not the same token in all the OGs.