Best Practices using Apple Device Enrollment Program (DEP)

Device Enrollment Program Overview

The Device Enrollment Program service, as part of Apple Business Manager/Apple School Manager, helps organizations easily deploy and configure Apple devices (iOS, macOS, tvOS). Using the Device Enrollment Program, organizations benefit from a streamlined out-of-box MDM onboarding process that is essentially "Zero-Touch." Organization-owned iOS, macOS, and tvOS devices purchased directly from Apple or from participating Apple Authorized Resellers or carriers are eligible to use Device Enrollment Program functionality.

Key Device Enrollment Program features include:

  • Mandatory and non-removable MDM enrollment
  • Over-the-Air Supervision
  • Streamlined Setup Assistant

For more information on managing device assignments, refer to Apple Business Manager Help.


Best Practices for Securing Sensitive Information

Apple's Device Enrollment Program services support two authentication scenarios during the Setup Assistant for new device onboarding: ON and OFF. With authentication ON, the person onboarding a device must provide valid organization credentials before the device is configured for the user with any sensitive information (including credentials, applications, etc.). With authentication OFF, the device enrolls into management without any user authentication before it obtains potentially sensitive organizational data.

On iOS and macOS, the Authentication OFF configuration is typically used for staging flows: Single-User Staging and Multi-User Staging. To best secure sensitive user information in a staging workflow, VMware recommends the following:

  • Use a staging user account that is not a real user persona and has no access to corporate resources
  • Limit user-specific configurations such as Email, Certificate, and Mobile SSO to end users only; deploy only generic configurations and applications to the staging user
  • For iOS, in addition to the above recommendations, use the Show/Hide configuration to hide all applications (except the AirWatch Agent / Workspace ONE Intelligent Hub) installed and staged for the staging user. This prevents access to staged applications whose automated application configuration could contain sensitive organizational information
  • For macOS, in addition to the above recommendations, Workspace ONE UEM by default follows native MDM best practices for handling sensitive user information in Authentication OFF flows, for both Single-User Staging and Multi-User Staging: it requires the device to be domain-joined and the user to authenticate before user-specific configurations and profiles are deployed
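An added example (not VMware or Apple code) that audits a DEP profile definition and a staging user's assignments against the recommendations above. The DEP profile keys follow Apple's DEP profile schema (is_mandatory, is_mdm_removable, is_supervised); the assignment and app records, the staging user name, and all sample values are constructed for illustration.

```python
"""Audit helpers for the DEP staging best practices above (added example).
DEP profile keys follow Apple's DEP profile schema; assignment/app record
shapes and all sample data are constructed assumptions."""
from typing import Dict, List, Set

# Payload types the article reserves for real end users, not the staging user.
USER_SPECIFIC_PAYLOADS: Set[str] = {"Email", "Certificate", "MobileSSO"}
# Apps that may stay visible on a staged iOS device.
STAGING_APP_ALLOWLIST: Set[str] = {"Workspace ONE Intelligent Hub", "AirWatch Agent"}

def audit_dep_profile(profile: Dict) -> List[str]:
    """Check the DEP features the article highlights: mandatory, non-removable, supervised."""
    findings = []
    if not profile.get("is_mandatory", False):
        findings.append("is_mandatory=false: enrollment can be skipped in Setup Assistant")
    if profile.get("is_mdm_removable", True):
        findings.append("is_mdm_removable=true: user can remove the MDM profile")
    if not profile.get("is_supervised", False):
        findings.append("is_supervised=false: device is not supervised over the air")
    return findings

def audit_staging_assignments(staging_user: str, assignments: List[Dict]) -> List[str]:
    """Flag user-specific payloads assigned to the staging user (Authentication OFF flow)."""
    return [
        f"{a['payload_type']} '{a['name']}' assigned to staging user {staging_user}"
        for a in assignments
        if a["user"] == staging_user and a["payload_type"] in USER_SPECIFIC_PAYLOADS
    ]

def visible_staged_apps(staged_apps: List[str], hidden_apps: Set[str]) -> List[str]:
    """iOS: staged apps must be hidden via Show/Hide unless they are on the allowlist."""
    return [app for app in staged_apps
            if app not in hidden_apps and app not in STAGING_APP_ALLOWLIST]

def run_audit() -> List[str]:
    # Constructed sample: a removable DEP profile, an Email payload on the staging
    # user, and one staged app left visible.
    profile = {"profile_name": "Staging", "is_mandatory": True,
               "is_mdm_removable": True, "is_supervised": True}
    assignments = [
        {"user": "staging01", "payload_type": "Email", "name": "Corp Exchange"},
        {"user": "staging01", "payload_type": "Restrictions", "name": "Baseline"},
        {"user": "jdoe", "payload_type": "Email", "name": "Corp Exchange"},
    ]
    staged = ["Workspace ONE Intelligent Hub", "Salesforce", "Corp Wiki"]
    findings = audit_dep_profile(profile)
    findings += audit_staging_assignments("staging01", assignments)
    findings += [f"staged app '{app}' is visible to the staging user"
                 for app in visible_staged_apps(staged, {"Salesforce"})]
    return findings

if __name__ == "__main__":
    for finding in run_audit():
        print("FINDING:", finding)
```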
