Add iOS 11+ devices to DEP using Apple Configurator

Prior to iOS 11, Apple allowed only the devices purchased directly from Apple or authorized resellers to be enrolled in Apple’s Device Enrollment Program (DEP). But now you can add any Apple devices running iOS 11 or later using Apple Configurator to your DEP account and then take advantage of Apple Business/School Manager enrollment.

There are two methods to add your iOS/iPadOS devices to DEP using Apple Configurator installed on:

• iPhone running on iOS 16+.
• Mac running on macOS 10.15.6 or later.

Assign an iPhone/iPad to DEP using an iPhone with Apple Configurator installed

Follow the below steps to add your iOS/iPadOS device to DEP:

Install Apple Configurator on iPhone

1. Go to the App Store and install Apple Configurator.
2. Once installed, open the app and grant access to Bluetooth by clicking OK in the pop-up window. Then click Continue.
3. Sign in using your Managed Apple ID that has the Device Enrollment Manager role.



4. Grant access to the camera by clicking OK in the pop-up window.
5. Once the app is prepared, you can decide how to connect the iPhone/iPad (to be added to DEP) to the internet by tapping the gear icon located at the bottom left corner of the app. You can either share the Wi-Fi network credentials or use a network configuration profile.
   • Share Network: If you choose this option, the iPhone/iPad to be added will connect to the internet using the same network credentials as the one configured in the Apple Configurator when it starts.
   • Configuration Profile: You need to create a configuration profile with a Wi-Fi or 802.1x payload credentials. Save the profile in a location in the Files app and then configure it in Apple Configurator.

Assign iOS/iPadOS devices to ABM

1. If you’ve purchased a new iOS/iPadOS device and it is yet to get started, skip directly to step 2. On the other hand, if you want to assign an already configured iOS/iPadOS device to ABM, you must erase all existing content and settings on it.
   • Navigate to Settings > General. Now click on the Transfer or Reset iPhone option. Then choose the Erase All Content and Settings option.

   

   • In the Erase Assistant option, enter your Apple ID password or passcode and review the items that will be erased apart from the content and settings.

   

   • Follow the onscreen instructions and wait for the iPhone/iPad to restart.
2. Launch the Apple Configurator when the iPhone/iPad to be added reaches the Choose a Wi-Fi Network pane on the Setup Assistant. Please note that you must restart the iPhone/iPad to be added if you go past this pane.
3. Hold the device with Apple Configurator close to the iPhone/iPad to be assigned. Within a few seconds, the iPhone/iPad to be added will present the ‘assign’ screen automatically.
4. Position the pattern in the circle to scan the image that appears in the Setup Assistant. If the pairing fails, tap on Pair Manually in the Apple Configurator and select Pair Manually option on the iPhone/iPad to be added. Now, enter the six-digit code that appears on the screen.
5. Wait for a few minutes for the process to complete, then press Erase and Shut Down.
6. Once the device is assigned, tap the menu in the lower right corner of Apple Configurator to see the list of devices assigned.

Assign the added iOS/iPadOS devices to the Hexnode UEM Server

1. Sign in to Apple Business Manager (ABM)/Apple School Manager (ASM).
2. Navigate to Devices. Choose the filter type as Source and then select Manually Added > Apple Configurator. From the list of available devices, you can verify whether your iOS device is added to DEP or not.
3. Select the required device from the list.
4. Click on Edit MDM server and select the MDM server to assign the devices with that server.



Open your Hexnode UEM portal and navigate to Enroll > All Enrollments > No-Touch > Apple Business/School Manager. If the process has been successful, you’ll find the devices under DEP Devices. If the devices do not appear here, click Sync with DEP to sync with Apple Business Manager or Apple School Manager.

Assign an iPhone/iPad to DEP using a Mac with Apple Configurator installed

Pre-requisites:

• The Apple Configurator installed on the Mac should be version 2.5 or later.
• The iPhone/iPad to be added to DEP should be running on iOS/iPadOS 11 or later.

Create a Wi-Fi profile

Follow the below steps to create a Wi-Fi profile in Apple Configurator:

1. Open Apple Configurator.
2. From File → New Profile → Wi-Fi, select Configure.
3. Enter the SSID, security type, password, and any other relevant settings required to connect to your Wi-Fi network.
4. Click Save from the File menu.

Create a Blueprint

Blueprints are templates used for configuring profiles and applications and assigning them quickly to devices. To create a blueprint,

1. Open Apple Configurator, go to Blueprints → Edit Blueprints → New. Provide a suitable name for the blueprint.
2. Select the newly created blueprint and click Add > Profiles. Select the Wi-Fi profile created earlier and click Add.

Prepare the Blueprint

1. Select the blueprint and then click on Prepare.
2. Use Manual configuration.
3. Make sure to check the option ‘Add to Device Enrollment Program’. Then, choose from the following options:
   • Activate and complete enrollment: Uncheck this setting if you have a new or existing device that requires unique user authentication to enroll in MDM and the user must complete the device enrollment. You can enable this setting to manage all the Setup Assistant panes so that the user gets a device ready for use.
   • Supervise devices: This option will be automatically selected when the option ‘Add to Device Enrollment Program’ is enabled. Supervised devices unlock additional management capabilities, mainly intended for corporate-owned devices.
   • Allow devices to pair with other computers: Enable this option to allow users to sync devices with a Mac or PC using a USB cable.
4. Click Next. Add a new MDM server or select it from the list if you’ve added it previously in Apple Configurator 2 preferences.
   • To add a new server, select New Server. Click Next.
   • Enter a name for the server. On the ‘Host name or URL’ field, enter the enrollment URL provided in your Hexnode portal at Admin > Configurator Enrollment or Enroll > Platform-Specific > iOS > Apple Configurator.
5. The required anchor certificates will be automatically added. Click Next.
6. Next, you can create a new organization or select an already created organization.
   • To add a new organization, select New Organization. Click Next.
   • Sign in to your Apple Business Manager or Apple School Manager account. Note that this account should have administrative permissions to manage devices.
   • Select Generate a new supervision identity and click Next.
7. From the Setup Assistant screen, select the steps to be shown to the user. In case you need to skip all the steps in Setup Assistant, select the ‘Don’t show any of these steps’ option. Click Prepare.

Apply blueprint to enroll iOS 11+ devices in Apple DEP

The blueprint prepared on Apple Configurator can be pushed to the target devices by following the below steps:

1. Connect the iOS device to the Mac.
2. Once connected, the device will appear on Apple Configurator. Highlight the device by clicking on it.
3. Navigate to Blueprints and select the newly prepared blueprint. Click Apply.
4. If the device has been previously prepared, you will be prompted to erase the device.

The blueprints will be pushed, and the device will be added to DEP.

Is your iOS device added to DEP?

To verify that your device is added to DEP,

1. Sign in to Apple Business Manager (ABM) / Apple School Manager (ASM).
2. Navigate to Devices. Choose the filter type as Source and then select Manually Added > Apple Configurator. From the list of available devices, you can verify whether your iOS device is added to DEP or not.



Assign the added DEP devices to the Hexnode UEM server

Perform the following steps to assign the DEP devices to the MDM server:

1. Log in to your Apple Business Manager or Apple School Manager account.
2. Select Devices. Search and select the required devices from the list.
3. Next, click on Edit MDM Server and select the MDM server to assign the devices to that server.



On your Hexnode UEM portal, navigate to Enroll > All Enrollments > No-Touch > Apple Business/School Manager. You’ll find the devices under DEP Devices. If the devices do not appear here, click Sync with DEP to sync with Apple Business Manager or Apple School Manager.



30-day provisional period

A device added in Apple DEP via Apple Configurator will behave as a provisionally managed device during the initial 30 days of deployment. This means that the device will take 30 days to transform into an actual DEP-enrolled device. This enables the users to remove the MDM management from the device during this 30-day period irrespective of the DEP Profile configurations. During this provisional period, the device will show a banner on the lock screen notifying the users that the device is managed and they can leave remote management from the Settings app. After 30 days, both the banner and the option to leave remote management will disappear from the device, and users will no longer be able to remove remote management.

Note:

• The ‘Remove Management’ option (Settings > General > Device Management > Remove Management), which appears when you try to uninstall the MDM profile from a device, will remain enabled on your device throughout the 30-day provisional period even if the ‘Allow MDM Removal’ option is disabled on the DEP Policy (Enroll > All Enrollments > No-Touch > Apple Business/School Manager > DEP Policies).
• You can also remove the endpoint management on wiping the device during the provisional period. After the device wipes, click on Leave Remote Management on the Remote Management setup wizard for removing the management.