
Apple DEP Management

Apple Business Manager’s (ABM) Device Enrollment Program (DEP) enables automatic deployment of your corporate Apple devices. Once a device is activated, it is immediately configured without the IT team having to physically handle it. This documentation explains how to use Apple Business Manager with Hexnode.


Notes:

Only devices running iOS 7.0.4, iPadOS 13.1, OS X 10.9, tvOS 10.2 or later can be added to ABM.

Device Enrollment Program Settings

To integrate Hexnode with Apple Business Manager for device enrollment, follow these steps:

  • Go to Enroll > All Enrollments > No-Touch > Apple Business / School Manager.
  • Create a DEP Account and download the certificate file.

A DEP server token is required at this point and must be uploaded to the portal.
Follow the steps below to download a server token:

    1. Log in to the Apple Business Manager page.
    2. Click Settings in the sidebar, then click Device Management Settings.
    3. Click the Add MDM Server button and name the server.
    4. Upload the public key obtained from the MDM console while setting up the DEP account and click Save.
    5. Click Download Token. Download the server token and upload it to the Hexnode portal.
    6. Click on Next and Finish.

Device Management settings in the DEP portal for assigning enrollment server

Renew the DEP Token

Apple DEP tokens need to be renewed every year. Follow the above steps and upload the new token before your previous token expires.

Pre-approve DEP synced devices

To add DEP devices as Pre-approved devices, check the option Add as Pre-approved Device under DEP Settings.

Setup device enrollment program account for the MDM integration

Apple DEP Devices

By default, the DEP device tab contains the list of devices enrolled under DEP. The list shows details such as the serial number and model, along with the DEP profiles applied to each device, if any.

Devices synced from the DEP account to Hexnode

Associate a device with a profile

  1. Select the device.
  2. Click the Associate DEP Profile button at the top. The following window pops up.
     Associate DEP profile with devices for secure communication
  3. Search for the profile that you want to associate with the device and click on Assign.

Sync with Apple Device Enrollment Program

To import devices enrolled in the configured Apple DEP account to the Hexnode portal, you have to initiate a DEP sync.
Go to Enroll > All Enrollments > No-Touch > Apple Business/School Manager > DEP Devices > Sync with DEP.

DEP Configuration Profiles

This page lists all the existing DEP profiles.

List of DEP configuration profiles created

View the details of any profile

  1. Click on its name.
  2. The following screen pops up with detailed information about the profile.

Setup enrollment information via the DEP profile

You can also edit the profile on this page and save it again.

Add a new profile

  1. Click on Configure DEP Profile.
  2. Fill out all the necessary fields and click on Save.


Here is the description of the configuration parameters for the DEP profile.

  • Display name– A friendly name of the policy.
  • Department– Department name to which the devices are assigned.
  • Support Email Address– An email address for the users to request support during setup.
  • Support Phone Number– Contact number for users if they need help during setup.
  • Enroll Devices in MDM– Enabling this option prevents users from bypassing the “Remote Management” screen during initial device setup.
  • Allow MDM Profile Removal– Check this to make the profile removable after device enrollment. If disabled, users will be blocked from manually removing the MDM profile from the device.
  • Enable Supervision– Check this to make the device supervised upon enrollment.
  • Allow iTunes pairing– Check this option to allow users to sync their devices with iTunes. Disabling this option will prevent all iTunes-related actions. To re-enable it, the device will have to be wiped and re-enrolled.
  • Allow Shared Devices– Check this box to enable multiple users to share Apple School Manager deployed devices.
  • Enable Hexnode UI for Authentication– If disabled, device management has to be set up from Apple’s default Remote Management setup wizard. If enabled, users will be redirected to Hexnode’s default enrollment window. Users can read and agree to the Hexnode EULA terms from here before proceeding with the enrollment. This feature is supported on iOS 13+ and macOS 10.15 or later devices. The enrollment authentication settings (Authentication Modes) configured in the Enroll > Settings tab will take effect when this option is enabled, irrespective of the User Authentication configurations in the DEP Account and the Enrollment authentication settings in the DEP Configuration Profile.
  • Enrollment authentication settings– Choose the authentication method to be used for enrollment. The following options are available:
    • Use Global Authentication Settings – When this option is selected, the authentication settings configured in Enroll > Settings > Authentication Modes are considered.
    • No authentication – When selected, the admin must choose the Domain and Default user to which the device should be assigned.
    Notes:

    • This configuration will not take effect if Enable Hexnode UI for Authentication is enabled.
    • If Enable Hexnode UI for Authentication is disabled, the Enrollment authentication settings configurations will override the User Authentication configurations in the DEP Account.

  • Configure user accounts– Check this to create an ‘Administrator’ user on Mac devices.
  • Don’t show the selected steps– With Hexnode you can have a customized setup experience for your ABM enrolled devices. Check the boxes corresponding to steps that you want to avoid during Apple devices’ setup.

Available options

All DEP Devices

| Setup Assistant Options | Supported versions | Description |
|---|---|---|
| Apple ID | iOS 7.0+, tvOS 10.2+, macOS 10.9+ | Skip Apple ID setup. |
| Biometric | iOS 8.1+, macOS 10.12.4+ | Skip biometric setup. |
| True Tone Display | iOS 9.3.2+, macOS 10.13.6+ | Skip True Tone Display pane. |
| Apple Pay | iOS 8.1+, macOS 10.12.4+ | Skip Apple Pay setup. |
| Restore | iOS 7.0+, macOS 10.9+ | Disable restoring from backup. |
| Screen Time | iOS 12.0+, macOS 10.15+ | Skip the Screen Time pane. |
| Appearance | iOS 13.0+, macOS 10.14+ | Skip the Choose Your Look window. |
| Diagnostics | iOS 7.0+, tvOS 10.2+, macOS 10.9+ | Skip sending diagnostic information to Apple. |
| Location Services | iOS 7.0+, macOS 10.11+ | Skip setting up Location Services. |
| Privacy | iOS 11.3+, tvOS 11.3+, macOS 10.13.4+ | Skips the privacy pane. |
| Siri | iOS 7.0+, tvOS 10.2+, macOS 10.12+ | Disable users from configuring Siri. |
| Terms and Conditions | iOS 7.0+, tvOS 10.2+, macOS 10.9+ | Hide terms and conditions from the user. |


iOS only

| Setup Assistant Options | Supported versions | Description |
|---|---|---|
| Move from Android | iOS 9.0+ | Remove Move from Android option from the Restore pane. |
| Keyboard | iOS 11.0+ | Skip the Keyboard pane. |
| Watch Migration | iOS 11.0+ | Skip the screen for watch migration. |
| iMessage and FaceTime | iOS 12.0+ | Skip the iMessage and FaceTime screen. |
| Passcode | iOS 7.0+ | Hides and disables the passcode pane. |
| SIM Setup | iOS 12.0+ | Skip the add cellular plan pane. |
| Onboarding | iOS 11.0+ | Skip on-boarding informational screens. |
| Software Update | iOS 12.0+ | Skip the mandatory software update screen. |
| Home Button Sensitivity | iOS 10.0+ | Skip the Home Button screen. |
| Device to Device Migration | iOS 13.0+ | Skip Device to Device Migration pane. |
| Zoom | iOS 8.3+ | Skip the Zoom pane which shows larger text and controls. |
| Welcome/Get Started | iOS 13.0+ | Skip the Get Started pane. |


macOS only

| Setup Assistant Options | Supported versions | Description |
|---|---|---|
| FileVault | macOS 10.10+ | Disable FileVault Setup Assistant screen. |
| iCloud Storage | macOS 10.13.4+ | Skip iCloud Documents and Desktop screen. |
| iCloud Analytics | macOS 10.12.4+ | Skip the iCloud Analytics screen. |
| Registration | macOS 10.9+ | Prevent users from filling out the registration form and sending it to Apple. |


tvOS only

| Setup Assistant Options | Supported versions | Description |
|---|---|---|
| Screen Saver | tvOS 10.2+ | Skip setting up screen saver. |
| TV Home Screen Sync | tvOS 11.0+ | Skip TV home screen layout sync screen. |
| Where is this Apple TV? | tvOS 11.4+ | Prevent user from selecting the room for the Apple TV. |
| Set up your Apple TV | tvOS 10.2+ | Prevent users from configuring their Apple TV. |
| Sign In to your TV provider | tvOS 11.0+ | Skip the TV provider sign in screen. |

DEP Enrollment

If you have a non-activated device, start setting it up and get it connected to the internet. If you have an already activated device, reset the device to its factory settings and then activate it. Once it is connected to the internet, the user will be prompted to enable remote management for the device. This will enable MDM administration on the device. Note that the user can bypass this process if “Enroll Devices in MDM” is not enabled on the DEP Configuration Profile.
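
The bypass condition above and the authentication precedence rules in the DEP profile parameters can be checked before a profile is assigned to devices. The following is an added example, not Hexnode code: it models a profile as a plain dictionary keyed by the option labels on this page (a constructed layout, not a Hexnode export or API format) and reports the settings that let a user bypass, remove or weaken management.

```python
# Added example. Keys are the option labels used on this page; the dict layout
# is a constructed stand-in, not a Hexnode export or API format.
GLOBAL = "Enroll > Settings > Authentication Modes"

def effective_auth(profile):
    """Return which authentication setting governs enrollment."""
    if profile.get("Enable Hexnode UI for Authentication"):
        return GLOBAL  # profile-level and DEP-account settings are ignored
    # Assumption: an unset value behaves like "Use Global Authentication Settings".
    mode = profile.get("Enrollment authentication settings")
    return mode if mode == "No authentication" else GLOBAL

def audit(profile):
    """Return (option, finding) pairs for settings that loosen enrollment control."""
    findings = []
    if not profile.get("Enroll Devices in MDM"):
        findings.append(("Enroll Devices in MDM",
                         "user can bypass Remote Management during setup"))
    if profile.get("Allow MDM Profile Removal"):
        findings.append(("Allow MDM Profile Removal",
                         "user can remove the MDM profile after enrollment"))
    if not profile.get("Enable Supervision"):
        findings.append(("Enable Supervision",
                         "device is not supervised upon enrollment"))
    if effective_auth(profile) == "No authentication":
        findings.append(("Enrollment authentication settings",
                         "no user authentication; device goes to the default user"))
    skipped = set(profile.get("Don't show the selected steps", []))
    for pane in sorted(skipped & {"Passcode", "FileVault"}):
        findings.append((pane, "pane skipped; user is not prompted during setup"))
    return findings

# Constructed sample profiles.
WEAK = {
    "Enroll Devices in MDM": False,
    "Allow MDM Profile Removal": True,
    "Enable Supervision": False,
    "Enable Hexnode UI for Authentication": False,
    "Enrollment authentication settings": "No authentication",
    "Don't show the selected steps": ["Siri", "Passcode"],
}
# Same profile with the Hexnode UI enabled: "No authentication" no longer applies.
SHADOWED = {**WEAK, "Enable Hexnode UI for Authentication": True}
HARDENED = {"Enroll Devices in MDM": True, "Allow MDM Profile Removal": False,
            "Enable Supervision": True, "Enable Hexnode UI for Authentication": True}

if __name__ == "__main__":
    for option, finding in audit(WEAK):
        print(f"{option}: {finding}")
```

A skipped Passcode or FileVault pane is reported only as a prompt the user will not see during setup; whether a passcode or disk encryption is enforced some other way is outside what this check looks at.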

Multiple DEP Account Management

You can configure multiple DEP accounts in Hexnode. So, even if your Apple devices are registered to different DEP accounts, you can enroll them in Hexnode by configuring all those DEP accounts in the Hexnode portal.
To configure multiple DEP accounts:

  1. Go to Enroll > All Enrollments > No-Touch > Apple Business/School Manager > DEP Accounts.
  2. Click on Configure DEP Account.
  3. Follow the same procedure to complete the configuration.

To sync all DEP accounts to Hexnode, click on Sync all DEP accounts. This automatically imports all the DEP users associated with the multiple accounts into Hexnode.