Enrollment of Apple devices through ADE

Automated Device Enrollment (ADE), formerly known as the Device Enrollment Program (DEP), is Apple’s standard method for enrolling organization-owned devices into Mobile Device Management (MDM). ADE utilizes a “zero-touch” approach, allowing devices to automatically enroll in Hexnode UEM and apply configurations immediately upon their first power-on.

This capability is managed through Apple Business Manager (ABM) or Apple School Manager (ASM), which integrate directly with Hexnode to streamline deployment.

Key Concepts

• Apple Business Manager (ABM): A web-based portal combining ADE and VPP (Volume Purchase Program) to manage devices and apps in enterprise environments.
• Supervision: Devices enrolled via ABM can be “Supervised” over-the-air, granting administrators higher privileges and control.
• Zero-Touch Deployment: No manual configuration is required by IT; the user unboxes the device, connects to Wi-Fi, and the device configures itself.

Prerequisites

To use ADE, ensure the following requirements are met:

• ABM/ASM Account: Your organization must be enrolled in Apple Business Manager or Apple School Manager.
• APNs Certificate: A valid Apple Push Notification service certificate must be configured in the Hexnode UEM portal.
• Supported Operating Systems:
  • iOS: iOS 7 or later.
  • iPadOS: iPadOS 13.1 or later.
  • macOS: macOS 10.9 or later.
  • tvOS: tvOS 10.2 or later.
  • visionOS: visionOS 2.0 or later.

Step 1: Configure ADE in Hexnode

Establishing a connection between Hexnode and Apple’s portal is the first step.

1. Log in to your Hexnode UEM portal.
2. Either navigate to Enroll > Platform-Specific > [iOS/macOS/tvOS/visionOS] > Apple Business/School Manager > Add ADE Account or Admin > Apple Business/School Manager > Automated Device Enrollment > Add ADE Account.
3. Enter a name for the ADE account and click to download the certificate file.

Step 2: Configure Apple Business Manager (ABM)

1. Sign in to the Apple Business Manager portal.
2. Select your user account (bottom-left) and navigate to Preferences.
3. Click Add to create a new MDM server.
4. Enter an MDM Server Name (e.g., “Hexnode Production”).
5. Upload the Certificate file downloaded from Hexnode in Step 1.
6. Click Save.
7. Click Download MDM Server Token to retrieve the new server token file.

Step 3: Upload Token to Hexnode

1. Return to the ADE settings page in Hexnode UEM console.
2. Upload the MDM Server Token you just downloaded from Apple.
3. Configure the enrollment settings:
   • Add as Pre-approved device: Enable this to add the ADE devices as pre-approved devices.
   • Default Configuration Profile: Select an existing ADE enrollment profile or create a new one.
4. Save the configuration.

Step 4: Assign Devices to Hexnode Server

Devices purchased from Apple must be assigned to the specific MDM server within the Apple portal.

1. Log in to Apple Business Manager.
2. Click Devices in the sidebar.
3. Search for devices (filter by Order Number, Source, or Device Type).
4. Select the devices, then click Edit MDM Server (ellipsis button).
5. Choose Assign to the following MDM and select the Hexnode server created in Step 2.

Step 5: Sync Devices with Hexnode

1. In the Hexnode portal, go to Enroll > All Enrollments > No-Touch > Apple Business/School Manager > Devices.
2. If new devices do not appear, click Sync with ADE.
3. Full Sync: To completely sync all the ADE-enrolled devices go to Enroll > All Enrollments > No-Touch > Apple Business/School Manager > Devices.> Accounts and click Sync all ADE Accounts.

End-User Experience (Device Activation)

Once assigned and synced:

1. The user turns on the device.
2. The device connects to Wi-Fi.
3. The device contacts the Apple server, detects the assigned ADE profile, and prompts for Remote Management.
4. The Hexnode MDM profile installs automatically, and the device applies all pre-configured policies (Supervision, restrictions, etc.).

Frequently Asked Questions (FAQs)

Q1: Is “ADE” the same as “DEP”?

Yes. Automated Device Enrollment (ADE) is the modern name for what was formerly known as the Device Enrollment Program (DEP). Apple rebranded the service to align with Apple Business Manager, but the functionality—automating MDM enrollment and supervision—remains the same.

Q2: What happens if I sell or retire an ADE device?

You must release the device from Apple Business Manager. Simply wiping the device is not enough; if it remains in ABM, it will attempt to re-enroll in Hexnode the next time it connects to Wi-Fi.

Troubleshooting Common ADE Errors

If the enrollment process does not initiate or completes with errors, check the following common issues derived from our support database.

1. “Profile Installation Failed” (On Device)

Symptom: The iOS device fails to install the profile and displays the message “Profile Installation Failed”.

Cause: This usually occurs when the device is not connected to the internet or when Stolen Device Protection is active.

Resolution:

• Check that the device is connected to a stable Wi-Fi network. If Wi-Fi is turned off, ensure cellular data is available.
• Turn off the Stolen Device Protection option in Settings before starting enrollment.
• Updating the device to the latest OS version can also help resolve the issue.

Need more help?

For a comprehensive list of error codes and advanced debugging steps, please refer to our detailed troubleshooting guides:

• Common errors while enrolling iOS devices in Hexnode UEM.
• Common errors while enrolling in Apple Business Manager.