The process of adding devices to Device Enrollment Program (DEP) is explained here. To add devices to Apple DEP, make sure that you have:
- A device bought from Apple or an authorized dealer on or after 1 March 2011 and running at least iOS 7.0.4, OS X 10.9 or tvOS 10.2,
- An MDM server supporting iOS devices,
- Enrolled in DEP, and
- Setup APNs certificate (for the MDM server to communicate with the device).
Steps to Add Devices to DEP
Step 1: Obtain Server Token
Now that you are enrolled in DEP, you can add devices to the program. Before adding devices, you need to obtain a server token from Apple.
- Obtain the DEP certificate from a Mobile Device Management (MDM) console. In the case of Hexnode MDM, a DEP certificate is obtained from Enroll > All Enrollments > No-Touch > Apple Business/School Manager.
- Click on Configure DEP Account.
- Provide an Account Name and download the certificate file dep_cert.pem.
- Sign into Apple Business Manager account (recommend opening in a new tab).
- Click on MDM Servers in the side bar > Click on Add MDM Server button and name the server.
- Upload the public key (the DEP certificate previously obtained) > Click Save.
- Click on Get Token > Download Server Token.
Finally, get back to the Hexnode MDM console and upload the DEP server token.
Step 2: Add Devices to Apple DEP
Now, it is time to add devices. In Apple Business Manager page, under Device Assignments, there are two steps in which you can enroll devices.
- Choose Devices: There are three options in this section – Serial Number, Order Number, and Upload CSV File. Devices can be enrolled to this server either by providing the devices’ serial numbers or by providing the purchase order number. A CSV file can also be uploaded containing the list of serial numbers of those devices needed to be enrolled.
- Choose Action: In this section, select Assign to Server option from the first drop-down box and choose the MDM server to which you need to add the devices from the second list.
After enrolling devices in DEP portal, the details of assigned devices can be seen in the device assignment history, including order number, the MDM server to which the device is assigned, assignment date and the device type.
Step 3: Configure DEP Policy
The DEP policy can be configured from the Hexnode MDM console. Go to Enroll > All Enrollments > No-Touch > Apple Business/School Manager > DEP Policies > Create DEP Policy (or edit existing DEP policies by clicking on them). The policy page contains some text boxes and checkboxes. Text boxes include:
- Display name: Any name that is used to distinguish this DEP policy from other DEP policies.
- Department: Used to mention a group.
- Support phone number: A phone number provided to the users in case they have any doubts regarding DEP enrollment.
Check boxes include the following. The actions performed when checked is explained below:
- Enroll Devices in MDM: Users are required to complete the enrollment before setup.
- Allow MDM Profile Removal: Determines whether the MDM profile installed on the device can be manually removed.
- Allow MDM Profile Removal: Make the device a supervised one. Making a device supervised unlocks additional options of device management that cannot be provided by an ordinary MDM server.
- Allow iTunes pairing: Allow users to sync their devices with iTunes. Disabling this option will prevent every iTunes related actions. To re-enable it, the device will have to be wiped and re-enrolled.
- Enable Multi User Mode: A multi-user is a user who has more than one device registered with DEP. This feature works only with an Edu Apple ID.
- Enrollment authentication settings: Choose the authentication method to be used for enrollment. These settings will override the User authentication configured at Enroll > All Enrollments > No-Touch > Apple Business/School Manager. Two options are available:
- No authentication – When selected admin have to choose the Domain and Default user.
- Use Global Authentication Settings – When this option is selected, the authentication mode as selected on Enroll > Settings > Authentication Modes is considered.
- Don’t show the selected steps: Skip setup steps of the following
- Location: This is the first setup screen where you can select the language and country. This step can be skipped by checking Location in Skip Steps.
- Restore: When the device is reset, checking this option will skip restoring the device back from backup. Backup can be restored later. This option will set up the device as a new device.
- Apple ID: Hides the screen where an existing or a new Apple ID is required to be entered when the device is first set up.
- TOS: The device agrees to the terms of service and conditions automatically.
- Diagnostic: Skip sending diagnostic information to Apple.
- Siri: This setup step, that can be skipped using DEP, prompts whether to use Siri.
- Passcode: Hides the screen to set up passcode when the device is first set up.
- Registration: Skip registration screen.
- Biometric: Skip the screen where you are asked to provide your biometrics if the device supports it.
- Payment: Skip Apple Pay setup screen.
- Zoom: Skip the step to use Zoom which shows larger text and controls. Needs iOS 6 or above for this feature. Zoom can be setup from the first setup screen.
- FileVault: Skip FileVault setup screen.
Once the devices are enrolled with DEP, DEP settings needs to be pushed to the device from the MDM server. To do this, reset the device. The device will restart and starts the activation process. During this process, iOS activation servers provide the device with the link of MDM server. This link is that provided by the organization through MDM server DEP portal.
Renew DEP Server Token
The DEP server token is valid for a period of one year. Apple stores the public key permanently, so there is no need to upload a new public key to Apple DEP website. Just click on Generate new token, and a new server token is created with the same public key.