How to assign DEP devices to Hexnode?
There are many ways to enroll an iOS device in an UEM. One of the ways is to register the Apple device via the Apple Business Manager’s (ABM) Device Enrollment Program (DEP) and then assign the device to the MDM server. For that, you should first enroll your organization in ABM.
To add devices to Apple ABM, make sure that you have:
- A device bought directly from Apple or an authorized dealer after 1 March 2011 and running at least iOS 7.0.4, iPadOS 13.1, macOS 10.9 or tvOS 10.2.
- An iOS 11+ device can be directly enrolled in ABM via DEP using Apple Configurator 2.5 regardless of where and when the device is purchased.
- An APNs certificate setup for the MDM server to communicate with the device.
Steps to Enroll devices via DEP
Step 1: Add devices to Apple Business Manager
You will need the Apple Customer Number, or the Reseller ID associated with the purchased devices to add them to ABM. To add the purchased device to the ABM portal, associate the number or ID obtained from the device suppliers to ABM.
- Log in to your Apple Business Manager account.
- Click your name at the bottom of the sidebar and go to Preferences > MDM server assignment.
- Click on Edit next to Customer Number.
- Enter your Apple Customer Number or Reseller Number and click Add.
- Click on Done.
If you have purchased devices from more than one entity, you have to add all the numbers and ID via this method.
Apple Customer Number
If the devices were directly purchased from Apple, Apple would assign your organization an Apple Customer Number. Contact your finance department or Apple Sales for your Apple Customer Number. If the devices were purchased from Apple Store, contact the Business Team for the Customer Number.
If the devices were purchased from Apple Authorized Reseller or a wireless carrier, you would need to enter their Reseller ID in your ABM portal. Also, you should provide your Organization ID to the reseller or carrier.
To find your Organization ID,
- Log in to your Apple Business Manager account.
- Click on your name at the bottom of the sidebar and go to Preferences > Enrolment Information.
- Your Organization ID will be displayed under Organization Info.
To get the Reseller ID, contact the Apple Authorized Reseller or carrier via which the devices were purchased. The devices can be enrolled in the MDM only if the reseller or the carrier supports the device enrollment feature in Apple Business Manager.
Step 2: Configure DEP Configuration Profile
The DEP profile can be configured from the Hexnode console. Go to Enroll > All Enrollments > No-Touch > Apple Business/School Manager > DEP Configuration Profiles > Configure DEP Profiles (or edit existing DEP profiles by clicking on them).
Configuration parameters for the DEP profile:
- Display name: A friendly name of the policy.
- Department: Department name to which the devices are assigned.
- Support Email Address: An email address for the users to request support during setup.
- Support phone number: Contact number for users if they need help during setup.
- Enroll Devices in MDM: Enabling this option prevents users from bypassing the MDM Remote Management during the initial device setup.
- Allow MDM Profile Removal: Check this to make the profile removable after device enrollment. If disabled, users will be blocked from manually removing the MDM profile from the device.
- Enable Supervision: Check this to make the device supervised upon enrollment.
- Allow iTunes pairing: Check this option to allow users to sync their devices with iTunes. Disabling this option will prevent every iTunes related actions. To re-enable it, the device will have to be wiped and re-enrolled.
- Allow Shared Devices: Check this box to enable multiple users to share Apple School Manager deployed devices.
- Enable Hexnode UI for Authentication: If disabled, the device management has to be set up from Apple’s default Remote Management set up wizard. If enabled, users will be redirected to the Hexnode’s default enrollment window. Users can read and agree to the Hexnode EULA terms from here before proceeding with the enrollment. This feature is supported on iOS 13+ and macOS 10.15 or later devices. The enrollment authentication settings (Authentication Modes) configured in the Enroll > Settings tab will take affect when this option is enabled, irrespective of the User Authentication configurations in the DEP Account and the Enrollment authentication settings in the DEP Configuration Profile.
- Enrollment authentication settings: Choose the authentication method to be used for enrollment. These settings will override the User authentication configured at Enroll > All Enrollments > No-Touch > Apple Business/School Manager. Two options are available:
- No authentication – When selected admin must choose the Domain and Default user.
- Use Global Authentication Settings – When this option is selected, the authentication mode as selected on Enroll > Settings > Authentication Modes is considered.
- Configure user accounts: Check this to create an ‘Administrator’ user in Mac devices.
- Don’t show the selected steps: With Hexnode you can have a customized setup experience for your ABM enrolled devices. Check the boxes corresponding to steps that you want to avoid during Apple devices’ setup.
Step 3: Create a DEP Account in Hexnode
To add devices in the ABM program, you need to obtain a server token from Apple.
- In the Hexnode UEM portal, go to Enroll > All Enrollments > No-Touch > Apple Business/School Manager to obtain the MDM DEP certificate.
- Click on Next.
- Provide an Account Name and download the certificate file Hexnode_Apple_DEP_cert.pem.
- Sign in to Apple Business Manager account.
- Click your name at the bottom of the sidebar. Then, go to Preferences > MDM server assignment, and click on Add MDM Server.
- Name the MDM server and upload the public key (the DEP certificate previously obtained) and click Save.
- Click on Download Token > Download Server Token.
- Go back to your Hexnode UEM console and upload the DEP server token in the field Upload DEP server token file*.
- Check the box Add as a Pre-approved device if you want to pre-approve the DEP devices that you are planning to enroll using Hexnode.
- Choose a Default Configuration Profile. By default, the Default DEP profile will be selected. If you want to attach a different configuration profile with the DEP Account, choose it from the drop-down.
- Select the User authentication mechanism that should be implemented when enrolling devices.
- Use global authentication settings: The authentication mode as selected under Admin > Enrollment > Authentication Modes is considered.
- No authentication: If this option is selected, the device enrollment can be completed without any user authentication. The user to which the device should be assigned must be specified.
- Domain: Select the domain in which the user resides. It can be Hexnode’s local directory or any integrated directory domains.
- Default user: Choose the user in the selected domain to which all the DEP devices should be assigned to.
- Click on Next.
Step 4: Assign devices to the MDM server
You can either assign Apple devices individually to the respective device management server or bulk assign devices to the same management server.
Individual Device Assignment
- From the Devices page, select the required device. Click on Edit MDM server.
- Tap Assign to the following MDM. Now select the server from the drop-down. Tap Continue.
- Click on Confirm to assign the device to the management server.
Bulk Device Assignment
- From the Devices page, either
- Manually select the devices that you require. On Mac, press Command key in the keyboard and click on the device names to make the selection. On Windows, use the control CRTL key.
- Apply the device filters to streamline the device list. The available filters are Device Management, Source, Order number, Device type, Storage size. To add a filter criterion, click Filter below the Search bar and check in the relevant boxes corresponding to each filter option. Then, click on Search to sort out devices according to the criterion. From the filtered device list, you can either select All devices or click on the device name for a specific device.
- Click on Edit corresponding to the Edit MDM server option.
- Select Assign to the following MDM option. From the drop-down, select the MDM server. Click on Continue.
- Click on Confirm to assign the device to the management server.
The details of assigned devices can be seen in the device Assignment History, including the order number, the MDM server to which the device is assigned, assignment date and the device type.
Step 5: Sync devices to Hexnode
The devices added under the MDM server created for Hexnode in the Apple Business Manager portal has to be synced with Hexnode. This synchronization will import the details of the added devices to the corresponding Hexnode DEP Account in Hexnode. To sync devices to Hexnode,
- On your Hexnode UEM console, go to Enroll > All Enrollments > No Touch > Apple Business/School Manager > DEP Accounts.
- Click on Sync all DEP accounts.
Navigate to DEP Devices to view all devices synced from the MDM server in the ABM portal.
Change the device filter from All Devices to the required DEP Account to list the devices assigned to that particular DEP Account.
Step 6: Associate the DEP Profile with individual devices
DEP Configuration Profile assists the MDM in streamlining the device enrollment and set up on ABM added devices. If you want to attach a different DEP Profile (other than the one attached with the DEP Account) with an individual device,
- On your Hexnode UEM console, navigate to Enroll > All Enrollments > No Touch > Apple Business/School Manager > DEP Devices.
- Select the device and click on Associate DEP Profile.
- Select the profile and click Assign.
All DEP Devices
- Apple ID: Hides the screen where an existing or a new Apple ID is required to be entered when the device is first set up.
- Biometric: Skip the screen where you are asked to provide your biometrics if the device supports it.
- True Tone Display: Skipping this prevents users from enabling four-channel sensors to adjust the white balance of the display dynamically.
- Apple Pay: Skip Apple Pay setup screen.
- Restore: Skipping this option prevents the users from restoring the device during device setup. Backup can be restored later. This option will set up the device as a new device. If this option is configured the device will be set as a new one.
- Screen Time: Skip setting up screen time in the start-up window. Screen time gives you an insight on how much time you spend on your Apple device.
- Appearance: This skips the Choose Your Look screen.
- Diagnostic: Skip sending diagnostic information to Apple.
- Location Services: This is the first setup screen where you can select the language and country. This step can be skipped by checking Location in Skip Steps.
- Privacy: Checking this box prevents the user from seeing the privacy consent window.
- Siri: Check the box to disable users from setting up Siri in the setup assistant screen.
- Terms and Conditions: Skipping this step prevents users from seeing the Terms and Conditions windows to the user.
- Move from Android: Skip this step to hide it from the users. Hiding it will prevent users from migrating from their Android devices.
- Keyboard: When this is skipped, the keyboard setup pane will not get displayed.
- Watch Migration: Disabling this block the users from migrating Apple Watch data during start-up.
- iMessage and FaceTime: Skipping this prevents users from setting up iMessage and FaceTime in the Setup Assistant Screen.
- Passcode: Hides the screen to set up passcode when the device is first set up.
- SIM Setup: Skipping this disables the user from setting up SIM.
- Onboarding: Skips on-boarding informational screens for user education.
- Software Update: Skipping this disables the user from updating their iOS device to the latest version in the setup screen.
- Home button Sensitivity: Skipping this prevents the user from adjusting the home button sensitivity in the setup screen.
- Device to Device Migration: Skipping this step disables users from migrating data from their current iPhone to a new iPhone.
- Zoom: Skip the step to use Zoom which shows larger text and controls. Zoom can be set up from the first setup screen.
- Welcome/Get Started: Skipping this disables the user from viewing the Get Started screen.
- FileVault: Checking this box disables the users from setting up FileVault during device startup.
- iCloud Storage: Skips the iCloud storage setup windows.
- iCloud Analytics: Skipping this would restrict the user from seeing the iCloud Analytics pane.
- Registration: Skip the registration screen so that users don’t have to fill out the registration form and send it to Apple.
- Screen Saver: Skipping this prevents setting up screen saver in the setup window.
- TV Home Screen Sync: Skipping this disables the user from syncing their Apple TV Home Screen layout with that of another Apple TVs’.
- Where is this Apple TV?: Skipping this blocks user from selecting the room for the Apple TV.
- Set Up your Apple TV: Skipping this step disable users from configuring Apple TV from QuickStart.
- Sign In to Your TV Provider: Skipping this disables the user from signing into their TV provider.
What Happens at the device end?
If you have a device that is not yet activated, switch on the device and connect it to the internet. The Apple server will push the DEP Profile previously attached to the devices via the MDM server on the ABM. This will enroll the device in the MDM. However, if you have an already activated device, reset it to its factory settings to get it enrolled in the MDM.
If no enrollment authentication is enforced via the MDM, the device will get directly enrolled in the MDM. However, if enrollment authentication was turned on, the device will get enrolled only after user authentication.
Renew DEP Server Token
The DEP server token is valid for a period of one year. Apple stores the public key permanently, so there is no need to upload a new public key to the Apple DEP website. Just click on Generate new token, and a new server token is created with the same public key.