Apple Device Enrollment Program (DEP) using Codeproof
Apple’s Device Enrollment Program (DEP) allows you to assign iOS devices to mobile device management (MDM) servers from the moment you purchase them. This enables you to automate MDM enrollment, wirelessly supervise devices, and skip basic setup steps. Device assignment is done on the Apple Deployment Programs website, deploy.apple.com. Using DEP, an administrator can set up MDM and enroll devices without physically accessing them. DEP-managed devices can also have the MDM profile locked to the device so that the end user won't be able to turn off MDM.
1. Set up a DEP account on the Apple DEP portal
To create a DEP account, you need company information including your business D-U-N-S number, Apple customer number, Apple ID, etc. To get an Apple customer number, contact your Apple sales business account manager. With an Apple customer number, a D-U-N-S number and an Apple ID, you can create a DEP account on the Apple DEP portal, deploy.apple.com. You can then purchase Apple devices through DEP. Once you purchase devices through DEP, you can assign them to Codeproof MDM servers via the DEP portal. Your Apple customer number contains a record of all the orders you make.
2. Add MDM server in the DEP portal
You can now add an MDM server in the DEP portal using a Codeproof certificate. Once you import the certificate, you will be prompted to download an encrypted server token file. Download the server token file and import it into the Codeproof console.
Add MDM Server to DEP
Download Server token file
3. Assign devices to MDM Server in the Apple DEP portal
Your Apple customer number contains a record of all the orders you make. After an order ships, you can search for it by number and assign devices using that number to an authorized MDM server. For example, when you place an iPad order for 5,000 units, you can use the order number to assign all or a specific number of devices to an existing authorized MDM server. Assigning devices by order number might be done when a single MDM server is used for an entire device deployment and devices are still in their original packaging and will be going directly to the end users.
Assign devices by order number:
1. Go to deploy.apple.com, then sign in using your Apple ID.
2. Select Device Enrollment Program in the sidebar then, if requested, follow the two-step verification process.
3. Select Assign by Order Number and begin to enter your known order number.
As you type, order numbers that match the digits typed will begin to appear.
Once an order number is selected, the quantity and type of unassigned devices are shown.
4. Select the MDM server to associate with the order number, then click Assign Now.
You can also download a comma-separated value (CSV) file which contains the full list of all assigned and unassigned devices in a specific order. Devices are listed in the file by serial number and any spreadsheet app, for example Numbers, can open this file.
4. Importing Server Token in MDM Server
Now log in to the Codeproof console and select “EMM” from the top menu. Select “Apple DEP” from the left-side menu. Click “Add Server Token” and import the server token file downloaded from the Apple website.
5. Assign the MDM profile to device
Click the “Manage” button to view all the purchased devices. Select one or more devices and then click “Install MDM” to push the MDM profile to them remotely. The profile will be installed automatically and the devices will appear in the “Policy Manager” section of the Codeproof console. In the list, a Profile Status of “assigned” means the profile is already assigned to the device. See below. If you have a large number of devices, go through each page and assign them to MDM. There is a “CheckAll” link to select all the devices on the current page.
Admin Portal Screen-1
Admin Portal Screen-2
6. Factory Reset the device
If the device has already been set up, you must factory reset it to complete the DEP enrollment. To factory reset, open the “Settings” app, go to “General -> Reset”, and tap “Erase All Content and Settings”. If the device is still in the box, turn it on and it will go through the DEP setup process.
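With a large order it is easy to miss a device while paging through the list, so a useful check after the steps above is to reconcile the order CSV from step 3 against the serial numbers shown in the MDM console. The script below is an added example, not Codeproof or Apple code; the page does not give the CSV layout, so the column names `serial_number` and `mdm_server`, the server name, and all sample serial numbers are assumptions constructed for illustration.

```python
import csv
import io

# Assumed column names; adjust to match the headers in the real export.
SERIAL_COL = "serial_number"
SERVER_COL = "mdm_server"

# Constructed sample of an order CSV (not real Apple output).
ORDER_CSV = """\
serial_number,model,mdm_server
C02AAAA11111,iPad,Codeproof MDM
c02bbbb22222 ,iPad,Codeproof MDM
C02CCCC33333,iPad,
C02DDDD44444,iPad,Codeproof MDM
"""

# Constructed list of serial numbers copied from the MDM console's device list.
MDM_SERIALS = ["C02AAAA11111", "C02BBBB22222", "C02ZZZZ99999"]


def norm(serial):
    """Compare serial numbers upper-cased with surrounding whitespace removed."""
    return serial.strip().upper()


def reconcile(order_csv_text, mdm_serials):
    """Classify every serial in the order against the MDM inventory."""
    in_mdm = {norm(s) for s in mdm_serials if s.strip()}
    unassigned, not_enrolled, in_order = [], [], set()
    # lstrip removes a UTF-8 byte-order mark that spreadsheet apps may add.
    for row in csv.DictReader(io.StringIO(order_csv_text.lstrip("\ufeff"))):
        serial = norm(row.get(SERIAL_COL) or "")
        if not serial or serial in in_order:
            continue  # skip blank rows and duplicate serials
        in_order.add(serial)
        if not (row.get(SERVER_COL) or "").strip():
            unassigned.append(serial)      # never assigned in the DEP portal
        elif serial not in in_mdm:
            not_enrolled.append(serial)    # assigned, but the MDM has not seen it
    return {
        "unassigned": unassigned,
        "assigned_not_enrolled": not_enrolled,
        "in_mdm_not_in_order": sorted(in_mdm - in_order),
    }


if __name__ == "__main__":
    for bucket, serials in reconcile(ORDER_CSV, MDM_SERIALS).items():
        print(f"{bucket}: {', '.join(serials) or 'none'}")
```

Devices in the first two buckets are not yet under management and need step 3 or steps 5 and 6 repeated; a serial in the third bucket is managed but did not come from this order.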
Benefits of Apple DEP
- Automated Mobile Device Management (MDM) enrollment
  - Zero touch configuration for IT
  - Immediately configure devices when activated
  - Require users to automatically enroll in MDM
  - MDM profile is locked to the device
  - Automatic re-enrollment if device is reset
- OTA Supervision
  - Without DEP the only solution available is via tethering to Apple Configurator
  - OTA Enabled during setup
  - Setup wirelessly via DEP solution
  - Supervision provides greater centralized control of an iPad including:
    - Restricting access to iMessage
    - Configuring a global proxy
    - Allow or prevent users from deleting apps
    - Allow or disable access to AirDrop
    - Silently install & remove apps
- Customized setup assistant
  - Simple setup right out of the box
  - Enable users to set themselves up
  - Skip following setup screens (optional):
    - Restore from backup
    - Apple ID
    - Terms of Service
    - Sending diagnostic
Consumer purchased Apple Devices
Consumer-purchased iOS devices (not bought through DEP) can be enrolled into DEP and locked down with MDM. This has been available since iOS 11. It requires physical access to the device, though: connect the devices via USB to a Mac running the latest Apple Configurator tool (a free tool from Apple). Instructions are here.