How to Use the Device Enrollment Program

In iOS 7 and later and OS X v10.9 and later, the Device Enrollment Program (DEP) helps to address the mass configuration needs of organizations purchasing and deploying devices in large quantities, without the need for factory customization or pre-configuration of devices prior to deployment.

A device enrolled in the Device Enrollment Program prompts the user to enroll in MDM during the initial device setup process. Additionally, devices enrolled in the program can be supervised over the air. Although Apple's servers store information about the device's participation in this program, the MDM profile and login challenge are served by the organization's server.

The MDM Device Enrollment Program (DEP) uses a Server Token to allow an MDM server to securely connect to the DEP web service.

This lesson explains how to use the Device Enrollment Program to enroll devices with Client Manager.

Security

Access to the DEP service is controlled by a single permission: a user who has read access to the DEP Server Tokens table (mdm_dep_token) can perform DEP-related operations. By default only an administrator has this access; it can be changed through Role Management.

All tables used by the DEP functionality are read-only with restricted access; records are added and deleted only by the DEP service during synchronization.

Sync Job

When the DEP service is first installed, a new sync job (DEP sync) is created for periodic synchronization with Apple's DEP servers. The DEP sync job runs every 12 hours.

Obtain a Server Token

To obtain a DEP Server Token, the user must complete the steps outlined below.

  1. Generate a public/private key pair in PEM format for the MDM server.
  2. The user must then:
    1. Sign into the Device Enrollment Program web portal.
    2. Create a new virtual MDM server.
    3. Upload a PEM-encoded X.509 certificate containing the PEM public key that was generated in Step 1.
    4. Download the S/MIME encrypted token file generated by the program web portal.
  3. Decrypt the S/MIME encrypted Server Token.
  4. Upload the token file to the MDM server.

Client Manager can automate step 3.
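As an added example (not part of this documentation and not Client Manager's own code), the following POSIX shell script walks through the manual form of steps 1 and 3 with the openssl command-line tool: it generates the PEM key pair and the X.509 certificate to upload, then decrypts an S/MIME token with the private key. The portal (step 2) cannot be reached offline, so the script stands in for it by S/MIME-encrypting a constructed sample payload to that certificate. The file names, the certificate subject and the token payload are assumptions; openssl must be installed.

```shell
#!/bin/sh
# Added example, not part of the Client Manager documentation.
# Manual path through steps 1 and 3 of "Obtain a Server Token" with the openssl CLI.
# make_fake_encrypted_token stands in for the DEP portal (step 2) by encrypting a
# constructed payload to the certificate produced in step 1.
set -e

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
# Constructed sample payload; a real token is whatever the portal issues.
TOKEN_PAYLOAD='{"consumer_key":"CONSTRUCTED_KEY","access_token":"CONSTRUCTED_TOKEN"}'

# Step 1: RSA key pair plus a self-signed X.509 certificate, both PEM encoded.
# dep_cert.pem is the file uploaded to the DEP portal; dep_key.pem never leaves the MDM server.
gen_mdm_keypair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=mdm.example.com" \
    -keyout "$WORKDIR/dep_key.pem" -out "$WORKDIR/dep_cert.pem" 2>/dev/null
  chmod 600 "$WORKDIR/dep_key.pem"
}

# Stand-in for the portal (step 2): S/MIME-encrypt the constructed payload to the
# uploaded certificate. -binary keeps the bytes exactly as written (no MIME canonicalization).
make_fake_encrypted_token() {
  printf '%s\n' "$TOKEN_PAYLOAD" > "$WORKDIR/token.json"
  openssl smime -encrypt -binary -aes256 -in "$WORKDIR/token.json" \
    -out "$WORKDIR/token.p7m" "$WORKDIR/dep_cert.pem"
}

# Step 3: decrypt the S/MIME token with the private key from step 1 and print the plaintext.
# tr normalizes CRLF line endings that a MIME-canonicalized token would carry.
decrypt_dep_token() {
  openssl smime -decrypt -in "$WORKDIR/token.p7m" \
    -recip "$WORKDIR/dep_cert.pem" -inkey "$WORKDIR/dep_key.pem" | tr -d '\r'
}

# Check: a key other than the one whose certificate was uploaded must not recover the token.
# Returns 0 when the wrong key fails to produce the payload.
decrypt_with_wrong_key_fails() {
  openssl genrsa -out "$WORKDIR/other_key.pem" 2048 2>/dev/null
  out="$(openssl smime -decrypt -in "$WORKDIR/token.p7m" \
    -inkey "$WORKDIR/other_key.pem" 2>/dev/null || true)"
  [ "$out" != "$TOKEN_PAYLOAD" ]
}

# Round trip when executed directly.
gen_mdm_keypair
make_fake_encrypted_token
decrypted="$(decrypt_dep_token)"
[ "$decrypted" = "$TOKEN_PAYLOAD" ] || { echo "decrypted token does not match payload"; exit 1; }
echo "token decrypted OK"
decrypt_with_wrong_key_fails || { echo "wrong key unexpectedly recovered the token"; exit 1; }
echo "wrong key rejected as expected"
```

The decrypted output is what you would paste into the DEP Token view when adding the token manually; the private key is the only thing that can open the portal's token file, so it stays on the MDM server with restrictive permissions, which is why the last check confirms that an unrelated key cannot recover the payload.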

Navigate to DEP Token Menu

Navigate to Setup > App Administration > Client Manager > DEP Token.

In this view you can link Client Manager with your DEP account either by adding the decrypted token manually or by letting Client Manager decrypt the token for you with the Import Encrypted button.

Decrypt Token with Client Manager if Necessary

You can import an encrypted token and Client Manager will decrypt it for you. To do this:

  1. Click Import Encrypted.
  2. Provide the previously downloaded S/MIME encrypted token, the certificate and the private key.
  3. Click OK.

A window will pop up informing you that the DEP Server token has been validated, decrypted, and saved into the Asset Vision database.

You will see the server token in the DEP Token data view.

The DEP Server will Sync with Asset Vision

After the DEP server token has been created or updated, synchronization is triggered automatically. It retrieves from the DEP portal all information related to the server token and synchronizes it with the local Asset Vision database.

The same synchronization can be run at any later time with the DEP > Sync Now action.

DEP Account

The DEP Account menu lists the available virtual MDM servers. Each DEP account is represented by a server token and displays the information associated with it; in other words, a DEP account is a virtual MDM server created on Apple's DEP portal.

DEP-Enrolled Devices

To see a list of all available DEP-enrolled devices, navigate to Client Manager > Devices > Apple Devices > By Status > DEP Enrolled.

This view displays all available devices enrolled in DEP, grouped by the account to which they are assigned.

Create a New DEP Profile

Upon activation, a device connects to Apple's server. If the device is DEP-enrolled and has a profile assigned, the server tells the device where to connect next to obtain its configuration. If the assigned profile sets the supervision property, the device becomes supervised after it exits the Setup Assistant. A DEP profile is therefore a directive to Apple's servers that tells the device what to do upon activation.

The DEP Profiles menu under Client Manager > Devices > Apple Devices shows all profiles, both those already assigned to devices and those only defined:

  1. A new profile can be defined by pressing New button.

Define Profile

Here you can provide information about the MDM server that is assigned to manage one or more devices, information about the host that the managed devices can pair with, and various attributes that control the MDM association behavior of the device.

Each form element has a self-descriptive hint that explains its purpose. For example, "Skip Setup Items" lets you define which setup panes to skip when a device is being configured; if Biometric is checked, the user will not be able to set up Touch ID, and so on.

MDM server URL specifies the URL of the MDM server from which the device must obtain a profile and into which it enrolls. It is pre-populated automatically and in most cases should not be changed.

You can also enable supervision for the device. Supervision can only be applied at activation time; there is no way to supervise a device once it has left the Setup Assistant shown when the phone/device is first started. To supervise such a device you need to erase it and start over. Upon activation the devices become supervised. Note that if the devices have already been activated, you should either send the "Erase" MDM command (if they are enrolled in MDM) or erase them another way.

Note: Due to a limitation of Apple's API, a profile cannot be modified after it has been created. Create a new one if required.

Assign a Profile to a Device

After a profile has been created, it should be assigned to one or more devices. Navigate to Client Manager > Devices > Apple Clients > By Status > DEP Enrolled.

  1. Click the DEP > Assign Profile right-click context action, or the grid button DEP > Assign Profile to selected, to open a pop-up window listing the available DEP profiles.

Select the profile you want to assign to the selected devices. This tells Apple's servers that the specified devices should use that profile upon activation. Each DEP-enrolled device can be assigned one DEP profile.

After a successful assignment, a confirmation is displayed. Once a profile has been assigned to a device, the device must be activated: if the device has not been activated yet, it picks up the settings upon activation; otherwise the device must be erased to trigger activation again.

  2. Click OK.

Removing DEP Profile

A DEP profile can be removed from a device before that device is activated by using the DEP > Remove Profile action.

  1. Right-click the device record that will have the DEP profile removed.
  2. Click the DEP > Remove Profile action.

This action removes the DEP profile mapping for the listed devices from Apple's servers. After the call, the devices in the list have no profile associated with them. However, if a device has already obtained the profile, the removal has no effect until the device is wiped and activated again.