How to add any device running iOS 11 to Apple Device Enrollment Program (DEP)?

Description

Most organizations prefer enrolling corporate devices into their organization using Apple Device Enrollment Program (Apple DEP), due to the following benefits

  • One-time setup for enrolling devices in bulk
  • Mandatory enrollment for corporate devices despite performing a factory reset
  • Supervision of devices for extra-control over devices

But, due to the pre-requisite of purchasing devices directly from Apple or authorised resellers, many organizations are unable to enroll devices using DEP. To allow the enrollment of devices that are not purchased from authorised resellers, Apple has now allow organizations to enroll any device that meets the following criteria into DEP using Apple Configurator.

Device Enrollment Program (DEP) has now been upgraded to Apple Business Manager (ABM). You can find the steps to enroll any iOS 11 device into ABM, here.

Prerequisites

  • DEP must be available in your country.
  • A Mac machine running Apple Configurator 2.5
  • Devices to be enrolled must be iOS 11 devices or must be capable of upgrading to iOS 11. 

Steps

Enrolling any device into ABM using Apple Configurator involves the following steps:

  1. On Apple Configurator, create a new profile and add it to a Blueprint as explained here. Control-click the Blueprint and click on Prepare after which the following screen is shown.


    preparing the Blueprint


  2. Ensure Add to Device Enrollment Program as well as Activate and complete enrollment are selected. Then follow the on-screen instructions to proceed with the enrollment.
  3. After a few steps, you will be prompted to enter your Apple DEP credentials as shown below. Enter your corporate DEP account credentials to ensure the devices are added to the DEP portal.


    Entering DEP credentials


  4. Once the Blueprint is prepared and applied to the device, activate the device to complete the enrollment process.

  5. By default the devices are added to server automatically created by Apple Configurator named Devices Added by Apple Configurator 2 as shown below.


    Adding devices to DEP


  6. Assign the devices to the required server

    Based on whether you have already integrated the required server with Mobile Device Manager Plus or not, follow the steps given below:

    Integrate Apple DEP with MDM

    1. On the MDM server, navigate to Enrollment and then select Apple Enrollment (ABM/ASM).

    2. Click on Download to download the public key certificate. This is to be uploaded in Apple DEP portal.


      Download Public Key


    3. On the Apple DEP portal, click on the server titled Devices Added by Apple Configurator 2 and select Add Key as seen below:


      Add Public Key


    4. Upload the Public Key certificate downloaded from MDM, when prompted.


      Upload Public Key


    5. Click on Next and select Your Server Token, to download Apple DEP token which is to be uploaded back on the MDM server. You can optionally change the name of the DEP server. You can also regenerate the DEP token any time by clicking on the server and selecting Generate Token.


      Download Server Token


    6. Upload the token back into MDM server as shown and follow the on-screen instructions to complete configuring Apple DEP.


      Upload Server Token


    Already integrated with MDM

    1. On the Apple DEP portal, click on Manage Devices from the left pane.

    2. Under Choose devices by, specify whether you want the devices to be added using Serial Number, Order Number or CSV file. Provide the required details.

    3. Under Choose Action, select Assign to Server and select your existing DEP server from the dropdown. Click on OK to complete the device re-assignment.

      Assign to Server

  7. Once the re-assignment is complete, go back to MDM server, navigate to the Enrollment tab and select Apple Enrollment(ABM/ASM) and click on Sync devices. The re-assigned devices be listed on the MDM server.

  8. Now assign users on the MDM server to these devices, to complete enrollment.

 

NOTE: The devices are added to provisional DEP and can be removed by the user within 30 days of adding to the server. To remove the device from management navigate to Settings -> General -> Device Management -> Remove Device Management. This is important if the wrong devices have been added to the portal.