Motivation

The Apple DEP program can be used to prepare iPads for use in security-critical scenarios. This includes functions such as:

» Using supervised mode
» Making MDM Enrollment mandatory
» Protecting MDM enrollment from removal
» Skipping setup steps when setting up the iPad

When devices are manually added to DEP, there is a grace period of 30 days, after which the option "Remove administration" is removed from the device's settings menu.

Conditions

To use Relution with DEP, you need:

» A DEP account for corporate customers or education customers, using a separate Apple ID that is enabled for managing DEP devices
» The Apple Configurator in its current version (from the Mac App Store)

1. Manually adding iPads to DEP

Since iOS 11, iPads can also be added to the DEP program after they have been received; previously, this was only possible through specially authorized dealers or through Apple directly.

1.1 Connect the device to be registered to a Mac using a USB cable and start the Apple Configurator.

The following screen appears:

Select the device and click "Prepare...".

1.2 In the next dialog, select the following options:

Then click "Next".

1.3 Then select "New Server..." and click "Next".

1.4 Now enter the name and URL of your Relution server. The URL starts with https://; for example, the URL of the Relution test system is https://live.relution.io.

1.5 Now select the certificate that appears. For multiple certificates, select the first one.

The Apple Configurator stores these settings so that you don't have to re-enter them when additional devices are added later.

1.6 In the following dialog, select "New organization..." and confirm the selection with "Next".

1.7 Now a connection to the Apple DEP server is made. Enter the Apple ID and password of your DEP account.

You may need to confirm this via two-factor authentication (enter the 4-digit code that you receive via SMS).

1.8 Select "Create new supervision identity" and click "Next". The organization data is also stored by the Apple Configurator, so you can reuse it later and no longer need to create a new organization.

1.9 In the next step, select the setup steps that should NOT be skipped when the device is started for the first time. Be sure to select the Location Services option; otherwise the iPads are not assigned the correct time zone.

1.10 You can then assign a previously created configuration profile (via "Storage - New Profile - WiFi") for a WiFi network that the iPad automatically connects to after the reboot:

If you do not select a profile here, enter the WiFi settings manually after the iPad has restarted (unless the device is connected to a Mac via USB). Click "Prepare" and the iPad will restart. It is then automatically enrolled in the DEP program and can be assigned to a Relution server in the DEP portal (by default it is assigned to the Apple Configurator).

2. Connecting Relution to your DEP account

2.1 First, a DEP account is created in Relution by clicking on "Settings – Auto Enrollment"; then select the "Device Enrollment Program" tab and press the "Create Account" button:



2.2 Relution then generates a server certificate that needs to be downloaded. A new MDM server has to be defined in the Apple DEP portal, and the certificate downloaded from Relution is uploaded there. The Apple portal then offers a downloadable token, which in turn has to be uploaded to Relution:



This completes the initial configuration of the DEP account and the DEP account is displayed:



2.3 You must then create at least one DEP profile. This is done under "Devices - DEP Profiles":



A DEP profile determines which options are preconfigured on the iOS device before the MDM enrollment happens. By clicking on the "Create" button you will see the following page:



Notice the section with the buttons "Supervise device" and "User may remove MDM enrollment".

Supervised mode is a prerequisite for preventing the MDM profile from being removed.

In the lower part of the page, you define the screens to be skipped when the iOS device is reset. This can be used to make the device reset zero touch (see 5.2).

Save the DEP profile by pressing the "Save" button on the top right.

2.4 “Devices – Auto Enrollments” now lists all of the devices associated with your DEP account:



In order for these devices to be automatically preconfigured when switched on and then connected to the Relution server to enroll, each device must be assigned a DEP profile.

On this screen you can also specify the device's user. Optionally, you can directly assign a policy and a rule set, as with a "normal" Relution enrollment. The device configuration is saved by pressing the "Save" button.



Pressing the "Save" button will submit the device configuration to Apple. From now on the device will be configured automatically after each reset to factory state.

As long as the mapping of the DEP profile is not changed, resetting the iOS device will always result in a re-enrollment.

Note: To successfully enroll a mobile device, the Relution Client App is required. It can be provided via VPP (see next chapter).

3. Preparing Relution for the distribution of VPP apps

The Volume Purchase Program (VPP) allows apps from the Apple App Store to be distributed via Relution without requiring an Apple ID on the mobile device. It is configured similarly to DEP, in Apple School Manager / Apple Business Manager. All app licenses also have to be acquired there, for both free and paid apps.

In order to connect Relution to VPP, go to the Apple portal and select "Settings", then "Apps and Books". On that screen, a token can be downloaded for each location:



This token is uploaded in Relution under “Settings -> Volume Purchase Program”:



At this point a new menu “Purchased Apps” is added to the “Apps” menu. This menu lists all VPP apps and their licenses.

Note: The Relution Client App is also available from the Apple App Store. Since it is required for enrolling iOS devices, make sure the required licenses for it are acquired via VPP before starting to enroll iOS devices.

4. Migrating devices to Relution from another MDM system

DEP devices that are managed by another MDM system and should be transferred to Relution can be migrated as follows: create a new MDM server in Apple School Manager / Apple Business Manager, connect it to the desired Relution system, and assign the devices to the new MDM server. Then perform a factory reset of the devices from the old MDM console; upon resetting, the devices will auto-enroll with Relution.

5. Resetting Devices

When you reset an iOS device, the apps, data, and settings on the device are deleted. As a DEP device, it then automatically re-enrolls with Relution and receives the associated configuration and apps again.

You can reset iOS devices in several ways:

5.1 In the Relution portal (Over the air)

This type of reset is meant for individual devices that are not locally available. Select the device in the inventory list and assign the "Wipe device" action.



Note: It is important that in the associated DEP profile (see 2.3) the option to skip the location services page during setup is not selected because otherwise the iOS device will be assigned the wrong time zone. This cannot be corrected afterwards on the device.

5.2 Using the Apple Configurator (USB, zero touch)

This method is suitable whenever many iOS devices (e.g. a set of tablets) are to be reset at the same time while connected to a Mac via a USB hub.

On the Mac, you should have Content Caching and Internet Connection Sharing enabled under System Preferences - Sharing.

Sharing the Internet connection does not work over WiFi - the Mac must be connected by Ethernet cable.

This way, the iOS device does not require WiFi to be configured, and the apps to be installed come from the Mac's cache, which greatly reduces installation times.

Note: For this method, the option to skip the location services page should be set in the DEP profile because the correct time zone is set automatically through the Mac.

Select the device(s) you want to reset, and then click "Prepare…" – "Automatic Registration":

When resetting the devices, no more input on the device itself is required ("zero touch installation").
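The DEP profile settings that this guide calls out in section 2.3 (supervised mode and non-removable MDM enrollment) and in sections 5.1 and 5.2 (whether the Location Services screen may be skipped, which depends on the reset method) are easy to get wrong when several profiles exist. The following Python check is an added example, not Relution's or Apple's code: it lints a DEP profile definition against those rules. The field names follow the profile document of Apple's DEP web service (profile_name, url, is_supervised, is_mdm_removable, skip_setup_items); that Relution exposes a profile in exactly this shape is an assumption, and both sample profiles are constructed for the example.

```python
"""Check a DEP profile definition against the rules in this guide (constructed example)."""
from __future__ import annotations

from urllib.parse import urlparse

# The two reset paths described in sections 5.1 and 5.2. They differ only in how
# the "Location" setup screen must be handled.
RESET_OTA = "ota"                  # wipe from the Relution portal (section 5.1)
RESET_USB_ZERO_TOUCH = "usb"       # Apple Configurator over USB (section 5.2)

# Constructed sample profiles. The keys follow the profile document of Apple's
# DEP web service; whether Relution exports its DEP profiles in this exact form
# is an assumption of this example.
PROFILE_OK = {
    "profile_name": "Relution classroom iPads",
    "url": "https://live.relution.io",
    "is_supervised": True,
    "is_mdm_removable": False,
    "skip_setup_items": ["Siri", "Diagnostics", "AppleID"],
}

PROFILE_WEAK = {
    "profile_name": "Unreviewed profile",
    "url": "http://live.relution.io",     # plain http, see step 1.4
    "is_supervised": False,
    "is_mdm_removable": True,
    "skip_setup_items": ["Location"],
}


def lint_dep_profile(profile: dict, reset_method: str = RESET_OTA) -> list[str]:
    """Return human-readable findings; an empty list means the profile follows the guide."""
    findings: list[str] = []

    # Step 1.4: the MDM server URL must start with https://
    url = str(profile.get("url", ""))
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        findings.append(f"url must be an https:// server URL, got {url!r}")

    # Section 2.3: supervised mode, and enrollment the user cannot remove
    supervised = profile.get("is_supervised") is True
    removable = profile.get("is_mdm_removable")
    if not supervised:
        findings.append("is_supervised should be true (supervised mode)")
    if removable is not False:
        findings.append("is_mdm_removable should be false so the user cannot remove the MDM profile")
    elif not supervised:
        findings.append("is_mdm_removable=false only takes effect on a supervised device")

    # Sections 5.1 / 5.2: the Location Services screen decides the time zone
    skipped = set(profile.get("skip_setup_items", []))
    if reset_method == RESET_OTA and "Location" in skipped:
        findings.append("do not skip Location for over-the-air resets: the device gets the wrong time zone")
    if reset_method == RESET_USB_ZERO_TOUCH and "Location" not in skipped:
        findings.append("skip Location for USB zero-touch resets: the Mac sets the time zone")

    return findings


if __name__ == "__main__":
    for name, profile in (("ok", PROFILE_OK), ("weak", PROFILE_WEAK)):
        for method in (RESET_OTA, RESET_USB_ZERO_TOUCH):
            print(f"{name} / {method}: {lint_dep_profile(profile, method) or ['no findings']}")
```

Run the script as-is to see the findings for both constructed profiles. Note that the same profile cannot satisfy both reset methods, which is exactly the point of the notes in 5.1 and 5.2: decide how a set of devices will be reset before assigning its DEP profile.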

Questions and Answers

» Which devices can be added to DEP?

  • iPads and iPhones that are not older than about 2 years and run iOS 11 or higher.

» My device does not appear in the Auto Enrollments in Relution.

  • You must define the Relution server in the Apple DEP portal as an MDM server (see chapter 2.2) and assign your device to it.
