Motivation

The Apple Device Enrollment Program (DEP) can be used to prepare iPads for use in security-critical scenarios. This includes functions such as:

  • Using supervised mode
  • Making MDM Enrollment mandatory
  • Protecting MDM Enrollment from removal¹
  • Skipping setup steps when setting up the iPad
¹Devices that were added to DEP manually (via Apple Configurator) have a 30-day grace period during which the user can still remove management from the device. After this period the “Remove management” option disappears from the device.

Requirements

To use Relution with DEP, you need:

  • A DEP account using a separate Apple ID that is enabled for managing DEP devices (https://business.apple.com for corporate customers, https://school.apple.com for educational institutions).
  • Apple Configurator 2 in its current version (from the Mac App Store):
    • https://itunes.apple.com/de/app/apple-configurator-2/id1037126344?mt=12

Manually adding iOS devices to DEP

Since iOS 11, iPads can also be added to the DEP program after you have received them. Previously, this was only possible through specially authorized resellers or Apple directly.

  1. Connect the device to be registered to a Mac with a USB cable and start Apple Configurator. Select the device and click “Prepare…”:
  2. In the next dialog, select the options as shown and click “Next”.
  3. Then select “New Server…” and click “Next”.
  4. Now enter the name and URL of your Relution server. The URL must start with https://, for example https://live.relution.io for the Relution test system.
  5. Now select the certificate that appears. If several certificates are listed, select the first one. Apple Configurator stores these settings, so you do not have to re-enter them when you add further devices later.
  6. In the following dialog, select “New organization…” and confirm the selection with “Next”.
  7. A connection to the Apple DEP server is now established. Enter the Apple ID and password of your DEP account. You may have to confirm the sign-in with two-factor authentication (enter the six-digit verification code that Apple sends to a trusted device or phone number).
  8. Select “Create new supervision identity” and click “Next”. Apple Configurator also stores the organization data, so you can reuse it later and no longer need to create a new organization.
  9. In the next step, select the setup steps that should NOT be skipped when the device is started for the first time. Be sure to select the Location Services option; otherwise the iPads are not assigned the correct time zone.
  10. You can then assign a previously created configuration profile (via “Storage – New profile – WiFi”) for a WiFi network that the iPad connects to automatically after the reboot. If you do not select a profile here, you have to enter the WiFi settings manually on the iPad after it restarts (unless the device stays connected to the Mac via USB). Click “Prepare” and the iPad restarts. It is then automatically enrolled in the DEP program and can be assigned to a Relution server in the DEP portal (by default it is assigned to Apple Configurator).

Connecting Relution to your DEP account

  1. First, a DEP account is created in Relution by clicking on “Settings – Auto-Enrollment”; then select the “Device Enrollment Program” tab and press the “Create Account” button:




  2. Relution then generates a server certificate that needs to be downloaded. In the Apple DEP portal, define a new MDM server and upload the certificate downloaded from Relution there. The Apple portal then offers a server token for download, which in turn has to be uploaded to Relution. This token is the credential with which Relution acts on your organization’s DEP account, so handle the downloaded file as carefully as a private key and remove local copies once it has been uploaded:



    This completes the initial configuration of the DEP account and the DEP account is displayed:



  3. You must then create at least one DEP profile. This is done under “Devices – DEP Profiles”:



    A DEP profile determines which options are preconfigured on the iOS device before the MDM enrollment happens. By clicking on the “Create” button you will see the following page:



    Notice the section with the buttons “Supervise device” and “User may remove MDM enrollment”. Supervised mode is a prerequisite for an MDM profile that can no longer be removed, so for a permanent enrollment enable the first option and disable the second. In the lower part of the page, you define the screens to be skipped when the iOS device is reset. This can be used to make the device reset zero touch (see “Resetting devices – With the Apple Configurator” below). Save the DEP profile by pressing the “Save” button at the top right.


  4. “Devices – Auto Enrollments” now lists all of the devices associated with your DEP account:



    In order for these devices to be preconfigured automatically when switched on and then to connect to the Relution server to enroll, each device must be assigned a DEP profile. In addition, the user of the device must be specified in Relution. Optionally, you can directly assign a policy and a rule set, as with a “normal” Relution enrollment. The device configuration is saved by pressing the “Save” button.



    Pressing the “Save” button submits the device configuration to Apple. From now on, the device is configured automatically after each reset to factory settings. As long as the DEP profile assignment is not changed, resetting the iOS device always results in a re-enrollment.
  5. Resetting devices

    When you reset an iOS device, all apps, data, and settings on the device are deleted. As a DEP device, it then automatically re-enrolls with Relution and receives the associated configuration and apps again. You can reset iOS devices in several ways:

    In the Relution portal (over-the-air)

    This type of reset is meant for individual devices that are not locally available. Select the device in the inventory list and assign the “Wipe device” action.

    Note: It is important that in the associated DEP profile (see step 3 above) the option to skip the Location Services page during setup is not selected; otherwise the iOS device is assigned the wrong time zone, and this cannot be corrected on the device afterwards.

    With the Apple Configurator (USB, Zero Touch)

    This method is suitable whenever many iOS devices are to be reset at the same time (e.g. a set of tablets), which are connected to a Mac via a USB hub. On the Mac, you should have Content Caching and Internet Connection Sharing enabled under System Preferences – Sharing.



    Sharing the Internet connection does not work over WiFi – the Mac must be connected by Ethernet cable. This way, the iOS device does not require WiFi to be configured, and the apps to be installed come from the Mac’s cache, which greatly reduces installation times.



    Note: For this method, the option to skip the Location Services page should be set in the DEP profile, because the correct time zone is set automatically through the Mac. Select the device(s) you want to reset, then click “Prepare…” – “Automatic Registration”. The following dialogs can be confirmed without further changes. When the devices are reset, no input on the device itself is required (“Zero Touch Installation”).
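
    The DEP profile options from step 3 and the two Location Services rules from the reset notes above can be written down as a small consistency check. The following is an added example and not Relution code: it builds a profile object using the field names of the profile definition in Apple’s DEP web service (profile_name, url, is_supervised, is_mdm_removable, is_mandatory, allow_pairing, skip_setup_items), assumes that Relution’s DEP profile form maps onto those fields, and uses the hypothetical labels ota_wipe and configurator_usb for the two reset paths described on this page.

```python
"""Build and sanity-check an Apple DEP profile for a locked-down deployment.

Added example, not Relution code. Field names follow the profile object of
Apple's Device Enrollment Program web service; the assumption is that the
options in Relution's "DEP Profiles" form map onto these fields.
"""
import json

# Hypothetical labels for the two reset paths described on this page.
RESET_OTA = "ota_wipe"           # "Wipe device" from the Relution portal
RESET_USB = "configurator_usb"   # Apple Configurator over USB, Mac supplies time zone


def build_dep_profile(profile_name, mdm_url, reset_method, skip_items=()):
    """Return a DEP profile dict that keeps the enrollment permanent and
    handles the Location Services pane according to the reset method."""
    skips = set(skip_items)
    if reset_method == RESET_USB:
        # Zero touch: the Mac sets the time zone, so the Location pane may be skipped.
        skips.add("Location")
    else:
        # Over-the-air wipe: the device must show the Location Services pane,
        # otherwise it gets the wrong time zone and that cannot be fixed later.
        skips.discard("Location")
    return {
        "profile_name": profile_name,
        "url": mdm_url,
        "is_supervised": True,       # "Supervise device": prerequisite for non-removable MDM
        "is_mdm_removable": False,   # "User may remove MDM enrollment" switched off
        "is_mandatory": True,        # enrollment cannot be skipped in Setup Assistant
        "allow_pairing": False,      # no pairing with arbitrary hosts
        "skip_setup_items": sorted(skips),
    }


def check_dep_profile(profile, reset_method):
    """Return a list of findings; an empty list means the profile is consistent
    with the rules on this page for the given reset method."""
    findings = []
    if not profile.get("url", "").startswith("https://"):
        findings.append("url must start with https://")
    if not profile.get("is_mdm_removable", True) and not profile.get("is_supervised"):
        findings.append("is_mdm_removable=false requires is_supervised=true")
    if not profile.get("is_supervised"):
        findings.append("unsupervised device: the user can remove the MDM enrollment")
    skips = set(profile.get("skip_setup_items", []))
    if reset_method == RESET_OTA and "Location" in skips:
        findings.append("Location pane skipped: device will get the wrong time zone after an over-the-air wipe")
    if reset_method == RESET_USB and "Location" not in skips:
        findings.append("Location pane not skipped: Configurator reset is no longer zero touch")
    return findings


if __name__ == "__main__":
    # Constructed sample: a profile for classroom iPads that are wiped over the air.
    prof = build_dep_profile("Classroom iPads", "https://live.relution.io", RESET_OTA,
                             skip_items=["AppleID", "Siri", "Diagnostics", "Location"])
    print(json.dumps(prof, indent=2))
    print(check_dep_profile(prof, RESET_OTA))                          # []
    print(check_dep_profile(prof, RESET_USB))                          # Location not skipped
    print(check_dep_profile(dict(prof, is_supervised=False), RESET_OTA))
```

    Run the check against the reset method you actually use: a profile that is correct for the Configurator zero-touch path is reported as wrong for an over-the-air wipe, which is exactly the time-zone trap the two notes above warn about.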

FAQ

Which devices can be added to DEP (Device Enrollment Program)? iPads and iPhones that are not older than about 2 years and run iOS 11 or higher.

My device does not appear under Auto Enrollments in Relution. What can I do? You must define the Relution server in the Apple DEP portal as an MDM server and assign your device to it.
