07 Feb Manually Add iOS and tvOS Devices to Apple’s DEP Program
Since the inception of Apple’s Device Enrollment Program (DEP), devices had to be purchased directly from Apple or from an Apple Authorized Reseller or carrier in order to participate in DEP. While this was an easy way for Apple to guarantee you were the absolute owner of the device, it left many devices that were legitimately purchased by organizations, but outside of the official Apple-approved channels, unable to be added to DEP.
Well, with iOS 11 and tvOS 11, Apple introduced a way for you to “manually add iOS and tvOS devices to your Device Enrollment with Apple Configurator 2 (version 2.5 or later), even if the devices weren’t purchased directly from Apple, an Apple Authorized Reseller, or an authorized cellular carrier.” Unfortunately, at this time, Macs cannot be manually added.
This process is commonly referred to as “provisional DEP enrollment.”
When manually adding devices to DEP, they end up behaving like a device that was purchased through Apple or an authorized reseller, with the exception that the user “has a 30-day provisional period to remove the device from enrollment, supervision, and MDM. The 30-day provisional period begins after the device is activated.” Notice at the bottom of the login screen, the user is alerted to the fact that their device can be un-enrolled in settings.
All the user needs to do is click on Settings > General > Device Management and then select the Mobile Device Management profile. At the bottom of this page, they can press the “Leave Remote Management” button.
The process, therefore, is not as perfect as purchasing directly through authorized channels, but if the device remains enrolled for more than 30 days, the button to remove from management disappears and at that point, it’s locked into DEP.
Enrolling devices into this process is not hard, but at the same time, it’s not as straightforward as one would hope. The rest of this post will walk you through the enrollment process. If you’d like some more background information, Aaron Freimark has written a great post on some common questions and answers people have on Provisional DEP; see his blog post here.
Provisional DEP Enrollment Process
There are a couple of requirements to enroll devices. First, the device must be on iOS 11 or tvOS 11 (as mentioned above, macOS is not available for provisional DEP enrollment at this time). Secondly, you must be willing to erase the device. There is no way to preserve the data on the device to be enrolled. You’ll also need a Mac with Apple Configurator installed. Your devices will either need to plug directly into the Mac or, for the Apple TV 4K, be connected via Ethernet to the same network as the Mac. Finally, you’ll also need access to Apple’s DEP portal so the devices can be added to the correct MDM server.
Prepare Your Organization in Apple Configurator
Before you prepare your first device, you’ll need to set up your Organization inside of Apple Configurator.
- Launch Apple Configurator.
- From the Apple Configurator 2 file menu, select Preferences.
- Click on the Organizations tab.
- Click on the + button at the bottom left and walk through the wizard, providing the appropriate Apple ID with DEP access.
- Generate or choose a supervision identity. It’s likely you’ll be generating a new one if this is your first time using Apple Configurator.
- Provide your password when prompted.
- Close the Preferences panel when you see your organization listed in the Organizations panel.
Add Your Device’s Serial Number to DEP Using Apple Configurator
This part of the process needs to be done for each and every device you want to add to DEP. It will require a bit of time on your behalf.
- For best results, update your device to the latest version of iOS or tvOS.
- Plug the iOS or tvOS device into your Mac (or into Ethernet on the same network as your Mac if using an Apple TV 4K – see Apple’s help file for more specific details on this step).
- Double-click on the device presented in Apple Configurator’s All Devices list.
- While in the Info panel, click on the Prepare button in the top menu bar.
- Select the following options on the Prepare Devices Panel:
  - Set the Prepare With option to Manual Configuration.
  - Check the box Add to Device Enrollment Program.
  - Unselect the box to Activate and Complete Enrollment.
    - It’s important to uncheck this box at this point. When Apple Configurator adds the device to DEP, it will not be assigned to your MDM server and if you try to automatically enroll it will fail.
  - If desired, check the box Allow Devices to Pair with Other Computers.
  - If desired, check the box Enable Shared iPad.
- Click the Next button.
- Select New Server from the drop down menu on the Enroll in MDM Server and click Next.
- Enter any name for your MDM server (ex. Nine41 MDM Server).
- The Host Name or URL is going to vary depending on your MDM provider. If using Ivanti Endpoint Manager, this URL will be the FQDN of your Cloud Service Appliance (ex. https://csa.nine41consulting.com).
- Click the Next button.
- Select the valid trust anchor certificate for your MDM server and click Next.
- Select the name of your Organization that you previously set up and click Next.
- Select any option for the Setup Assistant dropdown box. It doesn’t matter as these settings come from your MDM DEP settings and will not be used. I just select the Don’t Show Any of These Steps option. Click Next when ready.
- Don’t add any configuration profiles.
- Click the Prepare button. Apple Configurator will at this point begin preparing your device. Depending on whether you reset your device or have actual user data on the machine, you may be asked a couple of questions, so don’t just leave the device at this point. Eventually, your device should restart.
Assign Your Device’s Serial Number in DEP to the Appropriate MDM Server
If all went well in the previous section, you should be able to log in to your Apple DEP portal and see a new server named Devices Added by Apple Configurator 2 with the serial number from your device. You now need to take the serial number(s) and assign them to the appropriate MDM Server. Once you’ve vetted this process in your own environment, it’ll probably make more sense to batch these next steps and do all of your devices at once.
- Open a web browser compatible with Apple’s DEP portal.
- Enter the URL deploy.apple.com for businesses or your Apple School Manager URL if in education.
- Enter your credentials for your Apple ID and provide any two-factor authentication if prompted.
- If you don’t know your device’s serial number, proceed with this step. If you do know it, proceed to step 8 (the Manage Devices step). From the menu tree on the left hand side of the Deployment Programs page, select the Device Enrollment Program button.
- Click on the hyperlink button for the Devices Added by Apple Configurator 2 server.
- At the top right, click on Download Serial Numbers and then click the OK button.
- Open the CSV file and copy the serial number.
- From the menu tree on the left hand side of the Deployment Programs page, select the Manage Devices button.
- Verify the radio button for Serial Numbers is selected and add your serial number(s) into the box.
- Choose the action Assign to Server and from the drop down list pick your appropriate MDM server.
- Click the OK button and validate you received a success message.
- If you return to the Manage Servers page, you should see that the Number of Devices count has changed according to your assignment.
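When batching these steps, it helps to reconcile the downloaded CSV against the list of devices you actually prepared, so that only expected serial numbers get assigned to your MDM server. The following is an added example, not part of the original post; the CSV column layout, the serial-number pattern and all sample values are assumptions constructed for illustration.

```python
import csv
import io
import re

# Assumed serial shape (not from the post): 8-14 upper-case letters/digits.
SERIAL_RE = re.compile(r"^[A-Z0-9]{8,14}$")

def read_serials(csv_text):
    """Return (valid serials, rejected raw values) from a portal CSV export."""
    rows = [r for r in csv.reader(io.StringIO(csv_text)) if any(c.strip() for c in r)]
    if not rows:
        return set(), []
    header = [c.strip().lower() for c in rows[0]]
    col = next((i for i, h in enumerate(header) if "serial" in h), None)
    # No recognisable header: treat the first column of every row as a serial.
    data, col = (rows, 0) if col is None else (rows[1:], col)
    valid, rejected = set(), []
    for row in data:
        raw = row[col].strip() if col < len(row) else ""
        serial = raw.upper()
        if SERIAL_RE.match(serial):
            valid.add(serial)
        else:
            rejected.append(raw)
    return valid, rejected

def reconcile(export_csv, prepared):
    """Compare the portal export with the serials you prepared yourself."""
    exported, rejected = read_serials(export_csv)
    expected = {s.strip().upper() for s in prepared}
    return {
        "assign": sorted(exported & expected),      # safe to paste into Manage Devices
        "unexpected": sorted(exported - expected),  # in the portal, not in your list
        "missing": sorted(expected - exported),     # prepared, but never reached DEP
        "rejected": rejected,                       # malformed rows to inspect by hand
    }

# Constructed sample export and inventory (no real devices).
SAMPLE_EXPORT = """Serial Number,Date Added
F9FXK2ABCD12,2018-02-05
dmqw3zzzhg5d ,2018-02-05
C02ZZ9999XYZ,2018-02-06
not-a-serial,
"""
SAMPLE_PREPARED = ["F9FXK2ABCD12", "DMQW3ZZZHG5D", "GG7XX1111QRS"]

if __name__ == "__main__":
    for key, values in reconcile(SAMPLE_EXPORT, SAMPLE_PREPARED).items():
        print(f"{key}: {values}")
```

Investigate anything listed under `unexpected` before assigning it, and re-run the Prepare step for anything under `missing`.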
Activate and Enroll your Device
With all of the DEP legwork completed, you’re now ready to activate and enroll your device. The process for iOS and tvOS is nearly identical. For this example, I’ll use an iOS device. For tvOS instructions, see my previous blog post. This process could be completed by the end-user themselves if you so desire.
- Click the home button on the iOS device to begin enrollment.
- Select your desired language.
- Select your Country or Region.
- Press on the Setup Manually link at the bottom of the screen.
- Provide the appropriate information to connect to WiFi.
- Wait for activation.
- Let the device retrieve its configuration.
- Press the Next link at the upper-right corner of the page.
- Enter the device owner’s username and password (typically an Active Directory account but will vary on MDM vendor and your setup).
- Proceed with any setup assistant items that were not skipped in your DEP configuration.
- Press the Get Started link.
- Enjoy your success.
- Validate the profile has been applied. Go to Settings > General > Device Management and press on the MDM Configuration Profile.