Device enrollment with the macOS-App using DEP - Apple Device Enrollment Program

Last adaptation to the version: 1.24

Last updated: 07.2024: Layout in the step-by-step instructions improved
Note: This article refers to a Beta version.
Access: portal.securepoint.cloud / Mobile Security / iOS/iPadOS


Information

  • Devices can be assigned to an MDM with the help of the Device Enrollment Program (DEP)
    • When ordering with the DEP option from an appropriate Apple dealer, the serial number or order number is sufficient (zero-touch, suitable for larger quantities)
    • Afterwards, using the Apple Configurator
      (for this the device must be connected to a Mac)
  • Profiles assigned to devices via DEP can no longer be removed on the device itself after a waiting period of 30 days, but only through the Securepoint Mobile Security Portal!
  • DEP is a prerequisite for rolling out centrally purchased and licensed software to devices via VPP (Volume Purchase Program).

Requirements

The following requirements are necessary:

Note: The devices must not be added to the reseller's ABM/ASM! Doing so would violate Apple's terms and conditions!
It is recommended that each end customer has their own ABM/ASM account and that the devices are added there.

  • For subsequent device registration: an Apple Mac with
    Apple Configurator 2 installed (free of charge in the App Store)

Establish connection to DEP (Device Enrollment Program)

To be able to use Apple's DEP (Device Enrollment Program), a link between the Securepoint Mobile Security Portal and the Apple DEP must be established.
The connection is made in three steps at Mobile Security / Settings / Apple DEP / Add profile:

  1. Download the Apple push certificate (*.pem file)
  2. Upload this certificate in the Apple Business Manager or Apple School Manager menu Preferences (click on the user name in the menu bar)
    • ABM: If no corresponding MDM server has been created yet:
      • ABM: Menu Preferences / Device Management Services / Add
      • ABM: Service Info / Service Name: Unique name
      • ABM: MDM Server Settings / Upload Certificate: Upload the *.pem file previously downloaded from the Securepoint Mobile Security Portal and Save
    • ABM: Selection of the corresponding MDM Server (ttt-point-mdm-Server-123456.sms)
    • ABM: Download the DEP token with Download Token (*.p7m file) in the Apple Business Manager or Apple School Manager menu
  3. Upload the *.p7m file in the dialog window opened under point 1 in the Securepoint Mobile Security Portal. Finish with Done.
Note: DEP tokens have a term of 12 months and must be renewed regularly!


Problem / Error message: DEP token has become invalid
  Cause:
  • The account of the Apple Business Manager or Apple School Manager user who created the token is locked or deleted.
  • The ABM/ASM user who created the token has changed his/her password.
  Solution: Renew the DEP token with a valid account.

Problem / Error message: Message when logging in to https://portal.securepoint.cloud :
  Check your Apple business account
  We retrieved an error while fetching your data from Apple
  This could happen due to updated software license agreements.
  Please check your apple business account, for further information.
  Cause / Solution: Apple has changed its T&Cs. Log in to Apple Business Manager or Apple School Manager and confirm the new terms and conditions.


Prepare devices

Prepare new devices

  • New devices must be purchased directly from Apple or from a DEP-registered dealer.
  • The serial number of the devices is then stored at Apple for DEP.
  • Devices can be sent directly to the device user.
  • When the device is initialized, the MDM information and configuration are loaded automatically.
  • These devices cannot be supplied with WiFi configurations by the factory.
    If the devices do not have a mobile data connection via the cellular network, the user must therefore provide an Internet connection once.

Prepare existing / used devices

In order to add existing devices to the DEP at a later date, they must be connected to a Mac and prepared with the Apple Configurator 2.
Note: The device will be completely reset. All stored information will be lost!
  • Connect the iPhone / iPad to the Mac and trust access through the Apple Configurator 2.
    Select the device with a mouse click and configure it by pressing the Prepare button.
  • Select an MDM server
  • Log in to the device registration program with the credentials for the ABM
  • Create or assign an organization that manages the device.
  • Configure the iOS Installation Wizard
  • Enter the credentials for automatic registration
    (at the Securepoint Mobile Security Portal).
  • Start preparation

Step-by-step instructions in the Apple Configurator 2

Fig.1: Option for Internet access on the device
  • Activation of Internet sharing for the connected Apple device:
    Once the iOS/iPadOS device has been connected to the Mac, go to System Preferences / General / Share / Internet Sharing
  • Activate the port via which the device is connected to the Mac.
  • Set the shared connection accordingly and activate Internet sharing.

Fig.2: Option for Internet access on the device
  • Creating a WLAN profile in the Apple Configurator 2:
    Menu File / New Profile, section WLAN:
    WLAN can be configured here.
  • The iOS device automatically connects to the Wi-Fi configured here after being set up by the Apple Configurator 2 and immediately connects to DEP and the MDM server.
  • Save in the File / Save As menu.
Fig.3
  • Connect the iPhone / iPad to the Mac and trust access through the Apple Configurator 2.
  • Select the device and configure it by pressing the Prepare button.

Fig.4: Prepare Devices
  • Prepare with: Manual Configuration, activate:
    • Add to Apple School Manager or Apple Business Manager
    • Allow devices to pair with other computers

Fig.5: Register with MDM Server
  Server: New Server...
  • If another device has already been added, a server can be selected here.
  • Otherwise the configuration data can be entered in the next step.

Fig.6: If no MDM server has been stored yet:
  • In the Mobile Security Portal, in the menu Devices, button Register new device / iOS: Copy URL.

Fig.7: If no MDM server has been stored yet: Specify MDM server
  • Selection of the Securepoint MDM server
    For additional devices that are to be registered for the same customer (or tenant), this configuration can be selected directly.
  • Name: Unique name
  • Hostname or URL: Insert the URL from the dialog Register New Device in the Securepoint Mobile Security Portal (see previous step).

Fig.8: If no MDM server has been stored yet:
  • Specify MDM server, message: The registration URL of the server could not be verified.
    Since macOS does not yet know the certificate of the individual customer access to the Securepoint Mobile Security Portal, the URL cannot be verified. It is nevertheless correct!

Fig.9: If no MDM server has been stored yet:
  • Add certificates with trust anchor for the MDM server: The certificate *.securepoint.cloud must be added once.

Fig.10: If no MDM server has been stored yet:
  • Register with the device registration program: The credentials for the Apple Business Manager or Apple School Manager must be entered here.
  • Continue with Next

Fig.11: Authentication when first connecting from Apple Configurator 2 to the ABM

Fig.12: Normally not required

Fig.13: Create Organization
  • The organization that manages the device can be selected or created.

Fig.14: Assign to an organization
  • If an organization has already been created, it can be selected here.

Fig.15: Configure iOS Installation Wizard
  • This selects the steps the user must perform in the installation wizard.

Fig.16: Select network profile
  • Choose...: No profile needs to be selected

Fig.17: Select Network Profile
  • Choose...: the created Apple Configurator network profile is selected.

Fig.18: Can remain empty

Fig.19: The changes must be confirmed with the password of the current Mac user.

Fig.20: Configurator could not execute the requested action because "iPad" was already prepared.
  • If this message appears, the device has already been configured before and the settings for the System Assistant cannot be transferred directly.
  • With Delete, all contents and settings are deleted and the device is prepared for an (initial) configuration with a connection to the Securepoint Mobile Security Portal.

Fig.21
  • The device is configured. This resets the device.
    Note: All data on the device is deleted. Only operating system updates are retained.
  • Several steps are displayed in the following, the number of which may change.

Fig.22: Process completed.

Variant: registering the device with ABM only, without specifying an MDM server (the assignment to the MDM server takes place later). Fig.1 to Fig.5 correspond to the steps of the same name above.

Fig.6: Specify MDM server
  • Name: Unique name (choose freely)
  • Host name or URL: leave empty. This only registers the device with ABM. The assignment to the MDM server takes place later.

Fig.7: If no MDM server has been stored yet:
  • Specify MDM server, message: The registration URL of the server could not be verified.
    Since macOS does not yet know the certificate of the individual customer access to the Securepoint Mobile Security Portal, the URL cannot be verified. It is nevertheless correct!

Fig.8: Add certificates with trust anchor for the MDM server
  As no server has been entered, no certificate can be added. Simply click on Next.

Fig.9: Configure iOS Installation Wizard
  • This selects the steps the user must perform in the installation wizard.

Fig.10: Select network profile
  • Choose...: No profile needs to be selected

Fig.11: Select Network Profile
  • Choose...: the created Apple Configurator network profile is selected.

Fig.12: Configurator could not execute the requested action because "iPad" was already prepared.
  • If this message appears, the device has already been configured before and the settings for the System Assistant cannot be transferred directly.
  • With Delete, all contents and settings are deleted and the device is prepared for an (initial) configuration with a connection to the Securepoint Mobile Security Portal.

Fig.13
  • The device is configured. This resets the device.
    Note: All data on the device is deleted. Only operating system updates are retained.
  • Several steps are displayed in the following, the number of which may change.

Fig.14: Process completed.

All devices (new devices as well as existing / used devices) must be added to the DEP in Apple Business Manager (ABM) or Apple School Manager (ASM).

Add devices to the DEP

  • Log in to Apple Business Manager or Apple School Manager with the registered credentials.
  • Open the Device Assignments menu
  • Devices must be assigned to an MDM server in Apple Business Manager or Apple School Manager

1. Select devices

  • The serial number, the order number or a CSV file with serial numbers for one or more devices is specified here.

2. Select action

All devices (new devices as well as existing devices). An action is selected here:

  • Section Perform Action
  • Click on Select Action
    • Assign Server
  • Section MDM Server
    • Click on Select MDM Server
    • Select the desired MDM server
  • With a click on the Done button, the device is assigned to the server.

DEP devices in the Mobile Security Portal

Devices that have been added to the Device Enrollment Program (DEP) with the Apple Business Manager (ABM) or Apple School Manager (ASM) can be recognized in the Securepoint Mobile Security Portal by the abbreviation DEP in the first line of the device tile.
With the connection to DEP it is possible to use the Apple Volume Purchase Program (VPP).
Further notes can be found in the article Apple VPP Apps.

Login to the portal

The device is now displayed in the portal with the status "not configured". The enrollment must be completed by clicking on the device tile.

Device Alias

For better identification, the device should be given an alias name:
a0a0 (4-digit ID) (in the upper part of the device tile)

Ownership Selection

There are two different installation options for the Securepoint Mobile Security App, which result in significant differences in administration:

Owner COPE: The following functions are additionally available in the device administration in the Mobile Security Portal:
  • Localize (at: Operations / Enable Lost Mode)
    Note: Only available if the device has been registered in supervised mode.
  • Clear password (at: Operations)
  • Wipe Data (at: Operations): Deletion of personal data
  • Applications: Monitoring of installed apps, installation, deinstallation
Owner BYOD: Standard functional range
  • No localization
  • No way to remove the local device password
  • No deletion of personal data
  • No control of installed apps

Login
  • Ownership: Selection between
    COPE (Corporate Owned, Personally Enabled)
    BYOD (Bring Your Own Device)
  • Terms of License and Ownership

With BYOD additionally:
  • User: Device user from the user administration
    The user cannot be changed afterwards for BYOD devices.
  • Accept the terms of the license and privacy policy
    Agree: Accepting and saving the settings
  • Displays the updated properties

Apple Re-Enrollment

Note: New as of: 1.24

This function is only available if Apple Re-Enrollment under Settings is active.
Newly added DEP devices are automatically registered in the portal and can be individually pre-configured before they are used for the first time. The settings for user profiles, applications and tags defined in this way are applied seamlessly when the device logs in for the first time.
When a device is recommissioned, its configuration is transferred automatically, provided it is still available in the portal. Such a profile is marked with the label Signed out.



Error messages / Troubleshooting

Error: Unexpected error 33007
  Error message: An unexpected error with "iphone" has occurred.
    Provisional Enrollment failed.
    Network communication error.
    [MCCloudConfigErrorDomain - 0x80EF (33007)]
  Cause: The device is still managed by another MDM.
  Solution: The device must be given a WiFi profile that can be accessed during the preparation process.
    The device must be removed from the previous MDM before it can be reconfigured.

Error: Activation lock
  Error message: "iphone" could not be activated.
    The activation lock for the device may be activated. Continue on the device or use Finder to activate it and press "Retry".
  Cause: The device is still connected to an Apple account.
  Solution: On the device, the connection to the iTunes account must be removed (Preferences -> iTunes & App Store).
    At https://icloud.com / Find my iPhone, the connection with the Apple ID must be removed.

Error: DEP assignment after enrollment
  Error message: The profile has been assigned to the device but will not be applied until the next reset.
  Cause: The boot wizard of the device was run through before the DEP profile was assigned.
  Solution: Delete the device in the MDM via the tile or in the settings.