Introduction
This HowTo describes the enrollment of iOS / iPad devices in the Securepoint Mobile Security Portal. This integrates these iOS / iPad devices into the Securepoint Mobile Device Management (MDM) portal.
The device profile, users and apps can be assigned in advance, even though the device is not yet fully registered with MDM.
As soon as the iOS / iPad device is connected to the Internet and initialised, these configurations are automatically downloaded and implemented.
COBO: Company owned, business only
Company property without private use
- The devices are only intended for use in a corporate environment
- The IT administrator has full control over the smartphone
- Private data is strictly prohibited on the device
Overview of the enrolment steps:
- Preparations in the MDM portal:
  - Prerequisite fulfilled: Licence and ABM available, device compatible
  - Apple Push Certificate, DEP token and VPP token available in the MDM portal
  - Activate Apple Re-Enrollment in the settings
  - DEP profile and DEP PIN created
  - Device added to the ABM with a Mac or the iOS app Configurator
  - Device profile created in the portal
  - Apps purchased in ABM assigned by tags
  - New user added in the portal, or integrated via Entra ID
- Device integration:
  - Device assigned to the Securepoint MDM server in ABM
  - Accept the terms and conditions in the device tile generated in the portal and select the licence
  - Assignments of:
    - device name
    - user
    - app tags
    - device profile
  - Continue setting up on the device
Requirement
- iOS or iPadOS version 14 or higher
- a Mobile Device Management (MDM) licence must exist
- Access to Apple Business Manager must be available
Registration in Apple Business Manager
There are two different ways to register the iOS/iPad device in the Apple Business Manager (ABM):
- with the Apple Configurator iOS app
- with an Apple Mac with Apple Configurator installed
Start-up
The following steps are necessary for commissioning the iOS/iPad device in MDM:
- Apple Push certificate, Apple DEP token and Apple VPP token are available
- Existing DEP profile with DEP PIN
- Device profile has been created
- Apps purchased in ABM and grouped into app groups using tags
- Users created or linked via Entra ID
Push certificate / DEP token / VPP token
The following steps are taken in the MDM portal:
- At Apple Push Certificate, check whether a token is available
  - If one is available, check whether it has not yet expired
  - If none is available, an Apple Push certificate is added via the Add button
- At Apple DEP, check whether a token is available
  - The following Wiki article describes how to add an Apple DEP token
  - Then select Set DEP profile PIN, enter a 6-digit PIN and click Save
- Activate the option Enable Apple Re-Enrolment
- At Apple VPP / Apple Business Manager / Apple School Manager, check whether a token is available
  - If one exists, check whether it has not yet expired
  - If none exists, an Apple Push certificate is added via the Add button
Further information can be found in the corresponding Wiki article.
Create DEP profile
Under Add profile a new DEP Profile can be created.
Further information can be found in the Wiki article DEP profiles in the MDM portal.
Under Apple DEP, a custom PIN can be entered at Set DEP profile PIN.
Create device profile
A new profile for the device can be created with the Add profile button.
- For an iOS device and iPad, the type Device profile is selected in the General tab
- For a Shared iPad (different users on one device), the type Shared iPad is selected in the General tab
Continue the configuration of the profile accordingly. Further information on the configuration of iOS/iPad devices or Shared iPad devices can be found in the corresponding wiki articles.
Apps
If the required apps for the iOS/iPad device are not yet available, they can be purchased in the Apple Business Manager.
The newly acquired apps are added in the portal using Add app.
Use tags to group the apps into the required app groups.
Further information can be found in the Wiki article Apps.
Create user
A new user is created in the portal. Two different options are available for this:
- The Add user button is used to add a user directly in the portal
- The user is imported via CSV or Entra ID using the Import user button
Further information on Add user and Import user via Entra ID can be found in the corresponding wiki articles.
First device login
The following steps are required to log an iOS/iPad device into MDM for the first time:
- Assign device in ABM to the Securepoint MDM server
- Accept the terms and conditions in the generated device tile and select the licence
- Configure device tile (assign suitable name, assign user, assign device profile, assign app tags)
- Continue setup on the device
Assign device in ABM to the Securepoint MDM server
These steps are necessary to assign the iOS/iPad device to the Securepoint MDM server in the Apple Business Manager (ABM):
- Under Apple DEP, use Add profile to download the Apple push certificate (*.pem file)
- Upload this certificate in the Apple Business Manager or Apple School Manager menu Settings (click on the user name in the menu bar)
- ABM: If a corresponding MDM server has not yet been created:
- ABM: Selection of the appropriate MDM server ttt-point-mdm-Server-123456.sms
- ABM: Download the DEP token (*.p7m file) with the button Load token in the Apple Business Manager or Apple School Manager
- Upload the *.p7m file in the dialogue window opened under point 1 in the Securepoint Mobile Security Portal. Finalise with Finish
Further information can be found in the following Wiki article.
General terms and conditions and licence
A device tile with the label logged out is generated in the portal. This device tile serves as a placeholder.
Clicking on this device tile opens a dialogue window in which the terms and conditions are accepted. The corresponding licence is then selected. This causes the Terms not accepted label to disappear from the device tile.
Configure device tile
This device tile is configured. The following steps are necessary:
- Use the button on the device tile or in the device details to enter a suitable name and save it
- The previously created device profile is assigned to the device tile by selecting the device tile in the profile, in the General tab under the Devices option
- Under Tags, the app tags and thus the app groups to be installed on the device are selected
- The desired user is assigned to the device under User
Continue device setup
The setup on the iOS/iPad device can be continued and completed. The previously defined DEP PIN must be entered.
The enrolment of the device in the MDM portal is now complete.
Apple Re-Enrollment
This function is only available if Apple Re-Enrolment under Settings is active.
Newly added DEP devices are automatically registered in the portal and can be individually pre-configured before they are used for the first time. The settings for user profiles, applications and tags defined in this way are applied seamlessly when the device logs in for the first time.
When a device is recommissioned, the configurations of the device are automatically transferred, provided it is still available in the portal. This profile will be marked with the label Signed out.