Note
This article includes descriptions of third-party software and is based on the status at the time this page was created. Changes to the user interface on the part of the manufacturer are possible at any time and must be taken into account accordingly in the implementation. All information without warranty.
Enrollment of iOS / iPad devices with Apple's Device Enrollment Program (Apple DEP)
This HowTo describes the enrollment of iOS / iPad devices in the Securepoint Mobile Security Portal. This integrates these iOS / iPad devices into the Securepoint Mobile Device Management (MDM) portal. The device profile, users and apps can be assigned in advance, even though the device is not yet fully registered with MDM. As soon as the iOS / iPad device is connected to the Internet and initialised, these configurations are automatically downloaded and implemented.
COBO: Company owned, business only
Company property without private use
The devices are only intended for use in a corporate environment
The IT administrator has full control over the smartphone
Private data is strictly prohibited on the device
Overview of the enrolment steps:
Preparations in the MDM portal:
Prerequisite fulfilled: Licence and ABM available, device compatible
Apple Push Certificate, DEP token and VPP token available in the MDM portal
Activate Apple Re-Enrollment in the settings
DEP profile and DEP PIN created
Device added to the ABM with a Mac or the iOS app Configurator
Device profile created in the portal
Apps purchased in ABM assigned by tags
New user added in the portal, or integrated via Entra ID
Device integration
Device assigned to the Securepoint MDM server in ABM
Accept the terms and conditions (AGB) on the device tile generated in the portal and select the licence
The devices must not be added to the reseller's ABM/ASM! This would be a violation of Apple's terms and conditions! Each end customer should have their own ABM/ASM account, and the devices are added there accordingly.
Registration in Apple Business Manager
There are two different ways to register the iOS/iPad device in the Apple Business Manager (ABM):
with the Apple Configurator iOS app
with an Apple Mac with Apple Configurator 2 installed
The iPad must be reset for enrollment. This is described below.
Fig.2
Start resetting the iPad.
Fig.3
Follow the instructions of the system wizard on the iPad up to the section Selecting a WLAN.
Do not select a WLAN under any circumstances! If one has been selected, the iPad must be restarted.
Fig.4
Set up Apple Configurator App on the iPhone:
Log in to Business/School Manager
Settings → Share WLAN
The WLAN must be encrypted; an unencrypted WLAN must not be used!
MDM Server Assignment → Determined → Select Securepoint MDM
Fig.5
Launch Apple Configurator on the iPhone and hold it close to the iPad.
Either
Scan the image in the System Wizard of the iPad using Apple Configurator.
or
Pair manually: select Pair manually in the System Wizard of the iPad, then tap Pair manually in Apple Configurator and enter the 6-digit code that is displayed.
If the pairing option is not displayed in the System Wizard, restart Apple Configurator.
Fig.6
The iPad is added. Continue the system wizard.
Fig.7
Continue the system wizard on the iPad up to the step Delete.
Do not delete the iPad yet!
If necessary, check under Devices in ASM/ABM whether the iPad has been correctly assigned to the MDM server.
Fig.8
In the MDM portal under Mobile Security → iOS/iPadOS → Devices, the iPad should now be listed. There it can be assigned to a profile.
Registration with a Mac and Apple Configurator 2: once the iOS/iPad device has been connected to the Mac, activate Internet sharing for it under System Preferences → General → Share → Internet Sharing.
Activate the port via which the device is connected to the Mac.
Set the shared connection accordingly and activate Internet sharing.
Creating a WLAN profile in Apple Configurator 2: menu File → New profile, section WLAN: the WLAN is configured here.
After being set up by Apple Configurator 2, the iOS device automatically connects to the Wi-Fi configured here and immediately contacts DEP and the MDM server.
Save via the menu File → Save as.
Fig.3
Connect the iPhone / iPad to the Mac and trust the access via Apple Configurator 2.
Select the device and start the configuration with the Prepare button.
Fig.4
Prepare Devices: select Prepare with Manual Configuration and activate:
Add to Apple School Manager or Apple Business Manager
Allow devices to pair with other computers
Fig.5
Register with MDM Server: Server: New Server...
If another device has already been added, an existing server can be selected here.
Otherwise the configuration data is entered in the next step.
Fig.6
Specify MDM server: Name: unique name (choose freely); Host name or URL: leave empty. This step only registers the device with ABM. The assignment to the MDM server takes place later.
Fig.7
If no MDM server has been stored yet:
Specify MDM server. Message: The registration URL of the server could not be verified. Since macOS does not yet know the certificate of the customer's individual access to the Securepoint Mobile Security Portal, the URL cannot be verified. It is nevertheless correct!
Add certificates with trust anchor for the MDM server: as no server has been entered, no certificate can be added. Simply click Next.
Fig.9
Configure iOS Installation Wizard:
Here you select which steps the user must perform in the installation wizard.
Fig.10
Select network profile
Choose...: no profile needs to be selected here.
Fig.11
Select Network Profile
Choose... the Apple Configurator network profile created earlier.
Fig.12
Configurator could not execute the requested action because "iPad" was already prepared.
If this message appears, the device has already been configured before and the settings for the System Assistant cannot be transferred directly.
With Delete all contents and settings, all data is deleted and the device is prepared for an (initial) configuration with a connection to the Securepoint Mobile Security Portal.
Fig.13
The device is configured. This resets the device.
All data on the device is deleted. Only operating system updates are retained.
Several steps are then displayed in sequence; their number may vary.
Fig.14
Process completed.
Start-up
The following steps are necessary for commissioning the iOS/iPad device in MDM:
Apple Push certificate, Apple DEP token and Apple VPP token are available
Existing DEP profile with DEP PIN
Device profile has been created
Apps purchased in ABM and grouped into app groups using tags
Users created or linked via Entra ID
Push certificate / DEP token / VPP token
The following steps are taken under Mobile Security → Settings:
Under Apple Push Certificate, check whether a token is available
If one is available, check whether it has not yet expired
If none is available, an Apple Push certificate is added via the Add button
Under Apple DEP, check whether a token is available
The following Wiki article describes how to add an Apple DEP token
Then choose Set DEP profile PIN, enter a 6-digit PIN and click Save
Activate the option Enable Apple Re-Enrolment
Under Apple VPP / Apple Business Manager / Apple School Manager, check whether a token is available
If one exists, check whether it has not yet expired
If none exists, one is added via the Add button
Under Mobile Security → iOS/iPadOS → DEP Profile, a new DEP profile can be created with the button Add profile. Further information can be found in the Wiki article DEP profiles in the MDM portal. Under Mobile Security → Settings → Apple DEP, you can enter your own PIN at Set DEP profile PIN.
Create device profile
Under Mobile Security → iOS/iPadOS → Profile, a new profile for the device can be created with the button Add profile.
For an iOS device or iPad, select the Type device profile in the General tab
For a Shared iPad, select the Type Shared iPad in the General tab
Continue the configuration of the profile accordingly. Further information on the configuration of iOS/iPad devices or Shared iPad devices can be found in the corresponding wiki articles.
Apps
If the required apps for the iOS/iPad device are not yet available, they can be purchased in the Apple Business Manager.
Under Mobile Security → iOS/iPadOS → Apps, the newly acquired apps are added using Add app.
Use tags to group the apps into the required app groups.
Further information can be found in the Wiki article Apps.
Create user
A new user is created in the portal under Users. Two different options are available for this:
The Add user button is used to add a user directly in the portal
The user is imported via CSV or Entra ID using the Import user button
ABM: If a corresponding MDM server has not yet been created:
ABM: Menu Settings → Your MDM server → Add
ABM: MDM server name: unique name
ABM: MDM server settings → Select file: upload the *.pem file previously downloaded from the Securepoint Mobile Security Portal and save
ABM: Select the appropriate MDM server, e.g. ttt-point-mdm-Server-123456.sms
ABM: Download the DEP token (*.p7m file) with the Load token button in the Apple Business Manager or Apple School Manager menu
Upload the *.p7m file in the dialogue window opened under point 1 in the Securepoint Mobile Security Portal. Finalise with Finish
Further information can be found in the following Wiki article.
General terms and conditions and licence
A device tile with the label logged out is generated in the portal under Mobile Security → iOS/iPadOS → Devices. This device tile serves as a placeholder. Clicking on it opens a dialogue window in which the terms and conditions are accepted. The corresponding licence is then selected. The Terms not accepted label then disappears from the device tile.
Configure device tile
This device tile is now configured. The following steps are necessary:
Use the button on the device tile or in the device details to enter a suitable name and save it
The previously created device profile is assigned to the device tile by selecting the device tile in the profile's General tab under the Devices option
Under Tags, the app tags and thus the app groups to be installed on the device are selected
The desired user is assigned to the device under User
Continue device setup
The setup on the iOS/iPad device can now be continued and completed. The previously defined DEP PIN must be entered. The enrolment of the device in the MDM portal is then complete.
Apple Re-Enrollment
This function is only available if Apple Re-Enrolment under Settings is active. Newly added DEP devices are automatically registered in the portal and can be individually pre-configured before they are used for the first time. The settings for user profiles, applications and tags defined in this way are applied seamlessly when the device logs in for the first time. When a device is recommissioned, the configurations of the device are automatically transferred, provided it is still available in the portal. This profile will be marked with the label Signed out.