  • Note

    This article includes descriptions of third-party software and is based on the status at the time this page was created.
    Changes to the user interface on the part of the manufacturer are possible at any time and must be taken into account accordingly in the implementation.
    All information without warranty.

  • Enrollment of iOS / iPad devices with Apple's Device Enrollment Program (Apple DEP)

    New article: 07.2024

    Note: This article refers to a beta version.
    Access: portal.securepoint.cloud → Mobile Security → iOS/iPadOS → Devices

    Introduction

    This HowTo describes the enrollment of iOS/iPadOS devices in the Securepoint Mobile Security Portal, which integrates these devices into Securepoint Mobile Device Management (MDM).
    The device profile, users and apps can be assigned in advance, even though the device is not yet fully registered with MDM.
    As soon as the iOS/iPadOS device is connected to the Internet and initialised, these configurations are downloaded and applied automatically.



    COBO: Company owned, business only

    Company property without private use

    • The devices are only intended for use in a corporate environment
    • The IT administrator has full control over the smartphone
    • Private data is strictly prohibited on the device

    Overview of the enrollment steps:

    • Preparations in the MDM portal:
      1. Prerequisites fulfilled: licence and ABM available, device compatible
      2. Apple Push certificate, DEP token and VPP token available in the MDM portal
      3. Apple Re-Enrollment activated in the settings
      4. DEP profile and DEP PIN created
      5. Device added to the ABM with a Mac or the iOS app Apple Configurator
      6. Device profile created in the portal
      7. Apps purchased in ABM and assigned by tags
      8. New user added in the portal, or integrated via Entra ID
    • Device integration
      1. Device assigned to the Securepoint MDM server in ABM
      2. Terms and conditions accepted in the device tile generated in the portal, and licence selected
      3. Assignment of:
        1. device name
        2. user
        3. app tags
        4. device profile
      4. Setup continued on the device





    Requirement

    The devices must not be added to the reseller's ABM/ASM! This would be a violation of Apple's terms and conditions.
    Each end customer must have their own ABM/ASM account, and the devices are added there.

    As of portal version 2.8, a DEP profile PIN must be set; otherwise, for security reasons, enrollment of iOS/iPadOS devices with DEP profiles is no longer possible.


    Registration in Apple Business Manager

    There are two different ways to register the iOS/iPadOS device in Apple Business Manager (ABM):

    • with the Apple Configurator iOS app
    • with a Mac with Apple Configurator installed


    Fig.1
    • The iPad must be reset for enrollment
    • A description of the reset procedure is linked here
    Fig.2
    • Start the reset of the iPad
    Fig.3
    • Follow the system wizard on the iPad until the step Selecting a WLAN
      Do not select a WLAN under any circumstances! If one has been selected, the iPad must be restarted.
    Fig.4
    • Set up the Apple Configurator app on the iPhone:
      • Log in to Business/School Manager
      • Settings → Share WLAN
        The shared WLAN must not be unencrypted!
      • MDM Server Assignment → Determined → Select Securepoint MDM
    Fig.5
    • Launch Apple Configurator on the iPhone and hold it close to the iPad. Either
      • scan the image shown in the system wizard of the iPad with Apple Configurator, or
      • pair manually: choose Pair manually in the system wizard of the iPad, then tap Pair manually in Apple Configurator and enter the 6-digit code displayed.
    • If the pairing option is not displayed in the system wizard, restart Apple Configurator.
    Fig.6
    • The iPad is added
    • Continue the system wizard
    Fig.7
    • Continue the system wizard on the iPad until the step Erase iPad
      Do not erase the iPad yet!
    • If necessary, check under Devices in ASM/ABM whether the iPad has been correctly assigned to the MDM server
    Fig.8
    • In the MDM portal under Mobile Security → iOS/iPadOS → Devices, the iPad should now be listed
    • There it can be assigned a DEP profile:
      • Under Mobile Security → iOS/iPadOS → DEP Profile, create a new DEP profile via the Add profile button and add the iPad under Devices, or
      • select an existing DEP profile and add the iPad to it under Devices.
    • Only after the DEP profile has been assigned may the iPad be erased
      The details of the device tile under DEP Profile show the DEP profile with the note The profile has been assigned to the device but will only be applied the next time it is reset
    • After the reset and the renewed initial setup of the iPad, the Remote Management screen appears, which registers the iPad with the MDM
      Make sure a Wi-Fi connection has been established
    • When the setup is completed, the enrollment is finished
      If Remote Management is not displayed and the setup wizard runs again as before (it is in a loop), it may help to close the Apple Configurator app or to move the iPhone away from the iPad.




    Fig.1
    Option for Internet access on the device:
    • Activate Internet Sharing for the connected Apple device:
      Once the iOS/iPadOS device is connected to the Mac, open System Settings → General → Sharing → Internet Sharing
    • Activate the port via which the device is connected to the Mac.
    • Set Share connection from accordingly and activate Internet Sharing.
    Fig.2
    Option for Internet access on the device:
    • Create a WLAN profile in Apple Configurator 2:
      Menu File → New Profile, section WLAN:
      The WLAN can be configured here.
    • After being prepared by Apple Configurator 2, the iOS device automatically connects to the Wi-Fi configured here and immediately contacts DEP and the MDM server.
    • Save via File → Save As.
    Fig.3
    • Connect the iPhone/iPad to the Mac and trust access from Apple Configurator 2.
    • Select the device and start the configuration with the Prepare button.
    Fig.4
    Prepare Devices
    • Prepare with: Manual Configuration; enable:
      • Add to Apple School Manager or Apple Business Manager
      • Allow devices to pair with other computers (this controls whether the supervised device may later pair with Macs other than the supervising one; enable it only if that is actually required)
    Fig.5
    Register with MDM Server:
    Server: New Server...
    • If another device has already been added, a server can be selected here.
    • Otherwise the configuration data is entered in the next step.
    Fig.6
    Specify MDM server
    Name: unique name (choose freely)
    Host name or URL: leave empty. This only registers the device with ABM; the assignment to the MDM server takes place later.
    Fig.7
    If no MDM server has been stored yet:
    • Specify MDM server, message: The registration URL of the server could not be verified.
      Since macOS does not yet know the certificate of the customer's individual access to the Securepoint Mobile Security Portal, the URL cannot be verified. The configuration is nevertheless correct; continue.
    Fig.8
    Add certificates with trust anchor for the MDM server:
    As no server has been entered, no certificate can be added. Simply click Next.
    Fig.9
    Configure iOS Setup Assistant:
    • This selects the steps the user must perform in the setup assistant.
    Fig.10
    Select network profile
    • Choose...: when Internet Sharing is used, no profile needs to be selected here
    Fig.11
    Select network profile
    • Choose...: when a WLAN profile is used, select the Apple Configurator network profile created above.
    Fig.12
    Configurator could not execute the requested action because "iPad" was already prepared.
    • If this message appears, the device has already been configured before and the settings for the Setup Assistant cannot be transferred directly.
    • Erase All Content and Settings erases the device and prepares it for an (initial) configuration with connection to the Securepoint Mobile Security Portal.
    Fig.13
    • The device is being configured. This resets the device.
      All data on the device is deleted. Only operating system updates are retained.
    • Several steps are displayed in the following; their number may vary.
    Fig.14
    Process completed.
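    The WLAN profile from Fig.2 and the shared WLAN in the Apple Configurator iOS app procedure both carry the same caveat: the network must not be unencrypted. The following is an added example, not code from Securepoint or Apple, that generates such a Wi-Fi profile (.mobileconfig) with Python's standard library and refuses open or legacy-encrypted networks, and that can also parse a profile somebody else exported to show which networks it would join. It assumes the documented Apple Wi-Fi payload keys (PayloadType com.apple.wifi.managed, SSID_STR, EncryptionType, Password, AutoJoin, HIDDEN_NETWORK); the SSID, passphrase, identifier and organisation name are constructed sample values, and the generated profile is unsigned.

```python
"""Generate a Wi-Fi .mobileconfig profile for Apple Configurator and refuse
open networks.

Added example for this article; not code from Securepoint or Apple.
Assumed: the payload keys PayloadType=com.apple.wifi.managed, SSID_STR,
HIDDEN_NETWORK, AutoJoin, EncryptionType and Password are the documented
Apple Wi-Fi payload keys. SSID, passphrase, identifier and organisation below
are constructed sample values; the generated profile is unsigned.
"""
import plistlib
import uuid

# The article only requires that the network is not unencrypted. This example
# is stricter and accepts WPA2/WPA3 only; "None" (open network) and the legacy
# types WEP/WPA/Any are rejected.
ALLOWED_ENCRYPTION = ("WPA2", "WPA3")


def build_wifi_profile(ssid: str, psk: str, encryption: str = "WPA2",
                       hidden: bool = False,
                       identifier: str = "com.example.mdm.enrollment-wifi",
                       org: str = "Example Customer GmbH") -> bytes:
    """Return an XML plist (.mobileconfig) containing one managed Wi-Fi payload."""
    if encryption not in ALLOWED_ENCRYPTION:
        raise ValueError(f"refusing EncryptionType {encryption!r}; allowed: {ALLOWED_ENCRYPTION}")
    ssid_bytes = ssid.encode("utf-8")
    if not ssid_bytes or len(ssid_bytes) > 32:
        raise ValueError("SSID must be 1-32 bytes")
    # WPA2/WPA3-Personal passphrases are 8-63 printable ASCII characters.
    if not (8 <= len(psk) <= 63) or not psk.isascii() or not psk.isprintable():
        raise ValueError("passphrase must be 8-63 printable ASCII characters")

    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{identifier}.wifi",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Wi-Fi {ssid}",
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": hidden,
        "AutoJoin": True,          # join without user interaction during Setup Assistant
        "EncryptionType": encryption,
        "Password": psk,           # stored in clear text inside the profile
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Enrollment Wi-Fi",
        "PayloadOrganization": org,
        "PayloadContent": [wifi_payload],
    }
    return plistlib.dumps(profile)


def wifi_payloads(profile: bytes) -> list:
    """List the Wi-Fi payloads of a profile (ours or an exported one).

    Each entry reports SSID, encryption type and whether the payload would
    join an open network, so a profile can be reviewed before it is handed
    to Apple Configurator.
    """
    data = plistlib.loads(profile)
    found = []
    for payload in data.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.wifi.managed":
            continue
        enc = payload.get("EncryptionType", "None")
        found.append({"ssid": payload.get("SSID_STR"),
                      "encryption": enc,
                      "open": enc == "None"})
    return found


if __name__ == "__main__":
    out = build_wifi_profile("corp-enroll", "S3cure-Enroll-Passphrase!", "WPA2")
    with open("enrollment-wifi.mobileconfig", "wb") as fh:
        fh.write(out)
    print(wifi_payloads(out))
```

    The generated file can be imported into Apple Configurator 2 instead of creating the profile by hand via File → New Profile. Note that the passphrase is embedded in clear text, so the .mobileconfig must be handled like a credential, and wifi_payloads() gives a quick review of a profile received from elsewhere before it is used for enrollment.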


    Start-up

    The following steps are necessary to commission the iOS/iPadOS device in MDM:

    1. Apple Push certificate, Apple DEP token and Apple VPP token are available
    2. An existing DEP profile with DEP PIN
    3. Device profile has been created
    4. Apps purchased in ABM and grouped into app groups using tags
    5. Users created or linked via Entra ID

    Push certificate / DEP token / VPP token

    The following steps are carried out under Mobile Security → Settings:

    • Under Apple Push Certificate, check whether a certificate is present
      • If one is present, check that it has not yet expired
      • If none is present, add an Apple Push certificate via the Add button
    • Under Apple DEP, check whether a token is present
      • The Wiki article linked there describes how to add an Apple DEP token
      • Then enter your own 6-digit PIN under Set DEP profile PIN and Save
      • Activate the option Enable Apple Re-Enrollment
    • Under Apple VPP / Apple Business Manager / Apple School Manager, check whether a token is present
      • If one is present, check that it has not yet expired
      • If none is present, add a VPP token via the Add button

    Further information can be found in the corresponding Wiki article.
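    The two checks above, "not yet expired" and, from the Requirement section, "belongs to the end customer's own ABM/ASM rather than the reseller's", can be automated for the VPP token. The following is an added example (not code from the Securepoint portal) that decodes an sToken downloaded from ABM/ASM. It assumes the sToken is a base64-encoded JSON object with the keys token, expDate and orgName, with expDate formatted like 2025-08-13T04:17:08+0000; the token embedded below is constructed for offline use, and the organisation name Example Customer GmbH is a placeholder.

```python
"""Decode an Apple VPP sToken (Apps and Books token) and report whether it
belongs to the expected organisation and how long it stays valid.

Added example for this article; not code from the Securepoint portal.
Assumed: the sToken downloaded from ABM/ASM is a base64-encoded JSON object
with the keys "token", "expDate" and "orgName", and expDate is formatted as
2025-08-13T04:17:08+0000. The token built below is a constructed sample.
"""
import base64
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

REQUIRED_KEYS = {"token", "expDate", "orgName"}


def decode_stoken(stoken: str) -> dict:
    """Base64-decode the sToken and validate its JSON structure."""
    raw = base64.b64decode(stoken.strip(), validate=True)  # ValueError on garbage
    data = json.loads(raw)
    missing = REQUIRED_KEYS - data.keys()
    if missing:
        raise ValueError(f"sToken is missing keys: {sorted(missing)}")
    return data


def parse_exp_date(exp: str) -> datetime:
    """expDate carries a numeric UTC offset without a colon, hence strptime %z."""
    return datetime.strptime(exp, "%Y-%m-%dT%H:%M:%S%z")


def check_stoken(stoken: str, expected_org: str, now: Optional[datetime] = None,
                 warn_days: int = 30) -> dict:
    """Classify a token as OK, EXPIRING, EXPIRED or WRONG_ORG.

    WRONG_ORG catches a token issued by another organisation (for example the
    reseller's ABM instead of the end customer's). It takes precedence over the
    expiry state because such a token must not be uploaded at all.
    """
    data = decode_stoken(stoken)
    now = now or datetime.now(timezone.utc)
    exp = parse_exp_date(data["expDate"])
    remaining = exp - now
    org_ok = data["orgName"] == expected_org
    if not org_ok:
        status = "WRONG_ORG"
    elif remaining <= timedelta(0):
        status = "EXPIRED"
    elif remaining <= timedelta(days=warn_days):
        status = "EXPIRING"
    else:
        status = "OK"
    return {
        "org": data["orgName"],
        "org_ok": org_ok,
        "expires": exp.isoformat(),
        "days_left": int(remaining.total_seconds() // 86400),  # floored; negative once expired
        "status": status,
    }


def make_sample_stoken(org: str, exp_date: str) -> str:
    """Build a structurally valid sToken for offline testing (constructed, not from ABM)."""
    body = {"token": "opaque-sample-token-value", "expDate": exp_date, "orgName": org}
    return base64.b64encode(json.dumps(body).encode()).decode()


# Constructed sample; a real token is only ever downloaded from ABM/ASM.
SAMPLE_STOKEN = make_sample_stoken("Example Customer GmbH", "2025-08-13T04:17:08+0000")

if __name__ == "__main__":
    print(check_stoken(SAMPLE_STOKEN, "Example Customer GmbH"))
```

    Run check_stoken() on the token file before uploading it; anything other than OK should stop the upload, and WRONG_ORG is exactly the reseller-account mistake the Requirement section warns about. The DEP token (*.p7m) cannot be inspected the same way, because it is an S/MIME message encrypted to the MDM server's key, so its validity is read from the portal after upload.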

    Create DEP profile

    Make sure that under Mobile Security → Settings → Apple DEP a PIN of your own has been entered at Set DEP profile PIN.
    Under Mobile Security → iOS/iPadOS → DEP Profile, a new DEP profile can be created with the Add profile button.
    Further information can be found in the Wiki article DEP profiles in the MDM portal.

    Create device profile

    In Mobile Security → iOS/iPadOS → Profile, a new profile for the device can be created with the Add profile button.

    • For an iOS device or iPad, select the type Device profile in the General tab
    • For a Shared iPad (different users on one device), select the type Shared iPad in the General tab

    Continue the configuration of the profile accordingly. Further information on configuring iOS/iPadOS devices or Shared iPads can be found in the corresponding Wiki articles.

    Apps

    If the required apps for the iOS/iPadOS device are not yet available, they can be purchased in Apple Business Manager.
    In Mobile Security → iOS/iPadOS → Apps, the newly acquired apps are added using Add app.
    Use tags to group the apps into the required app groups.
    Further information can be found in the Wiki article Apps.

    Create user

    A new user is created in the portal under Users. Two options are available:

    • The Add user button adds a user directly in the portal
    • The Import user button imports users via CSV or Entra ID

    Further information on Add user and Import user via Entra ID can be found in the corresponding Wiki articles.



    First device login

    The following steps are required to log an iOS/iPadOS device into MDM for the first time:

    1. Assign the device in ABM to the Securepoint MDM server
    2. Accept the terms and conditions in the generated device tile and select the licence
    3. Configure the device tile (assign a suitable name, a user, a device profile and app tags)
    4. Continue the setup on the device

    Assign device in ABM to the Securepoint MDM server

    These steps are necessary to assign the iOS/iPadOS device to the Securepoint MDM server in Apple Business Manager (ABM):

    1. Under Mobile Security → Settings → Apple DEP → Add profile, download the certificate (*.pem file) offered there. (This is not the APNs push certificate: ABM uses this public key to encrypt the DEP token for this MDM server.)
    2. Upload this certificate in Apple Business Manager or Apple School Manager under Settings (click on the user name in the menu bar):
      • ABM: If a corresponding MDM server has not yet been created:
        • ABM: Menu Settings / Your MDM server / Add
        • ABM: MDM server name: unique name
        • ABM: MDM server settings / Select file: upload the *.pem file previously downloaded from the Securepoint Mobile Security Portal and save
      • ABM: Select the appropriate MDM server, e.g. ttt-point-mdm-Server-123456.sms
      • ABM: Download the DEP token (*.p7m file) in Apple Business Manager or Apple School Manager with the Load token button
    3. Upload the *.p7m file in the dialogue window opened in step 1 in the Securepoint Mobile Security Portal. Complete with Finish.

    Further information can be found in the following Wiki article.

    General terms and conditions and licence

    A device tile with the label Logged out is generated in the portal at Mobile Security → iOS/iPadOS → Devices. This device tile serves as a placeholder.
    Clicking on this device tile opens a dialogue window in which the terms and conditions are accepted. The corresponding licence is then selected. The Terms not accepted label then disappears from the device tile.

    Configure device tile

    This device tile is now configured. The following steps are necessary:

    • Use the edit button on the device tile or in the device details to enter a suitable name and save it
    • The previously created device profile is assigned by opening the profile and selecting the device tile under Devices in its General tab
    • Under Tags, select the app tags and thus the app groups to be installed on the device
    • Under User, assign the desired user to the device

    Continue device setup

    The setup on the iOS/iPadOS device can now be continued and completed. The previously defined DEP PIN must be entered.
    The enrollment of the device in the MDM portal is now complete.


    Apple Re-Enrollment

    This function is only available if Apple Re-Enrollment is activated under Settings.
    Newly added DEP devices are automatically registered in the portal and can be individually pre-configured before they are used for the first time. The user, profile, app and tag settings defined in this way are applied seamlessly when the device logs in for the first time.
    When a device is set up again, its configuration is transferred automatically, provided it is still present in the portal. Such a device is marked with the label Signed out.