
  • Note
    This article includes descriptions of third-party software and is based on the status at the time this page was created.
    Changes to the user interface on the part of the manufacturer are possible at any time and must be taken into account accordingly in the implementation.
    All information without warranty.

    Enrollment of iOS / iPad devices with Apple's Device Enrollment Program (Apple DEP)

    New article: 07.2024

    This article refers to a Reseller preview
    Access: portal.securepoint.cloud → Mobile Security → iOS/iPadOS → Devices


    This HowTo describes the enrollment of iOS / iPad devices in the Securepoint Mobile Security Portal. This integrates these iOS / iPad devices into the Securepoint Mobile Device Management (MDM) portal.
    The device profile, users and apps can be assigned in advance, even though the device is not yet fully registered with MDM.
    As soon as the iOS / iPad device is connected to the Internet and initialised, these configurations are automatically downloaded and implemented.

    COBO: Company owned, business only

    Company property without private use

    • The devices are only intended for use in a corporate environment
    • The IT administrator has full control over the smartphone
    • Private data is strictly prohibited on the device

    Overview of the enrolment steps:

    • Preparations in the MDM portal:
      1. Prerequisite fulfilled: Licence and ABM available, device compatible
      2. Apple Push Certificate, DEP token and VPP token available in the MDM portal
      3. Activate Apple Re-Enrollment in the settings
      4. DEP profile and DEP PIN created
      5. Device added to the ABM with a Mac or the iOS app Configurator
      6. Device profile created in the portal
      7. Apps purchased in ABM assigned by tags
      8. New user added in the portal, or integrated via Entra ID
    • Device integration
      1. Device assigned to the Securepoint MDM server in ABM
      2. Accept the terms and conditions (AGB) in the device tile generated in the portal and select the licence
      3. Assignment of:
        1. device name
        2. user
        3. app tags
        4. device profile
      4. Continue setting up on the device


    The devices must not be added to the reseller's ABM/ASM! This would be a violation of Apple's terms and conditions!
    Each end customer should have their own ABM/ASM account, and the devices should be added there accordingly.

    Registration in Apple Business Manager

    There are two different ways to register the iOS/iPad device in the Apple Business Manager (ABM):

    • with the Apple Configurator iOS app
    • with an Apple Mac with Apple Configurator installed

    The iPad must be reset for enrollment. Here is a description of that.
    Start the reset iPad.
    Follow the instructions of the system wizard on the iPad until the section Selecting a WLAN.
    Do not select a WLAN under any circumstances! If one has been selected, the iPad must be restarted.
    Set up the Apple Configurator app on the iPhone:
    • Log in to Business/School Manager
    • Settings → Share WLAN
      The WLAN must not be unencrypted!
    • MDM Server Assignment → Determined → Select Securepoint MDM
    Launch Apple Configurator on the iPhone and hold it close to the iPad.
    • Scan the image in the System Wizard of the iPad using Apple Configurator.
    • Pair manually: Select Pair manually in the System Wizard of the iPad and then click Pair manually in the Apple Configurator. Enter the 6-digit code displayed.
    • If pairing is not displayed in the System Wizard, restart Apple Configurator.
    The iPad is added. Continue the system wizard.
    • Continue the system wizard on the iPad until Delete
      Do not delete the iPad yet!
    • If necessary, check whether the iPad has been correctly assigned to the MDM server in ASM/ABM under Devices
    In the MDM portal under Mobile Security → iOS/iPadOS → Devices, the iPad should be listed. There it can be assigned to a profile.
    • The iPad appears in the MDM Portal.
    • Under Mobile Security → iOS/iPadOS → DEP Profile the iPad is assigned a DEP profile:
      • create a new DEP profile via the Add profile button and add the iPad under Devices, or
      • select an existing DEP profile and add the iPad to it under Devices.
    • Only after the DEP profile has been assigned can the iPad be deleted.
    • When restarting, the device logs in via "Remote administration". When the setup is completed, the enrollment process is finished.


    Option for Internet access on the device:
    • Activation of Internet sharing for the connected Apple device:
      Once the iOS/iPad device has been connected to the Mac, you can go to System Preferences → General → Share → Internet Sharing
    • Activate the port via which the device is connected to the Mac.
    • Set the Share connection accordingly and activate Internet sharing.
    Option for Internet access on the device:
    • Creating a WLAN profile in the Apple Configurator 2:
      Menu File / New profile, section WLAN:
      WLAN can be configured here.
    • The iOS device automatically connects to the Wi-Fi configured here after being set up by the Apple Configurator 2 and immediately connects to DEP and the MDM server.
    • Save in the File / Save as menu.
    • Connect the iPhone / iPad to the Mac and trust access through the Apple Configurator 2.
    • Select the device and configure it by pressing the Prepare button.
    Prepare Devices
    • Prepare with: Manual Configuration. Activate:
      • Add to Apple School Manager or Apple Business Manager
      • Allow devices to pair with other computers
    Register with MDM Server:
    Server: New Server...
    • If another device has already been added, a server can be selected here.
    • Otherwise the configuration data can be stored in the next step.
    Specify MDM server
    • Name: Unique name (choose freely)
    • Host name or URL: leave empty. This only registers the device with ABM. The assignment to the MDM server takes place later.
    If no MDM server has been stored yet:
    • Specify MDM server message: The registration URL of the server could not be verified.
      Since macOS does not yet know the certificate of the individual customer access to the Securepoint Mobile Security Portal, the URL cannot be verified. It is nevertheless correct!
    Add certificates with trust anchor for the MDM server:
    As no server has been entered, no certificate can be added. Simply click on Next.
    Configure iOS Installation Wizard:
    • This selects the steps the user must perform in the installation wizard.
    Select network profile
    • Choose... No profile needs to be selected
    Select Network Profile
    • Selecting... the created Apple Configurator network profile.
    Message: Configurator could not execute the requested action because "iPad" was already prepared.
    • If this message appears, this device has already been configured before and the settings for the System Assistant cannot be transferred directly.
    • With Delete, all contents and settings are deleted and the device is prepared for an (initial) configuration with connection to the Securepoint Mobile Security Portal.
    • The device is configured. This resets the device.
      All data on the device is deleted. Only operating system updates are retained.
    • Several steps are then displayed; their number may vary.
    Process completed.
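
The WLAN profile saved from Apple Configurator 2 (File / Save as) is a .mobileconfig property list, so it can be checked against the rule "The WLAN must not be unencrypted!" before it is selected under Select Network Profile. The following Python check is an added example, not part of the original article or of Securepoint's tooling; the sample profiles, SSIDs and identifiers are constructed, and the findings for WEP, an unpinned encryption type and a stored pre-shared key go beyond what the article states.

```python
import plistlib

WIFI_TYPE = "com.apple.wifi.managed"  # payload type of a Wi-Fi section in a .mobileconfig

def make_profile(ssid, encryption, password=None):
    """Build a constructed sample profile; all identifiers are placeholders."""
    wifi = {"PayloadType": WIFI_TYPE, "PayloadVersion": 1,
            "PayloadIdentifier": "example.invalid.wifi",
            "PayloadUUID": "00000000-0000-0000-0000-000000000001",
            "SSID_STR": ssid, "EncryptionType": encryption, "AutoJoin": True}
    if password is not None:
        wifi["Password"] = password
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": "example.invalid.enrollment",
                           "PayloadUUID": "00000000-0000-0000-0000-000000000002",
                           "PayloadDisplayName": "Enrollment WLAN (sample)",
                           "PayloadContent": [wifi]})

def audit_wifi_profile(data):
    """Return a list of (ssid, finding) tuples; an empty list means no objection."""
    try:
        profile = plistlib.loads(data)
    except Exception:
        return [("-", "not a plain plist (signed or damaged profile?)")]
    if not isinstance(profile, dict):
        return [("-", "unexpected top-level structure")]
    findings = []
    wifi = [p for p in profile.get("PayloadContent", [])
            if isinstance(p, dict) and p.get("PayloadType") == WIFI_TYPE]
    if not wifi:
        findings.append(("-", "profile contains no WLAN payload"))
    for p in wifi:
        ssid = p.get("SSID_STR", "<no SSID>")
        enc = p.get("EncryptionType", "Any")  # assumed "Any" when the key is absent
        if enc == "None":
            findings.append((ssid, "unencrypted WLAN"))
        elif enc == "WEP":
            findings.append((ssid, "WEP is obsolete, use WPA2/WPA3"))
        elif enc == "Any":
            findings.append((ssid, "encryption type not pinned"))
        if "Password" in p:
            findings.append((ssid, "pre-shared key stored in clear text in the file"))
    return findings

if __name__ == "__main__":
    for name, blob in [("open", make_profile("Staging-Open", "None")),
                       ("wpa2", make_profile("Staging", "WPA2", "constructed-psk"))]:
        print(name, audit_wifi_profile(blob))
```

A profile with a pre-shared key always produces the last finding; it is a reminder to treat the saved file as a secret and remove it once the devices are prepared.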


    The following steps are necessary for commissioning the iOS/iPad device in MDM:

    1. Apple Push certificate, Apple DEP token and Apple VPP token are available
    2. Existing DEP profile with DEP PIN
    3. Device profile has been created
    4. Apps purchased in ABM and apps summarised into app groups using tags
    5. Users created or linked via Entra ID

    Push certificate / DEP token / VPP token

    The following steps are taken under Mobile Security → Settings:

    • at Apple Push Certificate, check whether a token is available
      • If one is available, check whether it has not yet expired
      • If none is available, an Apple Push certificate is added via the Add button
    • at Apple DEP, check whether a token is available
      • the following Wiki article describes how to add an Apple DEP token
      • then select Set DEP profile PIN, enter a 6-digit PIN and click Save
      • Activate the option Enable Apple Re-Enrolment
    • at Apple VPP / Apple Business Manager / Apple School Manager, check whether a token is available
      • If one exists, check whether it has not yet expired
      • If none exists, an Apple Push certificate is added via the Add button

    Further information can be found in the corresponding Wiki article.

    Create DEP profile

    Under Mobile Security → iOS/iPadOS → DEP Profile, a new DEP profile can be created with the Add profile button.
    Further information can be found in the Wiki article DEP profiles in the MDM portal.
    In Mobile Security → Settings under Apple DEP, a custom PIN can be entered at Set DEP profile PIN.

    Create device profile

    In Mobile Security → iOS/iPadOS → Profile, a new profile for the device can be created with the Add profile button.

    • For an iOS device or iPad, the type Device profile is selected in the General tab
    • For a Shared iPad, the type Shared iPad is selected in the General tab
      (different users on one device)

    Continue the configuration of the profile accordingly. Further information on the configuration of iOS/iPad devices or Shared iPad devices can be found in the corresponding wiki articles.


    If the required apps for the iOS/iPad device are not yet available, they can be purchased in the Apple Business Manager.
    In Mobile Security → iOS/iPadOS → Apps, the newly acquired apps are added using Add app.
    Use tags to summarise the apps in the required app groups.
    Further information can be found in the Wiki article Apps.

    Create user

    A new user is created in the portal under Users. Two different options are available for this:

    • The  Add user button is used to add a user directly in the portal
    • The user is imported via CSV or Entra ID using the  Import user button

    Further information on Add user and Import user via Entra ID can be found in the corresponding wiki articles.

    First device login

    The following steps are required to log an iOS/iPad device into MDM for the first time:

    1. Assign device in ABM to the Securepoint MDM server
    2. Accept the terms and conditions in the generated device tile and select the licence
    3. Configure device tile (assign suitable name, assign user, assign device profile, assign app tags)
    4. Continue setup on the device

    Assign device in ABM to the Securepoint MDM server

    These steps are necessary to assign the iOS/iPad device to the Securepoint MDM server in the Apple Business Manager (ABM):

    1. Under Mobile Security → Settings → Apple DEP, use Add profile to download the Apple push certificate (*.pem file)
    2. Upload this certificate in the Apple Business Manager or Apple School Manager menu Settings (click on the user name in the menu bar)
      • ABM: If a corresponding MDM server has not yet been created:
        • ABM: Menu Settings / Your MDM server / Add
        • ABM: MDM server name: unique name
        • ABM: MDM server settings, Select file: Upload the *.pem file previously downloaded from the Securepoint Mobile Security Portal and save
      • ABM: Selection of the appropriate MDM server ttt-point-mdm-Server-123456.sms
      • ABM: Download the DEP token (*.p7m file) with the button Load token in the Apple Business Manager or Apple School Manager in the menu
    3. Upload the *.p7m file in the dialogue window opened under point 1 in the Securepoint Mobile Security Portal. Finalise with Finish

    Further information can be found in the following Wiki article.

    General terms and conditions and licence

    A device tile with the label logged out is generated in the portal at Mobile Security → iOS/iPadOS → Devices. This device tile serves as a placeholder.
    Clicking on this device tile opens a dialogue window in which the terms and conditions are accepted. The corresponding licence is then selected. This causes the Terms not accepted label to disappear from the device tile.

    Configure device tile

    This device tile is configured. The following steps are necessary:

    • Use the button on the device tile or in the device details to enter a suitable name and save it using
    • The previously created device profile is assigned to the device tile by selecting the device tile in the profile tab under the Devices option
    • Under Tags the app tags and thus the app groups to be installed on the device are selected
    • The desired user is assigned to the device under User

    Continue device setup

    The setup on the iOS/iPad device can be continued and completed. The previously defined DEP PIN must be entered.
    The enrolment of the device in the MDM portal is now complete.

    Apple Re-Enrollment

    This function is only available if Apple Re-Enrolment is active under Settings.
    Newly added DEP devices are automatically registered in the portal and can be individually pre-configured before they are used for the first time. The settings for user profiles, applications and tags defined in this way are applied seamlessly when the device logs in for the first time.
    When a device is recommissioned, the configurations of the device are automatically transferred, provided it is still available in the portal. This profile will be marked with the label Signed out.