- 1 Informations
- 2 Requirements
- 3 Establish connection to DEP (Device Enrollment Program)
- 4 Prepare devices
- 5 Add devices to the DEP
- 6 Login to the portal
- 7 Error messages / Troubleshooting
Device enrollment using DEP - Apple Device Enrollment Program
Last adaption: 07.2020
- Devices can be assigned to an MDM with the help of the Device Enrollment Program
- When ordering with the DEP option at appropriate Apple dealers, the serial or order number is sufficient (Zero-Touch, suitable for larger quantities)
- afterwards using the Apple Configurator
(For this the device must be connected to a MAC)
- Profiles assigned to devices with DEP can no longer be removed on the device itself after a waiting period of 30 days, but only through the Securepoint Mobile Security Portal!
- DEP is a prerequisite for rolling out centrally purchased and licensed software to devices via VPP (Volume Purchase Program).
The following requirements are necessary:
- Registration at Apple Business Manager
or at Apple School Manager
This in turn requires a DUNS number. Granting and activation can take several days.
- For subsequent device registration: An Apple MAC with installed
Apple Configurator 2 (Free of charge in the App Store)
Establish connection to DEP (Device Enrollment Program)
The connection is done in three steps at Apple DEP-Token Update
1. download the Apple push certificate (*.pem file)
2. upload this certificate in the Apple Business Manager or Apple School Manager menu Settings
- ABM: If no corresponding MDM server has been created yet:
- <ABM: Selection of the corresponding MDM Server 30px ttt-point-mdm-Server-123456.sms
- <ABM: Download the dep token Load token (*.p7m file) in the Apple Business Manager or Apple School Manager in the menu
3. upload the *.p7m file in the dial window opened under point 1 in the Securepoint Mobile Security Portal. Finish with Done
DEP-Tokens do not have an expiry date and do not have to be renewed
Prepare new devices
- New devices must be purchased directly from Apple or a DEP registered dealer.
- The serial number of the devices is then stored at Apple for DEP.
- Devices can be sent directly to the device user.
- When the device is initialized, the MDM information and configuration are automatically loaded.
If the devices do not have a mobile data connection via mobile radio, the user must therefore provide an Internet connection himself once.
Prepare existing / used devices
In order to add existing devices to the DEP at a later date, they must be connected to a MAC and prepared with the Apple Configurator 2.
The device will be completely reset. All stored information will be lost!
- Connect the iPhone / iPad to the Mac and trust access through the Apple Configurator 2.
Select device with mouse click and configure by pressing the button Prepare.
- Selecting an MDM server
- Login to the device registration program with the credentials for the ABM
- Create or assign an organization that manages the device.
- Configuring the iOS Installation Wizard
- Enter the credentials for automatic registration
(at the Securepoint Mobile Security Portal).
- Start preparation
All devices (new devices as well as existing / used devices) must be added to the DEP in Apple Business Manager (ABM) or Apple School Manager (ASM).
Add devices to the DEP
- Login to Apple Business Manager or Apple School Manager with the registered credentials.
- Opening the Device Assignments menu
- Devices must be assigned to an MDM server in Apple Business Manager or Apple School Manager
1. select devices
- The serial number, the order number or a csv file with serial numbers for one or more devices is specified here.
2. select action
DEP devices in the Mobile Security Portal
Devices that have been added to the Device Enrollment Program (DEP) with the Apple Business Manager (ABM) or Apple School Manager (ASM) can be recognized in the Securepoint Mobile Security Portal by the abbreviation DEP in the first line of the device tile.
With the connection to DEP it is possible to use the Apple Volume Purchase Program (VPP).
Further notes in the article for Apple VPP Apps.
Login to the portal
The device is now displayed in the portal with the status not configured. The enrollment must be completed by clicking on the device tile.
For better identification, the device should be given an alias name:
a0a0 (4-digit ID) (in the upper part of the device tile)
There are two different installation options for the Securepoint Mobile Security App, which result in significant differences in administration:
|Owner BYOD||Standard functional range.
COPE (Corperate owned, Personal enabled)
With BYOD additionally:
|User||Device user from the user administration.|
The user cannot be changed afterwards for BYOD devices.
|agree||Accepting and saving the settings|
|Displays the updated properties.|
Error messages / Troubleshooting
|Unexpected error 33007||An unexpected error with "iphone" has occurred.
Provisional Enrollment failed.
Network communication error.
[MCCloudConfigErrorDomain - 0x80EF (33007)]
|The device is still managed by another MDM.||The device must be given a WiFi profile that can be accessed during the preparation process.|
|The device must be removed in the previous MDM before it can be reconfigured|
|Activation lock||"iphone" could not be activated.
The activation lock for the device may be activated. Continue on the device or use Finder to activate it and press "Retry".
|The device is still connected to an Apple account||On the device, the connection to the iTunes account must be removed ( Preferences -> iTunes & App Store)|
|At https://icloud.com / Find my iPhone the connection with the Apple-ID must be removed|