Jump to:navigation, search
Wiki







































































































De.png
Fr.png


Device enrollment using DEP - Apple Device Enrollment Program


New:


Last adaption: 07.2020



Informations

  • Devices can be assigned to an MDM with the help of the Device Enrollment Program
    • When ordering with the DEP option at appropriate Apple dealers, the serial or order number is sufficient (Zero-Touch, suitable for larger quantities)
    • afterwards using the Apple Configurator
      (For this the device must be connected to a MAC)
  • Profiles assigned to devices with DEP can no longer be removed on the device itself after a waiting period of 30 days, but only through the Securepoint Mobile Security Portal!
  • DEP is a prerequisite for rolling out centrally purchased and licensed software to devices via VPP (Volume Purchase Program).































Requirements

The following requirements are necessary:


MSP v1.5.3 Infos DEP-Token-en.png

Establish connection to DEP (Device Enrollment Program)

The connection is done in three steps at  account /  Infos / Apple DEP-Token Update
1. download the Apple push certificate (*.pem file)
2. upload this certificate in the Apple Business Manager or Apple School Manager menu Settings

  •  ABM: If no corresponding MDM server has been created yet:
  •  <ABM: Menu Settings/ Organization Settings / 30px Device Management Settings / 30px] Add MDM server
  •  ABM: MDM Server Name Unique name
  •  ABM: MDM Server Settings Select File: Upload the .*.pem file previously downloaded from the Securepoint Mobile Security Portal and Secure
  •  <ABM: Selection of the corresponding MDM Server 30px ttt-point-mdm-Server-123456.sms
  •  <ABM: Download the dep token ABM Token Icon.PNG Load token (*.p7m file) in the Apple Business Manager or Apple School Manager in the menu

3. upload the *.p7m file in the dial window opened under point 1 in the Securepoint Mobile Security Portal. Finish with  Done

DEP-Tokens do not have an expiry date and do not have to be renewed


Prepare devices

Prepare new devices

  • New devices must be purchased directly from Apple or a DEP registered dealer.
  • The serial number of the devices is then stored at Apple for DEP.
  • Devices can be sent directly to the device user.
  • When the device is initialized, the MDM information and configuration are automatically loaded.
  • These devices cannot be supplied with WiFi configurations by the factory.
    If the devices do not have a mobile data connection via mobile radio, the user must therefore provide an Internet connection himself once.

  • Prepare existing / used devices

    In order to add existing devices to the DEP at a later date, they must be connected to a MAC and prepared with the Apple Configurator 2.
    The device will be completely reset. All stored information will be lost!

    • Connect the iPhone / iPad to the Mac and trust access through the Apple Configurator 2.
      Select device with mouse click and configure by pressing the button MAC Einstellungen.png Prepare.
    • Selecting an MDM server
    • Login to the device registration program with the credentials for the ABM
    • Create or assign an organization that manages the device.
    • Configuring the iOS Installation Wizard
    • Enter the credentials for automatic registration
      (at the Securepoint Mobile Security Portal).
    • Start preparation



    All devices (new devices as well as existing / used devices) must be added to the DEP in Apple Business Manager (ABM) or Apple School Manager (ASM).

    Add devices to the DEP

    • Login to Apple Business Manager or Apple School Manager with the registered credentials.
    • Opening the Device Assignments menu
    • Devices must be assigned to an MDM server in Apple Business Manager or Apple School Manager
    1. select devices
    • The serial number, the order number or a csv file with serial numbers for one or more devices is specified here.
    2. select action
    • Section perform action
    • Click on Select ActionLink=
      • Server zuweisenLink=
    • Section: MDM Server
      • Click on select MDM serverLink=
      • Select the desired MDM serverLink=
    • With a click on the button Done the device is assigned to the server.

    [[Datei: |hochkant=2|mini|]]

    DEP devices in the Mobile Security Portal

    Devices that have been added to the Device Enrollment Program (DEP) with the Apple Business Manager (ABM) or Apple School Manager (ASM) can be recognized in the Securepoint Mobile Security Portal by the abbreviation DEP in the first line of the device tile.

    With the connection to DEP it is possible to use the Apple Volume Purchase Program (VPP).
    Further notes in the article for Apple VPP Apps.










































    Login to the portal

    The device is now displayed in the portal with the status not configured. The enrollment must be completed by clicking on the device tile.


    Device Alias

    For better identification, the device should be given an alias name:
    a0a0 (4-digit ID) (in the upper part of the device tile)

    Ownership Selection

    There are two different installation options for the Securepoint Mobile Security App, which result in significant differences in administration:

    Owner 'COPE
    • The following functions are additionally available in the device administration in the Mobile Security Portal:
      Localize Only available if the device has been registered in supervised mode.
    at: Operations  =>   Enable Lost Mode
      Clear password   at: Operations
      Wipe Data at: Operations  : Deletion of personal data

      Applications   Monitoring of installed apps, installation, deinstallation
    Owner BYOD Standard functional range.
    • no localization
    • No way to remove the local device password
    • No deletion of personal data
    • No control for installed apps


    Login

    Terms of License and Ownership
    Ownership Selection between
    COPE (Corperate owned, Personal enabled)

    BYOD (Bring‑Your‑Own‑Device)

    With BYOD additionally:

    User Device user from the user administration.

    The user cannot be changed afterwards for BYOD devices.
    Accept the terms of the license and privacy policy
      agree Accepting and saving the settings
    Displays the updated properties.




    Error messages / Troubleshooting

    Error Error message Cause Solution
    Unexpected error 33007 An unexpected error with "iphone" has occurred.
    Provisional Enrollment failed.
    Network communication error.
    [MCCloudConfigErrorDomain - 0x80EF (33007)]
    The device is still managed by another MDM. The device must be given a WiFi profile that can be accessed during the preparation process. Apple Configurator Fehler-33007.png
    The device must be removed in the previous MDM before it can be reconfigured
    Activation lock "iphone" could not be activated.
    The activation lock for the device may be activated. Continue on the device or use Finder to activate it and press "Retry".
    The device is still connected to an Apple account On the device, the connection to the iTunes account must be removed ( Preferences -> iTunes & App Store) Apple Configurator Fehler Aktivierungssperre.png
    At https://icloud.com / Find my iPhone the connection with the Apple-ID must be removed