Device Enrollment Program (DEP) – Admin & End User Benefits and Challenges

DEP, or the Device Enrollment Program, was announced by Apple in 2013, and rolled out in February 2014, to automate and simplify both enterprise and school bulk enrollment into Enterprise Mobility Management (EMM) environments. DEP empowers Apple, Apple authorized resellers, and carriers to register iOS, macOS, and tvOS devices with the EMM server so that devices automatically receive company policies and configurations when powered on from a reset or new state.

Benefits for Admins

  1. Easy deployment with streamlined enrollment of iOS, macOS, and tvOS devices without physically touching them. Administrators do not need to worry that end users will get stuck or confused by the steps to follow; the process is straightforward and easy to complete. For more details on this process, see the following Apple resource – Apple Business Manager.
  2. Over-the-air (OTA) supervision of Apple devices. Supervision is Apple’s marker for “corporate-owned”, and offers admins a wider range of management commands than is permitted on a regularly enrolled device. This ranges from applying extra restrictions and updating the device OS to silently pushing configuration items without any end user interaction. If you are an end user and want to find out whether your Apple device is supervised, see the following Apple Support article. Note that supervision is never appropriate for employee-owned, aka “BYOD”, devices.
  3. Prevent Activation Lock – supervised devices will no longer be locked to the Apple ID of a previous employee. For an admin, the most painful part of an employee leaving the company and returning company-owned assets is trying to reuse the Apple mobile devices they had: if the employee does not willingly sign out of their iCloud account, the device remains assigned to them and cannot be released unless you either contact the employee and ask them to remove it from their iCloud account, or take the purchase order directly to Apple to have it done. Either way, the wasted time is bad for you and for the employees waiting for the device. This is where supervision offers one of its greatest benefits, as supervised devices are not subject to Activation Lock. This means immediate reusability and a much better admin and end user experience.
  4. Easy to manage & retire process. Apple offers options within Apple Business Manager (ABM) to search based on the serial number to see which profile is assigned to the Apple device, and for Apple devices that are no longer in use it offers the option to disown the device.
    • Note that if you disown the device from the ABM console you will no longer have the possibility to add it back automatically. You can do this manually with Apple Configurator 2 however.
  5. Apple Business Manager or School Manager account – you can also administer the Volume Purchase Program (VPP) with this new ABM account. Apple has combined both the DEP and VPP corporate programs into the new ABM interface, so an admin no longer needs to manage two separate accounts, one for DEP and one for VPP. DEP is not required in order to deploy VPP applications, so as an admin you can still use only the part of ABM that is of interest to your organization, though keep in mind that supervision improves the VPP experience.

Benefits for End Users

  1. Easy EMM onboarding process with fast setup and enrollment for all corporate settings, policies and applications. You as an end user receive the mobile device, you power it on and within the setup assistant you need only to provide your registration token or user credentials to complete setup. Company policies, profiles and applications are automatically added to your new device.
  2. Unneeded setup screens can be removed from setup assistant so the process can be faster and the onboarding experience better.
  3. Users no longer see prompts when EMM installs new or updated apps. Who likes prompts?  
  4. Streamlined EMM enrollment has become more important with iOS 12.2, as Apple has added steps to the alternative, manual enrollment for unsupervised devices. For details see iOS 12.2 Changes the way EMM enrollments are performed.

Challenges

  1. Resellers need to add the serial numbers into DEP before shipping. If this is not done employees will not be able to follow the DEP process, and will need to onboard manually into the EMM system, or admins will need to use Apple Configurator to manually add the devices in DEP.
    • Note that macOS devices will constantly receive a nag or popup screen if the reseller adds the serial number afterwards, so there is actually a way to enforce DEP enrollment on them. There are also ways to force a DEP & EMM check-in – see Troubleshooting MDM.
    • There is no similar nag for iOS devices. They need to be factory reset in order to obtain supervision, whether the reseller adds the serial number after shipment or an admin uses Apple Configurator.
  2. Apple’s lack of SAML/OAuth in the Setup Assistant – employees need to use a device activation token or another means of authentication. This is probably the feature companies request most from Apple. It would simplify enrollment, as employees know their SSO credentials well and are used to them; they are not familiar with requesting a separate set of credentials used only for enrollment.
  3. DEP is not supported in every country. At this moment ABM is available in 64 countries, an improvement on DEP’s initial US-only availability, but still a limitation. The full list of countries is available here. As an EMM admin of a global company you may need two sets of instructions (enrollment guides, and such), which can create confusion. Even where DEP is technically available in a country, reseller support may be limited.
  4. Eligibility – all modern devices and OS versions are supported, but here’s a list in case you have older devices:
    • iOS devices with iOS 7 or later
    • macOS computers with OS X Mavericks 10.9 or later
    • tvOS devices (4th generation or later) with tvOS 10.2 or later

Generally speaking this is no longer an issue in 2019, but it was in the past.
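For the macOS case in challenge 1 above, where a Mac whose serial number was added to ABM only after shipment has to pick up its DEP assignment, here is an added shell helper (not from the article, and not an Apple tool) that classifies a Mac’s enrollment state and asks Apple for the current DEP record with `profiles renew -type enrollment`. The exact two output lines of `profiles status -type enrollment` are an assumption based on macOS 10.13.4 and later, and the sample output in the comments is constructed.

```shell
#!/bin/sh
# Added example: verify and refresh DEP/MDM enrollment state on a Mac.
# Requires the macOS `profiles` command-line tool (10.13.4 or later).

# classify_enrollment STATUS_TEXT
# STATUS_TEXT is the output of `profiles status -type enrollment`, which is
# assumed to look like this constructed sample:
#   Enrolled via DEP: Yes
#   MDM enrollment: Yes (User Approved)
# Prints one of: dep-mdm, dep-only, mdm-only, none
classify_enrollment() {
    dep=$(printf '%s\n' "$1" | sed -n 's/^Enrolled via DEP: *//p')
    mdm=$(printf '%s\n' "$1" | sed -n 's/^MDM enrollment: *//p')
    # "Yes (User Approved)" still counts as enrolled, hence the Yes* glob
    case "$dep" in Yes*) dep=yes ;; *) dep=no ;; esac
    case "$mdm" in Yes*) mdm=yes ;; *) mdm=no ;; esac
    if [ "$dep" = yes ] && [ "$mdm" = yes ]; then echo dep-mdm
    elif [ "$dep" = yes ]; then echo dep-only
    elif [ "$mdm" = yes ]; then echo mdm-only
    else echo none
    fi
}

# refresh_and_report: run on the Mac itself (needs an admin account for sudo).
# Renewing the enrollment record is what makes a Mac notice a DEP assignment
# that was added in ABM after the device shipped; on a DEP-assigned Mac this
# is followed by the "Device Enrollment" notification the article mentions.
refresh_and_report() {
    if ! command -v profiles >/dev/null 2>&1; then
        echo "profiles tool not found; run this on macOS 10.13.4 or later" >&2
        return 2
    fi
    sudo profiles renew -type enrollment
    state=$(classify_enrollment "$(profiles status -type enrollment)")
    echo "enrollment state: $state"
    case "$state" in
        dep-only) echo "DEP assigned but MDM not yet enrolled: accept the Device Enrollment notification or open System Preferences > Profiles" ;;
        mdm-only) echo "enrolled manually, no DEP record: confirm the serial number is in ABM, then renew again" ;;
        none)     echo "no DEP record and no MDM: check the serial in ABM or add the device with Apple Configurator" ;;
    esac
}
```

`sudo profiles show -type enrollment` prints the DEP configuration record itself (the assigned MDM server URL among other fields), which is the quickest way to confirm that ABM has the right MDM server assigned before you factory reset or renew.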

Apple has done a great job designing the DEP solution, combining it with VPP, and developing Apple Business Manager. As stated above, DEP is not required in order to deploy VPP apps, but it offers the enhancement to silently push VPP apps on supervised devices without the need for an Apple ID.

It has been a long journey with steady improvements: support in more countries, the option for resellers & carriers to sync data to the ABM console, and all while still keeping end user data on the mobile device secure and restricted from EMM admin access. The two things still missing which would make the DEP solution complete, from my point of view, are:

  1. Integration of SAML/OAuth within the setup assistant so the onboarding process would be smoother and offer the best user experience.
  2. ABM support of SAML for admins in order to make the portal access secure and easy.


iOS 12.2 Changes the way EMM enrolments are performed

Apple will soon release a change in the way non-DEP iOS devices are enrolled into EMM platforms. These changes were first tested in iOS 12.1.3 beta late last year and will soon be introduced in the iOS 12.2 public release.

Apple is making this change in iOS 12.2 “in order to improve the platform security by reducing misleading profile installations.”

This new workflow affects all EMM vendors and impacts the initial enrollment of BYOD devices in EMM. EMM vendors are working on providing explicit information within their applications and enrollment flows to make it as clear as possible what an end user needs to do. The main change is that the browser will no longer redirect an end user automatically to Settings in order to install an MDM profile; instead, end users need to do this manually by leaving the EMM app and navigating to Settings to install the downloaded profile. Installation is timed: the downloaded profile can only be installed within a limited window, after which it expires.

This change does not affect the enrolment of DEP-enabled iOS devices, only those enrolled manually to the EMM console.

In order to be prepared for this upcoming change you need to:

  1. Test the iOS 12.2 beta to see if you find any issues with this new workflow. At this time (February 20th) we are on iOS 12.2 beta 3.
  2. Get in touch with your EMM vendor to see what plans they have to change the wording in the application for a better user experience.
  3. Keep your end user documentation updated so users can navigate this change.
  4. Keep an eye open, or contact your Apple representative, for an official release date of iOS 12.2.

My take on this is that with this change Apple is improving the overall iOS platform security by:

  • Giving end users the option to “inspect the details of the profile and install it”
  • Automatically deleting uninstalled profiles after 8 minutes

These benefits come with a cost: organizations will face challenges with the BYOD enrollment process, so if an organization provides corporate-owned devices to its employees, it should seriously consider Apple Business Manager and DEP to avoid future complications.
