
Device Enrolment Program for Dummies

  • Writer: Ed Curtis
  • Mar 31, 2017
  • 5 min read

In short, the Apple Device Enrolment Program (DEP) is Apple's solution for using iOS devices, or Macs for that matter, in business with a business-first, consumer-second mindset.

It features methods to make setting up devices with corporate data as simple as possible and to ensure they stay that way. It can restrict many of the consumer features that make businesses nervous, such as the dreaded Find My iPhone service, which we've seen cause so many headaches when an employee leaves an organisation and hands back a device that is locked to their personal Apple ID.

In conjunction with Apple's Volume Purchase Program (VPP), it can even deliver corporate-approved applications to devices without an Apple ID being registered on them at all.

Getting DEP up and running isn't quite as easy as Apple may have you believe, though, especially if you want to use the program with devices you already have deployed in the field, or that you've procured from different suppliers.

To start with, you cannot add devices to DEP yourself; this has to be done by an authorised Apple reseller. That could be Apple themselves if you purchased the devices from an Apple Store and have a business account with them; your telecom provider can also do it for devices they supplied you, and some telecom dealers have the ability as well. If you purchased them from a smaller IT supplier or a grey-market source such as Kogan, you're out of luck.

The reason is that the organisation adding a device to DEP on your behalf has to be explicitly trusted by both you and Apple. You are giving that organisation the right to force the device to link to a DEP account, which in turn can force the device to enrol with a Mobile Device Management (MDM) platform. That brings us to your second requirement: DEP only works alongside an MDM platform; it isn't one in its own right.

Should the organisation applying DEP decide to hijack all of the devices they have supplied you, they potentially could, and there is no way around it. That's why Apple's requirements to become a DEP Authorised Reseller are so stringent, and why only the supplier you procured the devices from can add them to DEP: nobody has the ability to add the serial numbers of devices they didn't supply.

I won't go into the requirements to enrol in the program itself; you can find those from Apple here: https://deploy.apple.com/qforms/open/register/index/avs

I'll assume at this point that you have applied to Apple for the DEP program, you're purchasing your devices from an authorised DEP reseller, and you have an MDM platform in place. Next you need to link all of the pieces together. The reseller needs your Apple DEP ID so they can link your serial numbers to it. You then need to link your Apple DEP ID to your MDM and create the enrolment profile, which determines what the device is and isn't allowed to do.

Supervision is the first thing on the list. It allows the MDM platform to control a lot of additional iOS features that it couldn't normally access, and is a must for anybody wishing to use DEP. Most importantly, this is the feature that allows your MDM to override the Find My iPhone / iPad service (and the Activation Lock that comes with it) should you need to.

Next is the ability to force the device to enrol into your MDM and prevent the user from removing management from the device. After all, what is the point of putting controls and restrictions in place if your staff can remove them at any point?

Then you have the choice of which steps in the Apple device setup wizard (the Setup Assistant) are shown: restore from backup, Apple ID, Touch ID, Siri, Apple Pay, etc. You can customise these as you wish, to the point where the user is only prompted to choose their setup language, connect to a Wi-Fi network and log in with their enrolment account, and the device is ready for use with no further prompts and fully managed by your MDM.
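To make the three settings above concrete, here is an added example (not code from the original article, nor from any MDM vendor) that builds the profile definition an MDM sends to Apple's DEP cloud service and then audits it for the weak settings discussed: no supervision, optional enrolment, or a management profile the user can remove. The field names follow the "Define Profile" request (POST /profile) of Apple's DEP API as documented in Apple's MDM Protocol Reference, but check them against the current specification; the MDM URL, support contact details and serial numbers are constructed placeholders.

```python
"""Build and audit an Apple DEP enrolment profile definition.

Added example, not part of the original article. Field names follow the
"Define Profile" request (POST /profile) of Apple's Device Enrollment
Program cloud service API; the MDM server URL, support contact details
and serial numbers are constructed placeholders.
"""
import json

# Setup Assistant panes the DEP profile may suppress (a subset of the
# documented skip_setup_items values).
SKIPPABLE_PANES = {
    "AppleID", "Biometric", "Diagnostics", "DisplayTone", "Location",
    "Passcode", "Payment", "Privacy", "Restore", "Siri", "TOS", "Zoom",
}


def build_dep_profile(mdm_url, serials, skip=(), supervised=True,
                      mandatory=True, removable=False):
    """Return the JSON body (as a dict) for a DEP 'Define Profile' request."""
    unknown = set(skip) - SKIPPABLE_PANES
    if unknown:
        raise ValueError(f"unknown skip_setup_items: {sorted(unknown)}")
    return {
        "profile_name": "Corporate iOS",
        "url": mdm_url,                    # MDM server the device must enrol with
        "is_supervised": supervised,       # supervision: extra restrictions, FMiP override
        "is_mandatory": mandatory,         # user cannot skip enrolment in Setup Assistant
        "is_mdm_removable": removable,     # False: user cannot remove the MDM profile
        "await_device_configured": True,   # hold Setup Assistant until the MDM releases it
        "skip_setup_items": sorted(skip),  # panes the user never sees
        "support_phone_number": "+61 2 0000 0000",   # constructed placeholder
        "support_email_address": "it@example.com",   # constructed placeholder
        "devices": list(serials),          # serials the reseller linked to your DEP ID
    }


def audit_dep_profile(profile):
    """Return a list of findings for settings that weaken the profile.

    An empty list means the profile enforces supervision, mandatory
    enrolment and non-removable management over an HTTPS MDM URL.
    """
    findings = []
    if not profile.get("is_supervised"):
        findings.append("is_supervised=false: MDM cannot use supervised-only restrictions")
    if not profile.get("is_mandatory"):
        findings.append("is_mandatory=false: user can skip MDM enrolment at setup")
    if profile.get("is_mdm_removable", True):
        findings.append("is_mdm_removable=true: user can remove management from Settings")
    if not profile.get("url", "").startswith("https://"):
        findings.append("url is not https: MDM enrolment URL must be served over TLS")
    return findings


if __name__ == "__main__":
    # Constructed sample: two serials, hide Restore and Apple ID panes so the
    # user only picks a language, joins Wi-Fi and logs in.
    good = build_dep_profile("https://mdm.example.com/enrol",
                             ["C02XX0000001", "C02XX0000002"],
                             skip=("Restore", "AppleID"))
    weak = build_dep_profile("http://mdm.example.com/enrol",
                             ["C02XX0000003"], mandatory=False, removable=True)
    print(json.dumps(good, indent=2))
    print("good profile findings:", audit_dep_profile(good))
    print("weak profile findings:", audit_dep_profile(weak))
```

The audit is the check worth running before the profile is pushed: the DEP portal will happily accept a profile with `is_mandatory` false or `is_mdm_removable` true, and a device set up under it looks enrolled until the user deletes the management profile from Settings.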

For any device you purchase from this point on, you simply ask the reseller to add it to your DEP account, and as soon as the device is turned on and connects to Apple during the setup wizard, the DEP profile in your MDM is applied.

What of your existing devices, though? Technically, any device Apple has supplied since mid-2011 can be linked with your DEP enrolment. Your first challenge is to identify where the device was supplied from, and this is where it often becomes too hard to figure out. In Australia it's quite common for businesses to switch from one telecom provider to another, so if you bought devices from Optus three years ago but are now with Telstra, you'll have to contact Optus to have the old devices enrolled in DEP.

You've also got the issue of devices that have been repaired. For example, let's say you purchased 20 iPads from Vodafone three years ago. Two of them broke over that time and your staff took them to an Apple Store to have them fixed. Apple supplied replacement devices and you've been using them ever since without any issues. The problem is that these two devices cannot be added to DEP by Vodafone, as Vodafone did not supply them. All is not necessarily lost, though: Apple have thought of this and link the old device serial numbers to the replacement serial numbers, so if you or Vodafone still have the original serial numbers, adding those to DEP will flow through to the replacement devices.

The next challenge is how you actually apply the DEP profile to the devices. Vodafone has added them, the devices are showing up in your Apple DEP portal, but they're still being used by staff with all of the features you have blocked with DEP, so what's going on?

DEP is only applied when a device runs the Apple setup wizard, so even though the devices are registered for DEP, they can't pick up the profile without going through the setup wizard again, and that means they need to be wiped. "OK, so I'll back up the device, enrol it in DEP and then restore the backup," you're thinking? Sorry, no can do. The reason is that when an iOS device is backed up, the serial number of the device making that backup is recorded within it. When that backup is restored, the serial number in the backup is compared to the device it's being restored to. If the two match, the device is effectively cloned back to its former state, including the state of having no DEP management.

There are a couple of ways to address this. First, don't restore a backup and instead set the device up from scratch. This isn't always the most popular solution, but it is the simplest. Second, swap out the device. This is the method most organisations take, often buying a few new devices to swap with existing ones, then bringing the old ones back in to wipe, update iOS and swap out with the next batch, and so on. This allows you to perform backups and restore data should you choose to do so, and has the least impact on end users.

Despite the pitfalls highlighted in this article, which often catch out organisations, the Device Enrolment Program is, simply put, the most comprehensive and easiest method of enrolling, controlling and protecting business data on Apple devices.

If you'd like advice or consultancy on how to integrate DEP with your business, reach out to us.
