14.2 Enrolling devices using the Apple Device Enrollment Program

The Device Enrollment Program (DEP) is part of the Apple Deployment Programs and provides administrators with a streamlined way to deploy multiple corporate-owned iOS devices. Upon device activation, over-the-air configuration of the device is immediate and enrollment with the MDM server is automatic. There is no need for IT administrators to physically access each device to complete the setup. The benefits of this program are:

  • Zero-touch enrollment of devices to the MDM Server

  • Wireless supervision of devices

  • Enforce MDM Enrollment of devices

  • Lock MDM Profiles on the devices

  • Streamlined setup process

The procedure to enroll devices to the Apple Device Enrollment Program (DEP) using ZENworks is summarized in the following workflow. However, as a prerequisite, you need to first set up a DEP account and associate your sales information with it. For more information on setting up a DEP account, see the Apple Support Documentation.

NOTE: With the iOS 11.x release, you can associate any iOS 11.x device with an existing DEP account (even if these devices were not purchased directly from Apple or an Apple reseller) using the Apple Configurator tool. For more information on associating these devices using the Apple Configurator tool, see Enrolling existing devices to the Apple Device Enrollment Program for simplified provisioning with ZENworks.

NOTE: Enrollment of Apple TV devices using the Apple Device Enrollment Program is currently supported on an experimental basis. The enrollment of these devices is the same as enrolling a DEP-enabled iOS device.

You can also watch the following videos to know more about the Apple Deployment Program:

IMPORTANT: If you are enrolling devices using Apple School Manager, ensure that the Device Manager role is assigned to your Apple School Manager account. For more information, see the Apple School Manager Help.

The workflow associated with enrolling DEP devices is as follows:

14.2.1 Linking ZENworks to the Apple Deployment Programs Account

A DEP Server links the ZENworks MDM Server to the virtual MDM Server that you need to create in the DEP portal.

A ZENworks MDM Server can be linked to multiple virtual MDM Servers. However, a virtual MDM Server that is already linked with a ZENworks MDM Server cannot be linked to another ZENworks MDM Server. The devices assigned to these virtual MDM Servers will enroll to the associated ZENworks MDM Server.

To add a DEP Server:

  1. On the Getting Started with Mobile Management page, click Add DEP Server. Alternatively, navigate to Configuration > Management Zone Settings > Discovery and Deployment > Apple Device Enrollment Program.

  2. Click Add to link a ZENworks MDM Server to your deployment program account.

  3. Click the Browse icon, select an MDM Server and click Download to download and save the Public Key certificate of the selected MDM Server.

  4. Click the Apple Business Manager or the Apple School Manager portal and sign in using your DEP account credentials. On this portal:

    1. Navigate to Settings on the left pane of the page.

    2. Click Device Management Settings in Organization Settings. Click Add MDM Server on the right pane.

    3. Specify a name for the DEP Server.

    4. Upload the Public Key of the ZENworks MDM Server that you had saved earlier in the MDM Server Settings section. Click Next.

    5. Click Download Token and download the token issued by Apple and click Next.

  5. In ZCC, click Upload to upload the DEP token issued by Apple to the selected ZENworks MDM Server. This token enables the ZENworks MDM Server to securely connect with the Apple DEP web service.

  6. Click Add DEP Server. You have now created a DEP Server in ZCC.

14.2.2 Assigning Devices

You need to create at least one virtual MDM Server in the Apple portal before you begin assigning devices.

  1. Click the Apple Business Manager or the Apple School Manager portal and click Device Assignments on the left pane of the page.

  2. You can assign devices based on:

    • Serial Number: Specify each serial number separated by a comma.

    • Order Number: The quantity and type of devices are displayed.

    • Upload CSV File: Upload a comma-separated value (CSV) file that contains a list of device serial numbers.

    NOTE: Apple TV devices can be assigned using a serial number.

  3. Select the virtual MDM Server to which you want to assign the devices, in the Choose Action drop down menu.

  4. Click OK.

NOTE:Only those devices that are assigned to the virtual MDM Server in the Apple portal are identified as DEP devices in ZCC. If a DEP enabled device is enrolled to ZENworks (using ZENworks User Portal) but is not assigned to the virtual MDM Server in the Apple portal, this device will not be identified as a DEP device.

14.2.3 Syncing Devices

After a DEP Server is configured in ZCC, ZENworks syncs with the Apple DEP web service and discovers assigned devices and populates the devices in ZCC. Subsequently, ZENworks initiates a periodic sync on a daily basis to update the latest device assignments. To perform this sync immediately, you can also click Sync All on the Apple Device Enrollment Program page (Configuration > Management Zone Settings > Discovery and Deployment > Apple Device Enrollment Program). To view the discovered devices in ZCC, see Viewing DEP Devices.

14.2.4 Viewing DEP Devices

To view the discovered devices, navigate to Devices > Discovered > Apple DEP Devices.

On clicking a device, the following tabs are displayed:

Summary

This page provides a summary of the device’s general information.

  • Device Details

    • Serial Number: Serial number of the device.

    • Model: Model of the device.

    • Description: Short description of the device.

    • Color: Color of the device model.

    • Asset Tag: Asset tag that is used by the organization to monitor a device.

    • Device Assigned Date: Date on which the device was assigned to the virtual MDM Server in the Apple portal.

    • Device Assigned By: Administrator who has assigned the device to the virtual MDM Server in the Apple portal.

    • Deployment Status: Enrollment status of the device. If the device is enrolled in ZENworks then the status is displayed as Managed. If the device is discovered by ZENworks but not enrolled to the ZENworks MDM Server, then the status is displayed as Discovered.

  • Server Details

    • MDM Server: ZENworks MDM Server to which the device will be enrolled.

    • DEP Server: DEP Server to which the device is associated.

  • User and Organization Details

    • Assigned User: User to whom the device is assigned. Only this user can enroll the device through DEP. To edit this field, you need to have Modify Apple DEP Device Rights assigned to you. This option is applicable for DEP enrollment only.

    • Organization Name: Name of the organization associated with the linked deployment program account.

    • Organization Phone Number: Phone number of the organization associated with the linked deployment program account.

    • Organization Address: Address of the organization associated with the linked deployment program account.

  • DEP Profile Details

    • Assignment Status: DEP profile assignment status. The various statuses are:

      • Assigned: DEP Profile assignment on the device is successful.

      • In Progress: DEP Profile assignment is in progress.

      • Failed: DEP Profile assignment to the device has failed.

      • Blocked: Device is blocked due to errors reported after three attempts to assign the profile. You need to contact Apple to resolve any issues with the device. Subsequently, to unblock the device you need to do the following:

        • Delete the device from the virtual MDM Server.

        • Click Sync All on the Apple Device Enrollment Program page in ZCC, to remove the device from ZCC.

        • Assign the device back to the virtual MDM Server. Click Sync All or wait for the periodic sync initiated by ZENworks, to populate the device in ZCC.

      • Device not accessible: Device is either disowned or is re-assigned to another virtual MDM Server.

    • Assignment Time: The time at which the profile was assigned to the device in the Apple portal.

    • Last Push Time: The time at which the profile was last pushed to the device by Apple during device enrollment.

Settings

This page lets you modify the DEP profile. For more information see, Managing the DEP Profile.

14.2.5 Managing the DEP Profile

The settings that govern the enrollment process of a DEP-enabled device are known as the DEP Profile. The DEP profile in ZCC is segregated as follows:

On installing ZENworks Configuration Management (ZCM), a DEP profile with default values is assigned to the Apple DEP Devices folder (Devices > Discovered). Subsequently, the discovered DEP devices that appear within this folder inherit the default profile. ZENworks lets you modify this DEP profile as per the needs of the organization. The profile can be modified at the folder level or for a specific device. The modified DEP profile will be applied on only those devices that are to be newly enrolled or are reset to their factory settings.

The updated profile is assigned to the devices in the Apple portal. Before the users begin enrolling their devices, ensure that the modified DEP profile is successfully assigned to the device in the Apple portal. View the Assignment Status of the device by navigating to Devices > Discovered > Apple DEP Devices.

The modified DEP profile is received by the device when the device is activated. Ensure that you do not modify the settings while the users are enrolling their devices. If the incorrect settings are assigned to the device, then a factory reset is required.

To edit the DEP profile at Apple DEP Devices folder level,

  • Navigate to Devices > Discovered. Click Settings next to the Apple DEP Devices folder.

To edit the DEP profile for a specific device:

  • Navigate to Devices > Discovered > Apple DEP Devices > <Select a Device> > Settings. To override the DEP Profile settings configured at the folder level and to configure new settings, click Override. Click Revert, to use the inherited settings.

Editing General and Skip Item Settings

General Settings: The general profile settings are as follows:

  • Allow pairing of devices with a host computer: Enables the user to pair a device. If set to Yes, then the device can pair with any host computer. If set to No, then the device can pair with only those host devices that have their certificate configured in the DEP Profile.

  • Set device as supervised: Enables supervision of devices. This setting is ignored on iOS 13 and later devices, as supervised mode is mandatory for these devices.

  • Allow user to remove the MDM profile from the device: Enables the user to remove the configured MDM profile. This setting is enabled if the device is set as Supervised.

    NOTE: If the device is not Supervised, then the user has the option to remove the MDM profile. If the device is Supervised, it is recommended that you do not enable this setting, as devices cannot be managed if the MDM profile is removed.

  • Allow user to skip applying the MDM profile on the device: Enables the user to skip enrollment of the device with the MDM Server. This setting is ignored on iOS 13 and later devices, as DEP enrollment is mandatory for these devices.

  • Specify the support phone number displayed during enrollment: Displays the defined customer support phone number.

  • Specify the support email address displayed during enrollment: Displays the defined customer support email address.

  • Specify the department name displayed during enrollment: Displays the defined department or location name.

  • Specify the default language to be selected during enrollment: The specified language will be automatically selected during the enrollment of the device. You need to specify the language in either the two-letter ISO 639-1 format or the three-letter ISO 639-2 format. Examples of these formats are as follows:

    Language     ISO 639-1    ISO 639-2
    English      en           eng
    French       fr           fre
    German       de           ger

    For more information, see http://www.loc.gov/standards/iso639-2/php/English_list.php.

  • Specify the default region to be selected during enrollment: The specified region will be automatically selected during the enrollment of the device. You need to specify the region in the two-letter ISO 3166-1 format, which is the capitalized region code representing a country. Examples of this format are as follows:

    Region            ISO 3166-1
    United States     US
    United Kingdom    UK
    Australia         AU

    For more information, see https://www.iso.org/obp/ui/#search.

NOTE: The defined phone number, email address, or department name might not be displayed on some iOS devices.

Skip Item Settings: If selected, the following screens related to initial configuration settings are skipped:

  • The Passcode screen, which enables the user to create a passcode.

    NOTE: If this screen is skipped, then Touch ID and Apple Pay cannot be set up.

  • The Location Services screen, which helps in determining the user’s current location.

  • The Restore apps and data options screen, which enables the user to restore data from backup.

  • The Move from Android options screen, which enables the user to migrate data from an Android device. This option will be disabled, if Restore apps and data is selected.

  • The Apple ID screen, which enables the user to specify the Apple ID.

  • The Terms and Conditions screen. If this option is selected, these Terms and Conditions are automatically accepted by the device.

  • The Touch ID screen, which enables the user to use biometrics to unlock the device or authenticate to apps. Applicable for iPhone 5s, 6, 6+, iPad Air 2, and iPad Mini 3 only.

  • The Apple Pay setup screen, which enables the user to make digital payments. Applicable for iPhone 6, 6+, iPad Air 2, and iPad Mini 3 only.

  • The Display Zoom screen, which enables the user to use the standard or zoomed view of the device display. Applicable for iPhone 6 and 6+ only.

  • The Siri screen, which enables the user to setup Siri.

  • The Diagnostics screen, which enables the user to send diagnostic data to Apple.

  • The Display Tone options screen, which enables the user to adjust the white balance on the device display. Applicable for devices that use the True Tone display feature such as iPad Pro.

  • The Home Button Sensitivity options, which enables the user to specify how the Home button should be used. Applicable for devices that use the 3D touch-enabled Home button, such as iPhone 7.

  • The Keyboard screen, which enables the user to specify the keyboard settings. Applicable on iOS 11.0 and later versions.

  • The Onboarding screen, which contains onboarding informational screens. Applicable on iOS 11.0 and later versions.

  • The Watch Migration screen, which enables the user to migrate Apple Watch from the previous iPhone to the current device. Applicable on iOS 11.0 and later versions.

  • The Privacy screen, which controls which apps can access information stored on the device. Applicable on iOS 12.0 and later versions.

  • The iMessage and FaceTime screen, which enables users to activate their phone number with iMessage or FaceTime.

  • The Screen Time screen, which provides information on the time spent by users on their devices. Applicable on iOS 12.0 and later versions.

  • The Mandatory software update screen, which enables users to install the latest software update. Applicable on iOS 12.0 and later versions.

  • The Screensaver screen, which enables users to use aerial screensavers on Apple TV. Applicable for tvOS only.

  • The Touch to Setup screen, which enables users to set up Apple TV using an iOS device. Applicable for tvOS only.

  • The Home Screen Sync screen, which enables users to set up Apple TV’s home screen layout. Applicable for tvOS only.

  • The TV Provider Sign in screen, which enables users to sign-in to the TV provider. Applicable for tvOS only.

  • The Where is this Apple TV? screen. Applicable for tvOS only.

  • The Device to Device Migration pane. Applicable on iOS 13 and later versions.

  • The SIM Setup pane, which skips the Add Cellular Plan pane. Applicable for iPhone XS, iPhone XS Max, and iPhone XR.

  • The Welcome pane, which skips the Get Started pane. Applicable on iOS 13 and later versions.
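The general and skip-item settings above interact in ways the page calls out one at a time: a supervised device whose MDM profile the user may remove, a user who may skip the MDM profile, pairing with any host, the Passcode/Touch ID/Apple Pay dependency, Move from Android being disabled by Restore apps and data, and the ISO language and region formats. The following Python script is an added example, not ZENworks or Apple code, that checks one profile against all of those rules at once and contrasts a weak profile with a corrected one. The dict keys, the finding codes and both sample profiles are constructed for this example; the option wording follows the settings listed on this page.

```python
"""Lint a DEP profile for the conflicting or weak settings described in the
Editing General and Skip Item Settings section.

Added example, not ZENworks or Apple code. The option wording follows this
page; the dict keys, finding codes and the two sample profiles are constructed
for this example and are not a ZENworks or DEP web-service format.
"""
import re

ISO_639 = re.compile(r"^[a-z]{2,3}$")   # two letters (639-1) or three (639-2)
ISO_3166_1 = re.compile(r"^[A-Z]{2}$")  # capitalised two-letter region code


def lint_dep_profile(profile):
    """Return (code, message) findings for one DEP profile dict.

    Keys (constructed): supervised, mdm_removable, allow_skip_mdm,
    allow_any_host_pairing (bool); host_certs (list); language, region (str);
    skip_items (set of Skip Item screen names as worded on this page).
    """
    findings = []
    skip = set(profile.get("skip_items", ()))

    # A supervised device whose MDM profile the user may remove cannot be
    # managed once the profile is gone; the page advises against this.
    if profile.get("supervised") and profile.get("mdm_removable"):
        findings.append(("MDM_REMOVABLE",
                         "supervised device lets the user remove the MDM profile"))

    # Allowing the user to skip the MDM profile lets the device bypass DEP
    # enrollment (and the assigned-user restriction) via the User Portal.
    if profile.get("allow_skip_mdm"):
        findings.append(("SKIP_MDM_ALLOWED",
                         "user may skip applying the MDM profile during setup"))

    # Host pairing: Yes pairs with any host computer; No needs host certificates.
    if profile.get("allow_any_host_pairing"):
        findings.append(("ANY_HOST_PAIRING",
                         "device may pair with any host computer"))
    elif not profile.get("host_certs"):
        findings.append(("NO_HOST_CERTS",
                         "pairing restricted but no host certificate uploaded"))

    # Skipping the Passcode screen means Touch ID and Apple Pay cannot be set
    # up, so those screens should be skipped as well.
    if "Passcode" in skip and not {"Touch ID", "Apple Pay"} <= skip:
        findings.append(("PASSCODE_SKIPPED",
                         "Passcode skipped: Touch ID and Apple Pay screens cannot complete"))

    # Move from Android is disabled once Restore apps and data is skipped.
    if {"Move from Android", "Restore apps and data"} <= skip:
        findings.append(("ANDROID_SKIP_REDUNDANT",
                         "Move from Android is already disabled by Restore apps and data"))

    if not ISO_639.match(profile.get("language", "")):
        findings.append(("BAD_LANGUAGE", "language must be an ISO 639-1/639-2 code"))
    if not ISO_3166_1.match(profile.get("region", "")):
        findings.append(("BAD_REGION", "region must be a capitalised ISO 3166-1 code"))
    return findings


# Constructed sample profiles: one with the weak choices, one corrected.
WEAK_PROFILE = {
    "supervised": True, "mdm_removable": True, "allow_skip_mdm": True,
    "allow_any_host_pairing": True, "host_certs": [],
    "language": "English", "region": "us",
    "skip_items": {"Passcode", "Move from Android", "Restore apps and data"},
}
HARDENED_PROFILE = {
    "supervised": True, "mdm_removable": False, "allow_skip_mdm": False,
    "allow_any_host_pairing": False, "host_certs": ["corp-mac-host.cer"],
    "language": "en", "region": "US",
    "skip_items": {"Apple ID", "Restore apps and data"},
}


def finding_codes(profile):
    """Convenience: just the finding codes, in the order they were raised."""
    return [code for code, _ in lint_dep_profile(profile)]


if __name__ == "__main__":
    for name, prof in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, finding_codes(prof))
```

Run the lint over the folder-level profile before users start activating devices: a profile that fails these checks is received by the device at activation, and the page notes that wrong settings can only be undone with a factory reset.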

Uploading a Host Certificate for Pairing

The Allow pairing of devices with a host computer option appearing in the Editing General and Skip Item Settings lets iOS devices pair with host devices through the feature called host pairing. If this option is set to Yes, then the device can pair with any host device. If this option is set to No, then the device can pair only with host devices whose certificates are configured in the DEP profile, so each such host's certificate must be uploaded to the DEP profile for pairing to continue.

To upload the certificate at folder level,

  • Navigate to Devices > Discovered. Click Settings next to the Apple DEP Devices folder. Click Host Certificates.

To upload the certificate for a specific device:

  • Navigate to Devices > Discovered > Apple DEP Devices > <Select a Device> > Settings > Host Certificates.

On the Host Certificates page, click Add and upload the certificate obtained using Apple Configurator. The certificate files should be in any one of the following formats:

  • .CER

  • .CRT

  • .DER

  • .PEM

Adding Anchor Certificates to Manage DEP Devices Using a Reverse Proxy

To manage DEP devices using a Reverse Proxy server, Anchor certificates need to be configured. By default, ZENworks packages only a limited set of Anchor certificates with the DEP profile. Hence, in scenarios where a Reverse Proxy is used, more Anchor certificates need to be added.

To add Anchor certificates:

  1. Place the CA certificate in the %ZENWORKS_HOME%/conf/security folder of the Primary Server. This CA is the issuer of the reverse proxy server’s SSL certificate.

  2. Name the certificate as DEP-AdditionalCert.der.

  3. Log into ZCC and navigate to Configuration > Discovery and Deployment > Apple Device Enrollment Program.

  4. (Conditional) If not already done, add the Primary Server as a DEP server.

  5. Assign the iOS DEP device to the Primary Server in the Apple Device Enrollment Program (DEP) portal.

  6. Configure the required DEP settings by navigating to Devices > Discovered > Apple DEP Devices (settings) > General and Skip Setup Item Settings.

    NOTE: Every time the DEP-AdditionalCert.der certificate is replaced or changed, the DEP settings have to be modified and applied to make sure that the DEP profile is updated with the newly placed DEP-AdditionalCert.der certificate.

  7. Unbox the DEP enabled iOS device, or erase the device if already enrolled, and then boot it up.

  8. Complete the setup. The device is listed as a managed device in ZCC.

You can now enroll all the DEP devices and manage them using the Nginx Reverse Proxy Server.
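Both the host-pairing certificates (Uploading a Host Certificate for Pairing, accepted as .CER, .CRT, .DER or .PEM) and the DEP-AdditionalCert.der anchor certificate above are certificate files whose extension does not say whether the bytes inside are PEM or DER; a .CER exported as PEM but dropped in as DEP-AdditionalCert.der, or a truncated download, only shows up later as a device that cannot complete enrollment. The following Python script is an added example, not ZENworks code, that normalises either encoding to DER and checks the outer ASN.1 SEQUENCE length against the file size using only the standard library. The sample blobs are constructed stand-ins, not real certificates.

```python
"""Sanity-check a certificate file before uploading it as a host-pairing
certificate (.CER/.CRT/.DER/.PEM) or placing it as DEP-AdditionalCert.der.

Added example, not ZENworks code; standard library only. A PEM file is
base64-decoded, anything else is taken as DER, and the outer ASN.1 SEQUENCE
length is compared with the byte count so a truncated, doubly-encoded or
mis-named file is caught before a device fails to enrol against it.
"""
import base64
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def to_der(data: bytes) -> bytes:
    """Return DER bytes for a PEM- or DER-encoded certificate file."""
    m = PEM_BLOCK.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()), validate=True)
    return data


def der_sequence_length(der: bytes) -> int:
    """Decode the outer SEQUENCE header and return the total encoded size."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (expected tag 0x30)")
    first = der[1]
    if first < 0x80:                 # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                 # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length header")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_certificate(data: bytes) -> bytes:
    """Return the DER bytes if the file is well-formed, else raise ValueError."""
    der = to_der(data)
    expected = der_sequence_length(der)
    if expected != len(der):
        raise ValueError(
            f"DER length mismatch: header says {expected} bytes, got {len(der)}")
    return der


def encoding_of(data: bytes) -> str:
    """Report which of the two encodings a file really uses."""
    return "PEM" if PEM_BLOCK.search(data) else "DER"


# Constructed samples: a minimal SEQUENCE (not a real certificate) in both
# encodings, a long-form-length SEQUENCE, and a truncated copy of it.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER) + b"\n-----END CERTIFICATE-----\n")
SAMPLE_LONG = b"\x30\x82\x01\x00" + b"\x00" * 256
SAMPLE_TRUNCATED = SAMPLE_LONG[:-1]

if __name__ == "__main__":
    for name, blob in (("pem", SAMPLE_PEM), ("der", SAMPLE_DER),
                       ("long", SAMPLE_LONG), ("truncated", SAMPLE_TRUNCATED)):
        try:
            print(name, encoding_of(blob), len(check_certificate(blob)), "bytes OK")
        except ValueError as err:
            print(name, "REJECTED:", err)
```

Read the file you are about to upload with open(path, "rb") and pass the bytes to check_certificate; for DEP-AdditionalCert.der, write the returned DER bytes back out so the file in %ZENWORKS_HOME%/conf/security is DER regardless of how the CA exported it.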

14.2.6 Assigning Users

A DEP device can be assigned to a specific user, which will restrict other users from enrolling the device using Apple DEP. However, the same device can be enrolled through the ZENworks User Portal using another user’s credentials. To ensure that the assigned user enrolls using Apple DEP only and not the ZENworks User Portal, disable the Allow user to skip applying the MDM profile on the device option appearing in the Editing General and Skip Item Settings.

To assign a user:

  1. Navigate to Devices > Discovered > Apple DEP Devices.

  2. Select a DEP device.

  3. On the summary page, click Edit next to the Assigned User field and specify the user to whom the device should be assigned.

14.2.7 Enrolling a DEP Device

Enrolling a DEP device is simple for an end user, as you can enable the user to skip most of the device activation prompts by modifying the DEP profile.

Turn on the device and follow the setup prompts to enroll the device. After configuring the Wi-Fi settings, log in to the device with the user credentials. If the device is assigned to a specific user, only that user's credentials can be specified; otherwise enrollment fails.

After the device enrolls, you can view the Deployment Status of the device in ZCC, which should have changed from Discovered to Managed. You can view this status on the device's summary page. For more information, see Viewing Device Information. The enrolled device object is also created within the Mobile Devices folder (Devices > Mobile Devices) or in the appropriate folder as defined in the Mobile Enrollment Policy.

NOTE: Before re-enrolling a device, if the ownership (corporate or personal) is modified in the Mobile Enrollment Policy, the modified ownership is not applied on the re-enrolled device. The ownership defined during the initial phase of enrollment is considered.

If a device that was enrolled using the ZENworks User Portal is being re-enrolled through Apple DEP using another user's credentials, ensure that the earlier device object is deleted in ZCC.

14.2.8 Renewing a DEP Token

A token can be renewed in any of the following scenarios:

  • Token has expired

  • A certificate remint has taken place.

To renew a token:

  1. Navigate to Configuration > Management Zone Settings > Discovery and Deployment > Apple Device Enrollment Program.

  2. Select a DEP Server and click Renew Token.

    NOTE: The Renew Token option can be applied on only one DEP Server at a time. If multiple DEP Servers are selected, then this option will be disabled.

  3. Click Download to download and save the Public Key certificate of the selected MDM Server.

  4. Click Deployment Program Web Portal and sign in using your Deployment Program account credentials. On this portal:

    1. Navigate to Settings on the left pane of the page.

    2. On the left pane, click the MDM Server whose token you would like to renew.

    3. Click Edit and upload the Public Key of the ZENworks MDM Server that you had saved earlier in the Upload New field within MDM Server Settings. Click Apply.

    4. Click Download Token and download the token issued by Apple and click Done.

  5. In ZCC, click Upload to upload the DEP token issued by Apple to the selected ZENworks MDM Server. This token enables the MDM Server to securely connect with the Apple DEP web service.

  6. Click Renew.

14.2.9 Removing a DEP Server

On removing the DEP Server from the ZENworks Management Zone, the DEP Profile is automatically unassigned from the associated devices. The Discovered devices are removed from the zone, but the Managed devices continue to be managed by the ZENworks MDM Server.

To remove the DEP Server from your ZENworks Management Zone:

  1. Navigate to Configuration > Management Zone Settings > Discovery and Deployment > Apple Device Enrollment Program.

NOTE: Before removing the DEP Server in ZCC, if you delete the virtual MDM Server in the Apple portal, then the associated DEP Server is not automatically deleted by ZENworks. As a best practice, we recommend that you remove the DEP Server in ZCC and then proceed to remove the virtual MDM Server.

14.2.10 Re-assigning Devices

You can re-assign devices to another virtual MDM Server (assuming that a DEP Server in ZCC already links ZENworks with this virtual MDM Server). After re-assignment, ZENworks deletes the existing discovered device object and creates a new one. If a device is re-assigned:

  • The Assigned User of this device (if any) is reset.

  • The modified DEP Profile (if any) assigned to the device is reset and the new device object inherits the settings applied to the Apple DEP Devices folder.