The Device Enrollment Program (DEP) is part of the Apple Deployment Programs and provides administrators with a streamlined way to deploy multiple corporate owned iOS devices. Upon device activation, over-the-air configuration of the device is immediate and enrollment with the MDM server is automatic. There is no need for IT administrators to physically access each device to complete the setup. The benefits of this program are:
Zero-touch enrollment of devices to the MDM Server
Wireless supervision of devices
Enforce MDM Enrollment of devices
Lock MDM Profiles on the devices
Streamlined setup process
The procedure to enroll devices to the Apple Device Enrollment Program (DEP) using ZENworks is summarized in the following workflow. However, as a prerequisite, you need to first set up a DEP account and associate your sales information with it. For more information on setting up a DEP account, see the Apple Support Documentation.
NOTE:With the iOS 11.x release, you can associate any iOS 11.x device to an existing DEP account (even if these devices are not purchased directly from Apple or an Apple reseller) using the Apple Configurator tool. For more information on associating these devices using the Apple Configurator tool, see Enrolling existing devices to the Apple Device Enrollment Program for simplified provisioning with ZENworks.
To know more about the Apple Deployment Program, you can also watch the following videos to know more about the Apple Deployment Program:
IMPORTANT:If you are enrolling devices using Apple School Manager, ensure that the Device Manager role is assigned to your Apple School Manager account. For more information, see the Apple School Manager Help.
The workflow associated with enrolling DEP devices are as follows:
A DEP Server links the ZENworks MDM Server to the virtual MDM Server that you need to create in the DEP portal.
A ZENworks MDM Server can be linked to multiple virtual MDM Servers. However, a virtual MDM Server that is already linked with a ZENworks MDM Server, cannot be linked to another ZENworks MDM Server. The devices assigned to these virtual MDM Servers will enroll to the associated ZENworks MDM Server.
To add a DEP Server:
On the Modern Management > Getting Started > Managing iOS/iPadOS Devices page, click. Alternatively, navigate to > > > .
Clickto link a ZENworks MDM Server to your deployment program account.
Click the Browse icon, select an MDM Server and clickto download and save the Public Key certificate of the selected MDM Server.
Navigate toon the left pane of the page.
Clickin . Click on the right pane.
Specify a name for the DEP Server.
Upload the Public Key of the ZENworks MDM Server that you had saved earlier in thesection. Click .
Clickand download the token issued by Apple and click .
In ZCC, clickto upload the DEP token issued by Apple to the selected ZENworks MDM Server. This token enables the ZENworks MDM Server to securely connect with the Apple DEP web service.
Click. You have now created a DEP Server in ZCC.
You need to create at least one virtual MDM Server in the Apple portal before you begin assigning devices.
You can assign devices based on:
Serial Number: Specify each serial number separated by a comma.
Order Number: The quantity and type of devices are displayed.
Upload CSV File: Upload a comma-separated value (CSV) file that contains a list of device serial numbers.
Select the virtual MDM Server to which you want to assign the devices, in thedrop down menu.
NOTE:Only those devices that are assigned to the virtual MDM Server in the Apple portal are identified as DEP devices in ZCC. If a DEP enabled device is enrolled to ZENworks (using ZENworks User Portal) but is not assigned to the virtual MDM Server in the Apple portal, this device will not be identified as a DEP device.
After a DEP Server is configured in ZCC, ZENworks syncs with the Apple DEP web service and discovers assigned devices and populates the devices in ZCC. Subsequently, ZENworks initiates a periodic sync on a daily basis to update the latest device assignments. To perform this sync immediately, you can also click Viewing DEP Devices.on the Apple Device Enrollment Program page ( > > > ). To view the discovered devices in ZCC, see
To view the discovered devices, navigate to> >
On clicking a device, the following tabs are displayed:
This page provides a summary of the device’s general information.
Serial Number: Serial number of the device.
Model: Model of the device.
Description: Short description of the device.
Color: Color of the device model.
Asset Tag: Asset tag that is used by the organization to monitor a device.
Device Assigned Date: Date on which the device was assigned to the virtual MDM Server in the Apple portal.
Device Assigned By: Administrator who has assigned the device to the virtual MDM Server in the Apple portal.
Deployment Status: Enrollment status of the device. If the device is enrolled in ZENworks then the status is displayed as. If the device is discovered by ZENworks but not enrolled to the ZENworks MDM Server, then the status is displayed as .
MDM Server: ZENworks MDM Server to which the device will be enrolled.
DEP Server: DEP Server to which the device is associated.
User and Organization Details
Assigned User: User to whom the device is assigned. Only this user can enroll the device through DEP. To edit this field, you need to have Modify Apple DEP Device Rights assigned to you. This option is applicable for DEP enrollment only.
Organization Name: Name of the organization associated with the linked deployment program account.
Organization Phone Number: Phone number of the organization associated with the linked deployment program account.
Organization Address: Address of the organization associated with the linked deployment program account.
DEP Profile Details
Assignment Status: DEP profile assignment status. The various statuses are:
Assigned: DEP Profile assignment on the device is successful.
In Progress: DEP Profile assignment is in progress.
Failed: DEP Profile assignment to the device has failed.
Blocked: Device is blocked due to errors reported after three attempts to assign the profile. You need to contact Apple to resolve any issues with the device. Subsequently, to unblock the device you need to do the following:
Delete the device from the virtual MDM Server.
Clickon the Apple Device Enrollment Program page in ZCC, to remove the device from ZCC.
Assign the device back to the virtual MDM Server. Clickor wait for the periodic sync initiated by ZENworks, to populate the device in ZCC.
Device not accessible: Device is either disowned or is re-assigned to another virtual MDM Server.
Assignment Time: The time at which the profile was assigned to the device in the Apple portal.
Last Push Time: The time at which the profile was last pushed to the device by Apple during device enrollment.
This page lets you modify the DEP profile. For more information see, Managing the DEP Profile.
The settings that govern the enrollment process of a DEP enabled device is known as the DEP Profile. The DEP profile in ZCC is segregated as follows:
General and Skip Item Settings: Lets you modify the initial setup process of the device. For more information, see Editing General and Skip Item Settings.
Host Certificates: Lets you configure the certificate of the host device to allow pairing of devices. For more information, see Uploading a Host Certificate for Pairing.
On installing ZENworks Configuration Management (ZCM), a DEP profile with default values is assigned to thefolder ( > ). Subsequently, the discovered DEP devices that appear within this folder inherit the default profile. ZENworks lets you modify this DEP profile as per the needs of the organization. The profile can be modified at the folder level or for a specific device. The modified DEP profile will be applied on only those devices that are to be newly enrolled or are reset to their factory settings.
The updated profile is assigned to the devices in the Apple portal. Before the users begin enrolling their devices, ensure that the modified DEP profile is successfully assigned to the device in the Apple portal. View theof the device by navigating to > > .
The modified DEP profile is received by the device when the device is activated. Ensure that you do not modify the settings while the users are enrolling their devices. If the incorrect settings are assigned to the device, then a factory reset is required.
To edit the DEP profile atfolder level,
Navigate to> . Click next to the folder.
To edit the DEP profile for a specific device:
Navigate to> > > > . To override the DEP Profile settings configured at the folder level and to configure new settings, click . Click , to use the inherited settings.
General Settings: The general profile settings are as follows:
Allow pairing of devices with a host computer: Enables the user to pair a device. If set tothen the device can pair with any device. If set to , then the device can pair with only those host devices that have their certificate configured in the DEP Profile.
Set device as supervised: Enables supervision of devices. This setting is ignored on iOS 13 and later devices devices, as supervised mode is mandatory for these devices.
Allow user to remove the MDM profile from the device: Enables the user to remove the configured MDM profile. This setting is enabled if the device is set as Supervised.
NOTE:If the device is not Supervised, then the user has the option to remove the MDM profile. If the device is Supervised, it is recommended that you do not enable this setting, as devices cannot be managed if the MDM profile is removed.
Allow user to skip applying the MDM profile on the device: Enables the user to skip enrollment of the device with the MDM Server. This setting is ignored on iOS 13 and later devices devices, as DEP enrollment is mandatory for these devices.
Specify the support phone number displayed during enrollment: Displays the defined customer support phone number.
Specify the support email address displayed during enrollment: Displays the defined customer support email address.
Specify the department name displayed during enrollment: Displays the defined department or location name.
Specify the default language to be selected during enrollment: The specified language will be automatically selected during the enrollment of the device. You need to specify the language in either the two-letter ISO 639-1 format or the three-letter ISO 639-2 format. An example of these formats are as follows:
For more information, see http://www.loc.gov/standards/iso639-2/php/English_list.php.
Specify the default region to be selected during enrollment: The specified region will be automatically selected during the enrollment of the device. You need to specify the region in the two-letter ISO 3166-1 format, which is the capitalized region code representing a country. An example of this format is as follows:
For more information, see https://www.iso.org/obp/ui/#search.
NOTE:The defined phone number, email address, or department name, might not be displayed on some iOS devices.
Skip Item Settings: If selected, the following screens related to initial configuration settings are skipped:
Thescreen, which enables the user to create a passcode.
NOTE:If this screen is skipped, then Touch ID and Apple Pay cannot be specified.
Thescreen, which helps in determining the user’s current location.
Theoptions screen, which enables the user to restore data from backup.
Theoptions screen, which enables the user to migrate data from an Android device. This option will be disabled, if is selected.
Thescreen, which enables the user to specify the Apple ID.
Thescreen. If this option is selected, these Terms and Conditions are automatically accepted by the device.
Thescreen, which enables the user to use biometrics to unlock the device or authenticate to apps. Applicable for iPhone 5s, 6, 6+, iPad Air 2, and iPad Mini 3 only.
Thesetup screen, which enables the user to make digital payments. Applicable for iPhone 6, 6+, iPad Air 2, and iPad Mini 3 only.
Thescreen, which enables the user to use the standard or zoomed view of the device display. Applicable for iPhone 6 and 6+ only.
Thescreen, which enables the user to setup Siri.
Thescreen, which enables the user to send diagnostic data to Apple.
Theoptions screen, which enables the user to adjust the white balance on the device display. Applicable for devices that use the True Tone display feature such as iPad Pro.
Theoptions, which enables the user to specify how the Home button should be used. Applicable for devices that use the 3D touch-enabled Home button, such as iPhone 7.
Thescreen, which enables the user to specify the keyboard settings. Applicable on iOS 11.0 and later versions .
Thescreen, which contains onboarding informational screens. Applicable on iOS 11.0 and later versions .
Thescreen, which enables the user to migrate Apple Watch from the previous iPhone to the current device. Applicable on iOS 11.0 and later versions .
Thescreen that controls which apps can access information stored on the device. Applicable on iOS 12.0 and later versions .
Thescreen, which enables users to activate their phone number with iMessage or FaceTime.
Thescreen, which provides information on the time spent by users on their devices. Applicable on iOS 12.0 and later versions .
Thescreen, which enables users to install the latest software update. Applicable on iOS 12.0 and later versions .
Thescreen, which enables users to use aerial screensavers on Apple TV. Applicable for tvOS only.
Thescreen, which enables users to set up Apple TV using an iOS device. Applicable for tvOS only.
Thescreen, which enables users to set up Apple TV’s home screen layout. Applicable for tvOS only.
Thescreen, which enables users to sign-in to the TV provider. Applicable for tvOS only.
Thescreen. Applicable for tvOS only.
Thepane, which enables users to skip the Device to Device Migration pane. Applicable on iOS 13 and later versions .
Thepane, which enables users to skip the Add Cellular Plan pane. Applicable for iPhone XS, iPhone XS Max, iPhone XR.
Thepane, which enables users to skip the Get Started pane. Applicable on iOS 13 and later versions .
Thepane, which enables users to skip the Restore Completed pane. Applicable for iOS 14 and later versions and iPadOS.
Thepane, which enables users to skip the Software Update Complete pane. Applicable for iOS 14 and later versions and iPadOS.
The Editing General and Skip Item Settings, lets iOS devices pair with host devices through the feature called host pairing. If this option is set to then the device can pair with any host device. However, if this option is set to , then the device can pair with host devices that have their certificates configured in the DEP profile. This certificate should be configured in the DEP profile for the device to continue pairing with the host device.option appearing in the
To upload the certificate at folder level,
Navigate to> . Click next to the folder. Click .
To upload the certificate for a specific device:
Navigate to> > > > > .
On thepage, click and upload the certificate obtained using Apple Configurator. The certificate files should be in any one of the following formats:
To manage DEP devices using a Reverse Proxy server, Anchor certificates need to be configured. By default, ZENworks packages only a limited set of Anchor certificates with the DEP profile. Hence, in scenarios where a Reverse Proxy is used, more Anchor certificates need to be added.
To add Anchor certificates:
Place the CA certificate in the %ZENWORKS_HOME%/conf/security folder of the Primary Server. This CA is the issuer of the reverse proxy server’s SSL certificate.
Name the certificate as DEP-AdditionalCert.der.
Log into ZCC and navigate to.
(Conditional) If not already done, add the Primary Server as a DEP server.
Assign the iOS DEP device to the Primary Server in the Apple Device Enrollment Program (DEP) portal.
Configure the required DEP settings by navigating to.
NOTE:Every time the DEP-AdditionalCert.der certificate is replaced or changed, the DEP settings have to be modified and applied to make sure that the DEP profile is updated with the newly placed DEP-AdditionalCert.der certificate.
Unbox the DEP enabled iOS device, or erase the device if already enrolled, and then boot it up.
Complete the setup. The device is listed as a managed device in ZCC.
You can now enroll all the DEP devices and manage them using the Nginx Reverse Proxy Server.
A DEP device can be assigned to a specific user, which will restrict other users from enrolling the device using Apple DEP. However, the same device can be enrolled through the ZENworks User Portal using another user’s credentials. To ensure that the assigned user enrolls using Apple DEP only and not the ZENworks User Portal, disable the Editing General and Skip Item Settings.option appearing in the
To assign a user:
Navigate to> > .
Select a DEP device.
On the summary page, clicknext to the field and specify the user to whom the device should be assigned.
Enrolling a DEP device is simple for an end user, as you can enable the user to skip most of the device activation prompts by modifying the DEP profile.
Turn on the device and follow the setup prompts to enroll the device. After the user configures the Wi-Fi settings, log-in to the device with the user credentials. If the device is assigned to a specific user, then the credentials of only this user should be specified or else enrollment will fail.
After the device enrolls, you can view the Viewing Device Information The enrolled device object is also created within the folder ( > ) or in the appropriate folder as defined in the Mobile Enrollment Policy.of the device in ZCC, which should have changed from to . You can view this status on the device’s summary page. For more information, see
NOTE:Before re-enrolling a device, if the ownership (corporate or personal) is modified in the Mobile Enrollment Policy, the modified ownership is not applied on the re-enrolled device. The ownership defined during the initial phase of enrollment is considered.
A device that was enrolled using the ZENworks User Portal is being re-enrolled through Apple DEP using another user’s credentials, then ensure that the earlier device object is deleted in ZCC.
A token can be renewed in any of the following scenarios:
Token has expired
A certificate remint has taken place.
To renew a token:
Navigate to> > > .
Select a DEP Server and click.
NOTE:Theoption can be applied on only one DEP Server at a time. If multiple DEP Servers are selected, then this option will be disabled.
Clickto download and save the Public Key certificate of the selected MDM Server.
Clickand sign in using your Deployment Program account credentials. On this portal:
Navigate toon the left pane of the page.
On the left pane, click the MDM Server whose token you would like to renew.
Clickand upload the Public Key of the ZENworks MDM Server that you had saved earlier in the field within . Click .
Clickand download the token issued by Apple and click .
In ZCC, clickto upload the DEP token issued by Apple to the selected ZENworks MDM Server. This token enables the MDM Server to securely connect with the Apple DEP web service.
On removing the DEP Server from the ZENworks Management Zone, the DEP Profile from the associated devices are automatically unassigned. The Discovered devices are removed from the zone but the Managed devices will continue to be managed by the ZENworks MDM Server.
To remove the DEP Server from your ZENworks Management Zone:
Navigate to> > > .
NOTE:Before removing the DEP Server in ZCC, if you delete the virtual MDM Server in the Apple portal, then the associated DEP Server is not automatically deleted by ZENworks. As a best practice, we recommend that you remove the DEP Server in ZCC and then proceed to remove the virtual MDM Server.
You can re-assign devices to another virtual MDM Server (assuming that a DEP Server in ZCC already links ZENworks with this virtual MDM Server). After re-assignment, ZENworks deletes and creates a new discovered device object. If a device is re-ssigned:
The Assigned User of this device (if any) is reset.
The modified DEP Profile (if any) assigned to the device is reset and the new device object inherits the settings applied to the Apple DEP Devices folder.