
7 Questions Answered about AirWatch & the Device Enrollment Program from Apple

Welcome to the VMware AirWatch Blog and thanks for reading “7 Questions Answered about AirWatch & the Device Enrollment Program from Apple.” This blog is from 2014, so while it still has some really valuable information, here are some newer resources that you might like:

Now, back to the original blog!

What is the Device Enrollment Program from Apple?

The Device Enrollment Program from Apple is designed to help enterprises and educational institutions simplify the MDM enrollment process for IT departments and end-users. The Device Enrollment Program enables enterprises to automatically install MDM profiles onto devices during the initial device setup process as well as supervise iOS devices over-the-air. Prior to the Device Enrollment Program, in order to supervise a device, it had to be tethered via USB to a computer running Apple Configurator. Learn more with Apple’s Device Enrollment Program guide.


What business challenge does the Device Enrollment Program help address?

The Device Enrollment Program solves several critical requirements for corporate-owned devices. Enterprises can now install non-removable MDM profiles. A major concern for IT is the ability for the user to remove MDM from their corporate iOS devices.

Administrators now have more control over devices in supervised mode. Prior to the Device Enrollment Program, administrators had to connect devices via USB to a master Mac to supervise them. Once a device was connected, the device could be placed under supervision through Apple Configurator. Now, with the Device Enrollment Program, devices can be placed into supervised mode over-the-air (OTA) through the AirWatch administrative console.

Since MDM enrollment begins during the initial device setup, enterprises can skip certain setup options entirely and even require end-users to enroll the device. By making enrollment into MDM part of the device setup, the Device Enrollment Program simplifies the entire enrollment process, making it easy for non-tech-savvy end-users to enroll into MDM. For example, students given a school-owned device can simply unbox the device and complete the setup process to enroll into MDM.

What role does AirWatch play in Apple’s Device Enrollment Program?

AirWatch integrates seamlessly with the Device Enrollment Program to provide streamlined enrollment and management benefits. AirWatch allows organizations to automatically import devices into AirWatch directly from your Apple order history. Through AirWatch, administrators can easily configure different settings and apply them to different devices depending on the use case.

AirWatch also enables the following through the Device Enrollment Program:

  • Support for staging workflows
  • Automatically assign ownership types to different devices
  • Pre-assign devices to users and groups to bypass authentication and automatically organize devices
  • Full support for other standard device lifecycle and MDM features


How can I join the Device Enrollment Program from Apple?

In order to enroll in the Device Enrollment Program, IT must register your organization’s information with the Apple Device Enrollment Program by navigating to https://deploy.apple.com and creating an account. From there, you can configure your devices for enrollment through the AirWatch administrative console.

Note: To find out if your devices are eligible for the Device Enrollment Program, please refer to the following guide or contact your Apple representative: Apple’s Device Enrollment Program guide.

What are the end-user benefits with the Device Enrollment Program from Apple?

For end-users, MDM enrollment now becomes a familiar user experience and part of the initial device setup. In addition, the Device Enrollment Program drastically reduces the number of post-enrollment steps through the use of silent application installations. Administrators can also easily customize prompts or eliminate setup steps during enrollment to fit their organization’s needs.

What are IT benefits?

For IT, manually enrolling thousands of devices is time-consuming. However, now with automated enrollment during the device’s setup, end-users can simply enroll into MDM as soon as the device is taken out of the box. With the Device Enrollment Program, the need for a staging or provisioning process can be completely eliminated and devices can be sent directly to end-users. The Device Enrollment Program enables IT to easily leverage the advanced capabilities of supervision without the need to physically tether a device to a master computer running Apple Configurator – supervision can be turned on with the click of a button OTA. IT also benefits from the avoided risks associated with unmanaged devices. With the Device Enrollment Program, IT can leverage un-removable MDM profiles and even require devices to re-enroll after being wiped or reset.


What do I do if I currently use Apple Configurator?

Organizations that currently use Apple Configurator can choose to transition to the Device Enrollment Program if they desire. However, Apple does not allow organizations to supervise a device with Configurator if that device is registered to a Device Enrollment Program profile. Devices that were previously enrolled into AirWatch MDM with Apple Configurator can be wiped and re-enrolled into the Device Enrollment Program. However, a device should only be given a Device Enrollment Program profile if an organization plans to start enrolling devices through the program.


Scott Solomon


Scott Solomon is an Atlanta native and University of Georgia graduate who has spent the past six years studying technology, though his passion for the subject has been lifelong.

Comment

  1. Ben Toms

    Hi Scott,

    What version console will we need to support this?

    Also, as it’s currently US only.. Any idea when this will be available elsewhere?

  2. Chris Marshall

    Hi, this sounds great.
    Are any of these features available without using DEP as it’s not available in the UK yet.

    Is it possible to supervise over the air, devices not enrolled to the DEP for example?

    1. Scott Solomon (Post author)

      Hi Chris, thank you for reading and for your comment. Currently, none of these features are available outside of DEP and there are no other available options for over-the-air supervision outside of DEP at this time.

  3. Eric

    Scott, a question in regards to the last point about currently supervised devices.
    We have ~500 devices configured and supervised by Apple Configurator and live in the field. Is there an advantage to moving those devices to the DEP program, or would we be better served to just use DEP on devices moving forward and having a mix of DEP and Configurator supervised devices?

    1. Scott Solomon (Post author)

      Hi Eric, I spoke with one of our product managers and she provided the following answer: If you are interested in taking advantage of the DEP features, such as preventing the removal of the MDM profile and requiring enrollment in order to activate a device, then you would want to migrate those devices to use DEP. Before doing this, contact Apple to make sure your current devices are eligible to register in the program.

      If these features are not of priority for your organization, then it is not a problem. AirWatch is capable of supporting both non-DEP and DEP devices at the same time.

  4. Todd Friedmar

    Hi Scott, the new program will be a great complement to MDM. I haven’t heard anything about how the Apple IDs will be associated with the devices. Can Apple apply a list of Apple IDs and enroll them or will this still be a manual process? In an Enterprise rollout, we have a large number of shared devices in Retail that will need to have a corporate Apple ID so that we can load the AirWatch agent and other public apps. Is this being addressed by Apple? Is there a way to get a custom AirWatch Agent, so we don’t have to enroll through the Public Catalog?

    Thanks,

    Todd

    1. Scott Solomon (Post author)

      Hi Todd, thank you for your comment. The Apple ID policy remains the same. At the most, Apple requires one Apple ID per every 10 devices. With DEP, the enrollment process is streamlined so once a device is registered with Apple and the DEP profile is applied to the device in the AirWatch console, enrollment is part of the setup process on the device. During activation, MDM enrollment will be an option in Apple’s setup assistant, just like selecting a language or turning on location services. If you’d like to require your users to enroll into MDM, a profile can be put on the device that makes it impossible to use the device unless the end-user enrolls into MDM. If you are using DEP to enroll your devices, then you do not need to enroll them through the AirWatch Agent in the App Catalog – it happens automatically during the device’s initial setup.

    1. Scott Solomon (Post author)

      Hi Bob, thank you for your comment. If the device has been enrolled into MDM through the Device Enrollment Program, then you can supervise the device over-the-air. If it currently is not enrolled in the program then you must tether the device to a workstation and supervise it via Apple Configurator.

  5. Jim Shellhamer

    Can past orders of iPads, that are not supervised but managed by AirWatch, be incorporated into the Device Enrollment Program?
    Also, can the supervision profile be configured to not prompt for any setup screens, but still have the settings chosen by the administrator?

    1. Scott Solomon (Post author)

      Thank you Jim for reading and for your comment. Yes, devices up to three years old can be enrolled into the program – you can learn more about eligible devices via the Device Enrollment Program Guide. The screens that can be skipped during the Setup Assistant are: Passcode, Location Services, Restoring from Backup, Sign in with Apple ID and iCloud, Terms of Use and Conditions, Siri, Diagnostics. However, setting any of them to “Skip” in the AirWatch console defaults the setting to disabled on the device.

  6. Eizy Meizy

    Hi! Thanks for a good article. If we don’t use the Device Enrollment Program (DEP), but are using Apple Configurator and want to use device supervision features with AirWatch: Can we enable device supervision with Apple Configurator once and then supervision stays on? Or is the device supervised only as long as it is connected through USB? Sorry if this is a stupid question, but we don’t have DEP in our country.

  7. Kyle Schroeder

    Hi Scott,
    We will be starting in with DEP soon and trying to integrate into our various AW environments. Do you know if you can require 2-factor enrollment via DEP, or if you are limited to single-factor only (assuming username/password for LDAP-sourced users)? Our standard self-service enrollment sends users their enrollment token after they register in the SSP and they need that second factor (i.e. they have access to their company email to read the token) and what they know (their username/password) to get enrolled.
    Thanks,
    Kyle

    1. Maddie Cook

      Hi Kyle,

      Since Apple’s DEP enrollment protocol only supports username/password for authentication, the token-based, two-factor enrollment is not currently available for DEP devices.

      However, it’s worth discussing internally within your company to see if this is still a hard requirement for DEP enabled devices.

      Technically, DEP authentication could be considered two-factor authentication, since the device serial number is used to identify the device with the Apple DEP servers before the user is prompted to authenticate.

      While this would require a process change and a configuration change, it may be worth exploring this option to simplify your enrollment process for DEP devices while still supporting a level of two-factor authentication. If you have more questions or concerns, please contact Support and myAirWatch.

      Thanks,

      Maddie

  8. Ray Yanez

    I just wanted to try and get some clarification around Apple’s DEP. So I currently have about 4,000 iOS devices (iPads/iPhones) in our environment. I am currently using AirWatch as my MDM.

    If I sign up with the DEP, do I have the ability to go back to these devices and enroll them into the DEP in order to have non-removable MDM profiles installed? Or am I out of luck? We did NOT purchase these directly from Apple, and work through a 3rd party supplier/provisioner for all our devices.

    If I am out-of-luck, does anyone know of a way (a tool) to somehow profile our devices so they are known as our devices in the event of being lost or stolen, without having to jailbreak the device?

    1. Maddie Cook

      Hi Ray,

      Devices purchased through an Apple Authorized third-party service provider are DEP eligible. To confirm, you will have to contact your Reseller to obtain your Reseller ID. More details for the criteria to sign up with DEP can be found through Apple’s site at: http://images.apple.com/business/docs/DEP_Guide.pdf. Once your organization is registered with the DEP program and configured in the AirWatch Admin Console, currently enrolled devices need to be factory reset and can re-enroll into AirWatch, where the MDM profile will no longer be removable.

      Thanks,

      Maddie

  9. Daniel Valois

    I was told that token authentication would work with DEP with Airwatch 9.03
    I am however only getting prompted to enter a username and password rather than the url and group if where I would enter the token. Please enlighten me as to how this can be achieved.

  10. Roland Hoffman

    If a device has been ordered through DEP, is there a time frame where the profile will be removed from the device if the authentication process has not been performed?
