7 Questions Answered about AirWatch & the Device Enrollment Program from Apple

This blog was updated on May 22, 2017, with the latest information about the Device Enrollment Program from Apple. Join the conversation on Twitter using #iOSinBusiness.

What is the Device Enrollment Program from Apple?

The Device Enrollment Program provides a fast, streamlined way to deploy your corporate-owned Mac, iOS or tvOS devices. With a mobile device management (MDM) and unified endpoint management solution like VMware AirWatch, IT can:

  • Customize device settings;
  • Activate and supervise devices over the air; and
  • Enable users to set up their own devices out of the box.

What IT challenges does the Device Enrollment Program help address?

The Device Enrollment Program solves several critical requirements for corporate-owned devices. First, organizations save time and money by eliminating high-touch processes for IT. DEP takes configuration time to zero. Deployment of corporate-owned devices with DEP means zero-touch configuration for IT, eliminates staging and automates device configuration.

Second, onboarding iOS or macOS devices is streamlined for users. Based on the settings IT configured, users are prompted through Setup Assistant (skipping through any unnecessary screens). Users only need to authenticate and don’t need to be tech savvy to get the content, apps and email they need on their smartphones.

Finally, DEP makes it possible to supervise iOS devices over the air. With supervision, administrators have more control over the device and can disable features like AirDrop, the App Store and account modification. They can also enable features like password protection. In addition, the MDM profile cannot be removed, which eliminates the possibility of un-enrollment, protecting data and investments in devices, and provides the best user experience possible.

What role does AirWatch play in Apple’s Device Enrollment Program?

To use the Device Enrollment Program, MDM capabilities like those in VMware AirWatch are required. AirWatch integrates with the Device Enrollment Program, enabling organizations to automatically import devices into the console based on order history. Then, administrators can easily configure settings, apply profiles, assign applications and set restrictions that will apply automatically when users unbox devices.

How can I join the Device Enrollment Program from Apple?

First, enroll with Apple and register your organization’s information to create an account and designate your administrators. Next, configure your device settings and Setup Assistant steps in the AirWatch console. You then can ship devices directly to your users.

For more information, check out Apple’s Device Enrollment Program Guide.

What are the device requirements for the Apple Device Enrollment Program?

The devices must be corporate-owned and purchased directly from Apple or through participating Apple Authorized Resellers.*

*The Device Enrollment Program may not be supported by all Apple Authorized Resellers and carriers.

Where is the Device Enrollment Program available?

The Device Enrollment Program is available in 34 countries: Australia, Austria, Belgium, Brazil, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hong Kong, Hungary, India, Ireland, Italy, Japan, Luxembourg, Mexico, Netherlands, New Zealand, Norway, Poland, Portugal, Singapore, South Africa, Spain, Sweden, Switzerland, Taiwan, Turkey, United Arab Emirates, United Kingdom and United States.

What’s available for education with the Device Enrollment Program from Apple?

Both Apple and AirWatch give special consideration to unique education use cases. With Apple School Manager (ASM), Apple has delivered a central place for account creation, role definitions and content purchases. To support ASM, AirWatch designed a console section for education to set up mobile deployments and streamline management of teachers, students, classes, apps and more, whether you have a 1:1 or shared device deployment. After importing data from Apple School Manager, use AirWatch to:

  • Match devices with students or classes;
  • Assign applications (to users or devices); and
  • Configure the new Classroom application, allowing teachers to guide learning on iPads.

Students quickly choose the device with their photo displayed once their teacher has started the class.

Visit apple.com/business/dep/ and apple.com/education/it/ to learn more about the Device Enrollment Program.

Claire Feeney

Claire Feeney is a senior product marketing manager at VMware focused on mobility.

Comment

  1. Ben Toms

    Hi Scott,

    What version console will we need to support this?

    Also, as it’s currently US only... Any idea when this will be available elsewhere?

  2. Chris Marshall

    Hi, this sounds great.
    Are any of these features available without using DEP, as it’s not available in the UK yet?

    Is it possible to supervise over the air, devices not enrolled to the DEP for example?

    1. Scott Solomon

      Hi Chris, thank you for reading and for your comment. Currently, none of these features are available outside of DEP and there are no other available options for over-the-air supervision outside of DEP at this time.

  3. Eric

    Scott, a question in regards to the last point about currently supervised devices.
    We have ~500 devices configured and supervised by Apple Configurator and live in the field. Is there an advantage to moving those devices to the DEP program, or would we be better served to just use DEP on devices moving forward and having a mix of DEP and Configurator supervised devices?

    1. Scott Solomon

      Hi Eric, I spoke with one of our product managers and she provided the following answer: If you are interested in taking advantage of the DEP features, such as preventing the removal of the MDM profile and requiring enrollment in order to activate a device, then you would want to migrate those devices to use DEP. Before doing this, contact Apple to make sure your current devices are eligible to register in the program.

      If these features are not of priority for your organization, then it is not a problem. AirWatch is capable of supporting both non-DEP and DEP devices at the same time.

  4. Todd Friedmar

    Hi Scott, the new program will be a great complement with MDM. I haven’t heard anything about how the Apple IDs will be associated with the devices. Can Apple apply a list of Apple IDs and enroll them or will this still be a manual process? In an Enterprise rollout, we have a large number of shared devices in Retail that will need to have a corporate Apple ID so that we can load the AirWatch agent and other public apps. Is this being addressed by Apple? Is there a way to get a custom AirWatch Agent, so we don’t have to enroll through the Public Catalog?

    Thanks,

    Todd

    1. Scott Solomon

      Hi Todd, thank you for your comment. The Apple ID policy remains the same. At the most, Apple requires one Apple ID per every 10 devices. With DEP, the enrollment process is streamlined so once a device is registered with Apple and the DEP profile is applied to the device in the AirWatch console, enrollment is part of the setup process on the device. During activation, MDM enrollment will be an option in Apple’s Setup Assistant, just like selecting a language or turning on location services. If you’d like to require your users to enroll into MDM, a profile can be put on the device that makes it impossible to use the device unless the end-user enrolls into MDM. If you are using DEP to enroll your devices, then you do not need to enroll them through the AirWatch Agent in the App Catalog – it happens automatically during the device’s initial setup.

    1. Scott Solomon

      Hi Bob, thank you for your comment. If the device has been enrolled into MDM through the Device Enrollment Program, then you can supervise the device over-the-air. If it currently is not enrolled in the program then you must tether the device to a workstation and supervise it via Apple Configurator.

  5. Jim Shellhamer

    Can past orders of iPads, that are not supervised but managed by AirWatch, be incorporated into the Device Enrollment Program?
    Also, can the supervision profile be configured to not prompt for any setup screens, but still have the settings chosen by the administrator?

    1. Scott Solomon

      Thank you Jim for reading and for your comment. Yes, devices up to three years old can be enrolled into the program – you can learn more about eligible devices via the Device Enrollment Program Guide. The screens that can be skipped during the Setup Assistant are: Passcode, Location Services, Restoring from Backup, Sign in with Apple ID and iCloud, Terms of Use and Conditions, Siri, Diagnostics. However, setting any of them to “Skip” in the AirWatch console defaults the setting to disabled on the device.

  6. Eizy Meizy

    Hi! Thanks for a good article. If we don’t use the Device Enrollment Program (DEP), but are using Apple Configurator and want to use device supervision features with AirWatch: Can we enable device supervision with Apple Configurator once and then supervision stays on? Or is the device supervised only as long as it is connected through USB? Sorry if this is a stupid question, but we don’t have DEP in our country.

  7. Kyle Schroeder

    Hi Scott,
    We will be starting in with DEP soon and trying to integrate into our various AW environments. Do you know if you can require 2-factor enrollment via DEP, or if you are limited to single-factor only (assuming username/password for LDAP-sourced users)? Our standard self-service enrollment sends users their enrollment token after they register in the SSP and they need that second factor (i.e. they have access to their company email to read the token) and what they know (their username/password) to get enrolled.
    Thanks,
    Kyle

    1. Maddie Cook

      Hi Kyle,

      Since Apple’s DEP enrollment protocol only supports username/password for authentication, the token-based, two-factor enrollment is not currently available for DEP devices.

      However, it’s worth discussing internally within your company to see if this is still a hard requirement for DEP enabled devices.

      Technically, DEP authentication could be considered two-factor authentication, since the device serial number is used to identify the device with the Apple DEP servers before the user is prompted to authenticate.

      While this would require a process change and a configuration change, it may be worth exploring this option to simplify your enrollment process for DEP devices while still supporting a level of two-factor authentication. If you have more questions or concerns, please contact Support and myAirWatch.

      Thanks,

      Maddie

  8. Ray Yanez

    I just wanted to try and get some clarification around Apple’s DEP. So I currently have about 4,000 iOS devices (iPads/iPhones) in our environment. I am currently using AirWatch as my MDM.

    If I sign up with the DEP, do I have the ability to go back to these devices and enroll them into the DEP in order to have non-removable MDM profiles installed? Or am I out of luck? We did NOT purchase these directly from Apple, and work through a 3rd party supplier/provisioner for all our devices.

    If I am out-of-luck, does anyone know of a way (a tool) to somehow profile our devices so they are known as our devices in the event of being lost or stolen, without having to jailbreak the device?

    1. Maddie Cook

      Hi Ray,

      Devices purchased through an Apple Authorized third-party service provider are DEP eligible. To confirm, you will have to contact your Reseller to obtain your Reseller ID. More details for the criteria to sign up with DEP can be found through Apple’s site at: http://images.apple.com/business/docs/DEP_Guide.pdf. Once your organization is registered with the DEP program and configured in the AirWatch Admin Console, currently enrolled devices need to be factory reset and can re-enroll into AirWatch, where the MDM profile will no longer be removable.

      Thanks,

      Maddie

  9. Daniel Valois

    I was told that token authentication would work with DEP with AirWatch 9.03.
    I am however only getting prompted to enter a username and password rather than the URL and group ID where I would enter the token. Please enlighten me as to how this can be achieved.

  10. Roland Hoffman

    If a device has been ordered through DEP, is there a time frame where the profile will be removed from the device if the authentication process has not been performed?

  11. Peter

    Hi Scott,
    We are using Apple Configurator at the moment for managing iPads. We block the access to the Lightning port for security reasons. We are testing DEP at the moment and we see that a connection via Lightning is now possible. Is there a way to block Lightning as it was on Apple Configurator?
    Best regards
    Peter

    1. Ashley Speagle

      Hi, Peter! It sounds like you’re referring to the “Device Pairing” option in the DEP Profile. If you “Disable” device pairing, you can upload an optional Supervision Certificate (exported from Configurator 2) so that you can ONLY connect the iOS device to a macOS device that has the supervision identity.

      Thanks for reaching out,
      Ashley
