Enrolling corporate-owned devices using the Apple Device Enrollment Program
First published on CloudBlogs on Mar 17, 2015
Recently, the Intune team added support for the Apple Device Enrollment Program (DEP). DEP enables companies, educational institutions, and government organizations to enroll iOS devices into Mobile Device Management (MDM) directly from the factory or after a factory reset. Additionally, this program provides capabilities for supervising devices and for locking the device into MDM.
When a customer purchases iOS devices directly from the Apple Business channel or through an authorized reseller, the purchase information is copied over to Apple’s Device Enrollment Program. DEP catalogs the ownership of devices much like the Department of Motor Vehicles tracks titles to vehicles. When this channel is harnessed, it ensures that a device will respect the authority and management intent prescribed by the corporate device owner.
Establishing a DEP connection to Microsoft Intune
Organizations that rely on Microsoft Intune for mobile device management may perform DEP operations by “onboarding” their Intune account with the DEP program. This involves three steps:
1. Obtain a Certificate Signing Request (CSR) from Microsoft Intune.
The CSR indicates that Microsoft is an authorized MDM vendor for iOS devices in the eyes of Apple, and that the customer intends to use Intune to convey enrollment intent into the Device Enrollment Program.
2. Acquire a DEP token from Apple using the CSR.
All communications between Microsoft Intune and Apple’s Device Enrollment Program must be authenticated with a token representing the customer’s account. The token is generated by uploading the CSR from step 1 into the Apple Device Enrollment Program portal.
3. Upload the DEP token into Microsoft Intune.
Finally, once the token is acquired, it can be uploaded to Intune. This token will need to be renewed annually.
Creating and deploying enrollment profiles
An enrollment profile contains instructions used by the iOS device’s Setup Assistant, the process that the device goes through when first powered on or after a factory reset. In Intune, you create enrollment profiles and assign them to devices. Shortly after acquiring an internet connection, the device will “call home” to Apple. During this exchange, the device uploads its serial number. For DEP-enabled devices, Apple’s service can respond with an enrollment profile if the serial number was assigned to one. The enrollment profile contains enrollment instructions, including whether the device is supervised, whether the MDM profile is locked, and other settings that govern Setup Assistant behavior.
A sample enrollment profile created using Microsoft Intune
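As an added example (not Intune’s or Apple’s code), the following Python models the pieces described above: the profile settings that decide supervision and MDM lock, the serial-number lookup Apple performs when a device calls home, and the annual token renewal. Field names follow Apple’s DEP profile schema; the lookup service, the renewal check, the sample serial and the URLs are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Field names (is_supervised, is_mdm_removable, skip_setup_items) follow Apple's
# DEP profile schema; the service and check logic below are assumptions for this
# example, not Intune's or Apple's code.
@dataclass(frozen=True)
class EnrollmentProfile:
    name: str
    mdm_url: str            # where Setup Assistant hands the device to the MDM
    is_supervised: bool     # supervision enables restrictions a user cannot undo
    is_mdm_removable: bool  # False = MDM profile locked to the device
    skip_setup_items: tuple = ()

def profile_weaknesses(profile):
    """Reasons a profile fails to enforce the corporate owner's management intent."""
    issues = []
    if not profile.is_supervised:
        issues.append("device will not be supervised")
    if profile.is_mdm_removable:
        issues.append("user can remove the MDM profile after enrollment")
    if not profile.mdm_url.startswith("https://"):
        issues.append("MDM URL is not HTTPS")
    return issues

class DepLookup:
    """Stand-in for Apple's serial-number lookup during the Setup Assistant 'call home'."""
    def __init__(self):
        self._assigned = {}

    def assign(self, serial, profile):
        self._assigned[serial] = profile

    def call_home(self, serial):
        # Serials with no assignment get no profile and set up as unmanaged devices.
        return self._assigned.get(serial)

def dep_token_needs_renewal(issued, today, warn_days=30):
    """Tokens are renewed annually; flag when expiry (assumed 365 days) is within warn_days."""
    return today >= issued + timedelta(days=365 - warn_days)

# Constructed sample data: one weak profile, one that locks the device into MDM.
WEAK = EnrollmentProfile("weak", "http://mdm.example.test", False, True)
CORPORATE = EnrollmentProfile("corporate", "https://mdm.example.test", True, False, ("Diagnostics", "Siri"))
SERVICE = DepLookup()
SERVICE.assign("SERIAL-CONSTRUCTED-01", CORPORATE)
```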
How this all works together
In summary, Microsoft Intune provides a smooth, convenient enrollment experience for DEP-capable devices. The steps are:
1. Set up a DEP connection
2. Create enrollment profiles
3. Assign devices to the enrollment profiles
4. Deliver devices to end users
Any time a DEP device needs a factory reset, you can have confidence that Apple DEP and Microsoft Intune will maintain the proper MDM state throughout the process.