Understanding Apple's Device Enrolment Program (DEP)

DEP, or Device Enrollment Program, is a new service from Apple that lets you automatically enrol new devices (OS X and iOS) with your MDM as they progress through the setup assistant. Up until now, connecting devices to a management system has required some user interaction, either by IT or by the end user.
We have been able to set up user self-enrollment, but there has always been the risk that the user doesn't do it, which means the business has no inventory record and no way to manage the device. For the first time, we can take a brand new device out of the box, go through the setup assistant and have it enrol with the management service without any technical input.
As you can imagine, this opens up some new scenarios with regards to device deployment.
Depending on your configuration, you can theoretically ship the devices direct to the users, knowing that the devices will appear in MDM once they set it up.
We were naturally very interested in the real world applications and challenges with this new service so in this blog post we describe a bit about how it works and some of our experiences as we were testing it.

How does DEP work?

This is by no means a deep dive into the inner workings of DEP, but should suffice to give you some understanding of the processes at work.
Devices that run through the Apple setup assistant are programmed to contact Apple to see if there is a DEP registration that matches their serial number. If there is, they will receive the details of the specified MDM service from Apple and then enrol into the management system.
In the case of The Casper Suite from JAMF Software, the device enrols, installs the JAMF binary (if it’s an OS X device), installs Self Service (if the JSS is set to do so) and configures any other computer management framework tasks like startup, login and logout triggers.
From that point on you can start dropping the devices into smart groups, running policies and all the other good stuff you need to get the devices setup and ready for use.
Getting set up
To get up and running with DEP, you need to register on Apple's Device Enrollment Program website.

[Image: Apple DEP registration page]

To complete the registration process, a new Apple ID will get created. The first contact form will ask you for an email address (amongst other things) which will be used to automatically create a new Apple ID for administration:
[Image: DEP "submit your details" form]
It didn’t seem that you could use an existing Apple ID for this purpose. In fact, this was the same for adding additional administrators. I had to create a new Apple ID before I could be added as a DEP administrator by my colleague.
Once you’ve verified the Apple ID, the next step is to complete some of the institutional information:
[Image: DEP institutional details form]
Most of these details are straightforward, but there are a few things to note.
Company D-U-N-S
This is the unique numeric identifier, referred to as a "DUNS number", that Dun & Bradstreet (D&B) assigns to a single business entity.
Devices Purchased From
This is an important bit. It will be used to associate the serial numbers of any devices you purchase with your DEP account. You can add multiple sources including Apple and third-party resellers, as long as they are official Apple resellers and registered with the DEP service. So if you purchase some of your Macs from Apple and some from a reseller, they will all link back to your DEP account and in turn your MDM.
Once you have submitted the application, Apple will check the details and process the registration. In our case, we only have a single Apple account, so we entered our account number. Shortly after submitting the registration we received a phone call from Apple to verify our details and to get authorisation from a company representative.
Some people have mentioned that the registration process can take a few days to complete. In our case, we were up and running within a few hours, but I guess your mileage may vary.
Link The Casper Suite JSS to DEP
The next step is to link your DEP account to your MDM. In the case of The Casper Suite, we needed to:

  • Select Device Enrollment Program from the Global Management screen and download the Public Key
  • Use the public key to add the JSS to the Apple DEP portal. Adding the server to the DEP portal provides a Server Token File
  • Take the Server Token File and use it to add the account to the JSS

Once you have added the server to the DEP portal, you can set whether newly purchased devices are automatically enrolled into your MDM.
Configure PreStage Enrolments
Next you need to configure PreStage Enrolments. This is used to set what happens when a device is directed to the JSS by DEP. Click New, set the scope and options.
Amongst other things, you will have the option to decide which setup screens are to be shown on the clients:
[Image: Configure PreStage Enrolments screen, showing the setup assistant screens that can be skipped]
Some other points
Network – As you can imagine, this process only works if the clients are connected to a network that allows communication with Apple and the JSS.  In larger corporate environments or schools, this is likely to cause problems as there are often port filtering, 802.1X, and other security systems in place that will prevent communication.  One solution is to create an enrollment SSID that can only communicate with the Apple and JSS servers.  Users can connect to that network for the initial setup, after which the JSS can configure the devices for the main network.  If your corporate wireless network requires the devices to be connected to Active Directory for device certificates (for example), that SSID won’t be suitable for DEP.
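Before shipping devices to be set up on an enrollment SSID, it is worth confirming from a client on that network that the hosts the setup assistant needs are actually reachable. The script below is an added example, not code from the original post or from JAMF; it checks TCP connectivity to the Apple hosts involved in activation and DEP (taken from Apple's published list of hosts used during enrollment; verify them against that list for your OS versions) and to your JSS, whose hostname and port here are placeholders. The connector is injectable so the logic can be exercised without network access.

```python
import socket
from typing import Callable, Dict, List, Tuple

# Hosts a client must reach during the setup assistant. The Apple names are
# from Apple's published enrollment host list (check it for your OS versions);
# the JSS entry is a placeholder for your own server name and port.
ENROLLMENT_ENDPOINTS: List[Tuple[str, int]] = [
    ("albert.apple.com", 443),         # device activation
    ("iprofiles.apple.com", 443),      # DEP lookup of the serial number
    ("mdmenrollment.apple.com", 443),  # DEP enrollment
    ("jss.example.com", 8443),         # your JSS (placeholder)
]

Connector = Callable[[Tuple[str, int], float], socket.socket]


def tcp_reachable(host: str, port: int,
                  connect: Connector = socket.create_connection,
                  timeout: float = 5.0) -> Tuple[bool, str]:
    """Open and close one TCP connection; return (reachable, detail)."""
    try:
        with connect((host, port), timeout):
            return True, "ok"
    except OSError as exc:
        # Port filtering, DNS failure and captive portals all surface here.
        return False, str(exc)


def check_enrollment_network(endpoints=ENROLLMENT_ENDPOINTS,
                             connect: Connector = socket.create_connection
                             ) -> Dict[str, Tuple[bool, str]]:
    """Check every endpoint and return results keyed by host:port."""
    results = {}
    for host, port in endpoints:
        results[f"{host}:{port}"] = tcp_reachable(host, port, connect)
    return results


def blocked_endpoints(results: Dict[str, Tuple[bool, str]]) -> List[str]:
    """Return the endpoints that could not be reached, sorted by name."""
    return sorted(key for key, (ok, _) in results.items() if not ok)


if __name__ == "__main__":
    checks = check_enrollment_network()
    for key, (ok, detail) in checks.items():
        print(f"{'PASS' if ok else 'FAIL'} {key} {detail}")
    # Non-zero exit if anything is blocked, so this can gate a rollout.
    raise SystemExit(1 if blocked_endpoints(checks) else 0)
```

Run it from a Mac on the enrollment SSID rather than from the IT network, because the whole point is to find the filtering that applies to brand new clients. A TCP connection succeeding is necessary but not sufficient: the DEP exchange is HTTPS to Apple, so an SSL-inspecting proxy on that path will also break enrollment even though this check passes.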
User accounts – As you can see above, there isn’t an option to stop the user creating a local admin account.  If this is OK for your organisation, then there is nothing more to do.  If however you need the users to work with standard user accounts, or even directory users, you will need to run policies from the JSS after enrollment to perform the additional configuration, and possibly delete the local admin user account that the user created.
Targeting DEP enrolled Macs for policies – If you do want to target the DEP enrolled Macs with policies from the JSS, there is a Smart group criteria option called “Enrollment Method.”  Select “PreStage enrollment” as the value, and this will identify those devices.  I would avoid adding too many policies, particularly those that install software unless you can be sure the device will be on a fast enough link.  If the user sets up their device from home and a policy starts installing the Adobe Creative Suite, this will be a problem.
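A policy scoped to the "Enrollment Method: PreStage enrollment" Smart Group is the natural place to deal with the local admin account the user created. Rather than deleting that account, the script below removes every member of the admin group except an allowlist, leaving the user's data in place. It is an added example, not code from the post or from JAMF: the protected account name "jssadmin" is a placeholder for whatever management account your PreStage creates, and the commands it issues are the standard dscl and dseditgroup tools. The command runner is injectable so the logic can be tested away from a Mac.

```python
import subprocess
from typing import Callable, List, Set

# Accounts that must keep admin rights: root and the management account the
# PreStage enrollment creates ("jssadmin" is a placeholder for yours).
PROTECTED_ADMINS: Set[str] = {"root", "jssadmin"}

Runner = Callable[[List[str]], str]


def run(cmd: List[str]) -> str:
    """Run a command and return its stdout; raises on a non-zero exit."""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def parse_admin_members(dscl_output: str) -> List[str]:
    """Parse `dscl . -read /Groups/admin GroupMembership` output.

    The command prints a line such as "GroupMembership: root jssadmin alice".
    """
    for line in dscl_output.splitlines():
        if line.startswith("GroupMembership:"):
            return line.split(":", 1)[1].split()
    return []


def admins_to_demote(dscl_output: str,
                     protected: Set[str] = PROTECTED_ADMINS) -> List[str]:
    """Admin group members that are not on the allowlist."""
    return [u for u in parse_admin_members(dscl_output) if u not in protected]


def demote_extra_admins(runner: Runner = run,
                        protected: Set[str] = PROTECTED_ADMINS) -> List[str]:
    """Remove non-allowlisted users from the admin group; return who was demoted."""
    members = runner(["dscl", ".", "-read", "/Groups/admin", "GroupMembership"])
    demoted = []
    for user in admins_to_demote(members, protected):
        # Drop the user from the admin group only; the account itself stays.
        runner(["dseditgroup", "-o", "edit", "-d", user, "-t", "user", "admin"])
        demoted.append(user)
    return demoted


if __name__ == "__main__":
    for user in demote_extra_admins():
        print(f"demoted {user} to a standard user")
```

Upload it as a script in the JSS and run it once, after enrollment, from a policy scoped to the PreStage Smart Group; because it only touches group membership it is safe to re-run and does nothing once the allowlist is the whole admin group.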
Adding legacy Macs – It is possible to add existing devices to your DEP account.  We tested this with a few Macs going back to 2012 which worked OK.  We just needed to add the serial numbers to the DEP portal.
So all in all it looks like a pretty useful service. There are, of course, some challenges for larger corporations with enterprise networks and other security policies, but from our perspective Apple have given us more options and functionality, which is a good thing. The added bonus in the case of The Casper Suite is that the JAMF binary is installed on new Macs, allowing you to fully manage the device without it ever being touched by the IT team.