With Apple Configurator 2.5 and iOS 11 it is possible to add iOS devices to your Device Enrollment Program (DEP) account. This is an interesting development and I want to show you how that works, including some interesting finds.
The feature was introduced at WWDC 2017 and is now available for everyone with:
-a Mac with Apple Configurator 2.5
-an iOS device running iOS 11 (not yet in DEP or ASM)
-a DEP or ASM account
-USB to Lightning cable
At LAI we are lucky to have both ASM and DEP. Technology wise the (automated) Enrollment part for both is the same, but Apple School Manager adds a lot of managment of teachers, classes and courses to DEP. Apple School Manager is only available for educational organisations.
Workflow in Configurator
Then you can (not required, but handy) enter the details of you MDM server under Servers.
When you connect the iOS device (or create a blueprint) the ‘Prepare’ workflow shows you the following steps:
This is the most imporant option: ‘Add to Device Enrollment Program. I have enabled the other options because that is the usual workflow for Apple Configurator.
the next step tells the iOS device to enroll to the MDM server as specified in the preferences.
Then you can select which DEP account this iOS device will be added to. This includes the supervision identity.
It is easy to add a profile with your wifi settings, that saves you the time to enter the wifi password after reboot.
This is the optional name to use for enrolling the iOS device to the server specified in step 2.
When you do this workflow the iOS device will show this on the bottom of the home screen:
This is the message that offers the user to opt-out of DEP. It you open Settings you see this:
You are supervised (top left) and you can Leave Remote Management. (only the first 30 days after enrolling into DEP) After these 30 days the iPad will be in DEP as any other device in DEP. (I have not been beyond that period with my demo devices yet 🙂
Whoot! This iPad is now in DEP without the help of resellers or Apple!
Reminder: with this workflow the iPad is now managed by your MDM but if you want to force the device to enroll to the MDM server you have to assign this device to the MDM in the DEP/ASM portal, and enforce enrollment for this device in the MDM.
How does this look in Apple School Manager?
In the portal you see an extra ‘server’
It is not really logical to show the devices in the same list as the MDM servers you can assign devices to, but I guess there was no better place in the GUI.
Tip: if you search for ‘All Orders’ you will see that for each ‘import’ to DEP there is an ‘order number’ created that starts with CE (Configurator Entry?)
How does it look in DEP?
(note there should be more that 0 devices, but I already assigned the device to a MDM server before I took the screenshot)
1 ) I tried to add the device I had just added to ASM to DEP. It will be changed to the other DEP without any warning or error! I think that is due to the fact that the device is still in the 30 day ‘trial’ period.
2) When you try to add a device that is already in DEP the workflow fails with a strange error:
MCCloudConfigErrorDomain – x80EF (33007)
Solve this by disowning the device in the DEP portal, and you can use Configurator to add it to a DEP account. This is expected, otherwise every admin with a DEP account can add any device (even those ‘found’ on eBay) to his/her DEP account.
3) When I assigned the device (now in DEP) to a server, erased the device, the setup assistant will show the user the option to ‘Leave Remote Management’ (i.e. opt-out of DEP)
4) If you install iOS10 on the same device, the user does not get the opt-out messages. This is understandable because the mechanism to opt-out does not exist in iOS10, and of course totally unsupported nor recommended.
Related training courses
The 3 days Managing Apple Devices training covers Apple Configurator, DEP, Apple School Manager and VPP for both iOS and macOS.
Questions? See my info on the contact page.