Workspace ONE and Apple Device Enrollment Program
Summary: Enroll Apple devices in Workspace ONE using the Apple Device Enrollment Program (DEP). Simplify MDM enrollment for Mac and iOS devices with our comprehensive guide.
Instructions
Affected Products:
- Workspace ONE
Affected Versions:
- v7.1 and Later
Affected Operating Systems:
- Mac
- iOS v7 and Later
The Device Enrollment Program (DEP) from Apple is designed to help enterprises and educational institutions simplify the Mobile Device Management (MDM) enrollment process for IT departments and end users. The Device Enrollment Program enables enterprises to automatically install MDM profiles onto devices during the initial device setup process and supervise iOS devices over-the-air. Before the Device Enrollment Program, in order to supervise a device, it had to be tethered using USB to a computer running Apple Configurator. Learn more about this program with Apple’s Device Enrollment Program guide.
Prerequisites
One important prerequisite to be followed for the DEP to be eligible is that the enterprise information must be registered with the Apple DEP. For more information about other prerequisites and to register the enterprise information, customers should go to https://deploy.apple.com 
Safari, Firefox, or Chrome web browser (Internet Explorer is not supported): Ensure to work through all the steps in this guide using the same browser session. The APN's generation process with Apple includes time-based and browser-based credentials for security purposes. This mandates going through all the steps below in the same browser session from start to finish to avoid any security or session-related errors. If one browser does not generate the certificate, try a different browser, but be sure to redo or complete all the steps in one session.
About
The Device Enrollment Program solves several critical requirements for corporate-owned devices. A major concern for IT is the user's discretion to remove MDM from their corporate iOS devices. With DEP, enterprises can now install nonremovable MDM profiles, thus disabling the users from disenrolling the device.
With Apple, more control over devices is given to administrators that put them in supervised mode. Before the Device Enrollment Program, enterprises that wanted to place devices under supervision had to connect the device using USB to a primary Mac. Once a device was connected, it could be placed under supervision through Apple Configurator. Now, with the Device Enrollment Program, devices can be placed into supervised mode over-the-air (OTA) through the AirWatch administrative console. Since MDM enrollment begins during the initial device setup, enterprises can skip certain setup options entirely, and even require end users to enroll them. By making enrollment into MDM part of the device setup, Device Enrollment Program simplifies the entire enrollment process, making it for non-technical end users to enroll into MDM. For example, students given a school-owned device can unbox it and complete the setup process to enroll into MDM.
End-User Benefits
For end-users, MDM enrollment now becomes a familiar user experience and part of the initial device setup. In addition, the Device Enrollment Program drastically reduces the number of post enrollment steps by using silent application installations. Administrators can also customize prompts or eliminate setup steps during enrollment to fit their organization's needs.
IT Benefits
For IT, manually enrolling thousands of devices is time-consuming. However, now with automated enrollment during the device’s setup, end users can enroll into MDM when the device is taken out of the box. With the Device Enrollment Program, the need for a staging or provisioning process can be eliminated and devices can be sent directly to end users. The Device Enrollment Program enables IT to leverage the advanced capabilities of supervision without the need to physically tether a device to a primary computer running Apple Configurator; supervision can be turned on with the click of a button OTA. IT also benefits from the avoided risks that are associated with unmanaged devices. With the Device Enrollment Program, IT can leverage unremovable MDM profiles and even require devices to re-enroll after being wiped or reset.
Integration and Enrollment Requirements
- Workspace ONE (formerly VMware AirWatch) versions 7.1+
- iOS 7+
Integration
Workspace ONE integrates with the Device Enrollment Program to provide streamlined enrollment and management benefits. Workspace ONE allows organizations to automatically import devices into Workspace ONE directly from its Apple order history. Through Workspace ONE, administrators can configure the DEP, create DEP profiles, and apply the configured settings to different devices depending on the use case.
The steps for configuring the DEP for integration with Workspace ONE are:
- Register your Organization with DEP by going to https://deploy.apple.com
- Log in to the Workspace ONE Admin Console and go to Groups & Settings > All Settings > Devices & Users > Apple > DEP and select Configure to configure the settings for Apple
- Download the Public key by selecting MDM_DEP_PublicKey.pem.
- Select Apple Deployment Programs to go to https://deploy.apple.com
- Add the MDM server and upload the Public key to the Apple DEP.
- Download the Apple Server Token file from Apple DEP.
- Register devices to the MDM server
- Upload the Apple Server Token file in the Workspace ONE Admin Console by clicking Upload.
- Define the DEP profile settings within the Workspace ONE Admin Console.
Workspace ONE also enables the following through the Device Enrollment Program:
- Support for staging workflows
- Automatically assigning ownership types to different devices
- Pre-assigning devices to users and groups to bypass authentication and automatically organize devices.
- Full support for other standard device life cycle and MDM features
Enrollment
Once the DEP is configured, DEP profile settings are defined within the AirWatch Admin Console which is then assigned to the registered devices. The device user completes the Setup Assistant actions on the device after which the device is enrolled into MDM.
- AirWatch sends a request to the Apple Server. The requests can be things such as Define a profile, Assign a profile, Fetch and Sync devices, or Delete a device.
- The device begins the Setup Assistant process, communicates with the Apple Server, and receives the DEP Profile settings from the Apple server.
- The device is redirected to the AirWatch Server to receive the MDM profile.
Registering Devices
You can assign devices that are based on either Order Number or Serial Number from Apple's Volume Services page.
Apple Configurator Considerations
Organizations that use Apple Configurator can choose to transition to the Device Enrollment Program if they want. However, Apple does not allow organizations to supervise a device with Configurator if that device is registered to a Device Enrollment Program profile. Devices that were previously enrolled into AirWatch MDM with Apple Configurator can be wiped and re-enrolled into the Device Enrollment Program; however, they should only be given a Device Enrollment Program profile if an organization plans to start enrolling devices through the program.
Using Multiple MDM Providers
Customers can use multiple MDM providers. This is set up at Apple's Volume Services by linking groups of serial numbers to specific MDM instances.
To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.