By Jon Xavier
Device deployment is often one of the biggest time sucks for IT administrators. Every time a new employee starts or a new device arrives, there’s a whole process of creating new accounts, installing necessary software, drivers, and WiFi credentials; enabling encryption and storing the keys; and configuring the device to meet security and compliance guidelines. Done manually, this can easily add up to a couple of hours of work per device. It’s not uncommon for admins to spend their entire Sunday setting up devices if a large group of new hires is starting on Monday.
Apple’s Device Enrollment Program (DEP) is the solution to this problem. It’s a component of both of Apple’s device management solutions—Apple Business Manager & Apple School Manager—that makes it possible for devices to set themselves up the first time they’re taken out of the box, no extra work required.
Best of all, it’s free. It does take a little work to set up, though, and there are a few important caveats to keep in mind. Here’s an overview of the program and what you should know about it.
How does the Apple Device Enrollment Program work?
At a high level, Apple’s Device Enrollment Program (DEP) works by establishing cryptographic trust between the device, a Mobile Device Management (MDM) server, and Apple itself, and then passing configuration information between them. The process is explained in great detail in our Chief Security Officer Jesse Endahl’s deep dive into MDM security for Black Hat. We’ll summarize it here.
The first time an Apple device powers on, it launches the Setup Assistant, which begins to set up the device. Although most people think of Setup Assistant as just the graphical prompts the user clicks through, steps in the Setup Assistant can also be completed remotely by Apple or by an MDM server.
The first time the device connects to the internet as a part of setup, the Setup Assistant connects to Apple’s DEP server and sends information about itself. Apple’s DEP server checks to see if this device is supposed to be managed by any MDM provider. If so, it sends back a “DEP Profile” that “enrolls” it in that server.
From there, the device immediately checks in to the specified MDM server and begins receiving MDM commands that configure it. Setup Assistant can also skip screens for which user input is no longer needed, because the configuration is being supplied by MDM, which makes for a quicker and smoother onboarding experience for the user.
From this point on, the device is enrolled with that MDM server, which can send it commands to change settings, remotely lock or wipe the device, install applications, and more.
The benefits of the Apple Device Enrollment Program
Using DEP, Apple admins gain the following benefits:
- The ability to customize the Apple Setup Assistant that the user goes through when the device is first powered on.
- Automatic enrollment in an Apple MDM server.
- The ability to define the configuration of native Apple settings once and then have these settings applied automatically to every new device.
- The ability to push 3rd party apps to a device after set-up (although see the caveat in the next section)
- The ability to dropship new devices directly to remote employees or offices, rather than receiving them yourself, setting them up, and mailing them out. This often represents a significant cost savings, but it does require either a more advanced MDM solution or relatively simple configuration requirements.
Also, DEP is unique among device enrollment options in three ways:
- macOS devices enrolled through DEP are automatically considered to have User Approved MDM (UAMDM) without requiring any additional approval steps from the user.
- iOS devices enrolled through DEP are automatically considered supervised devices.
- The MDM enrollment cannot be removed by the user if the admin chooses to enforce this option in Apple Business Manager or Apple School Manager.
As with anything, the devil’s in the details. But this means that Apple device management with DEP is potentially less disruptive and more secure than any other method, because it can be largely invisible to the end user and also nearly impossible for them to circumvent.
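As a practical check on the two properties above (DEP enrollment and User Approved MDM), here is an added example that is not Fleetsmith code: it parses the output of `sudo profiles status -type enrollment` on macOS 10.13.4 or later and classifies the machine. The sample outputs are constructed to match that command’s two-line format, and the classification labels are this example’s own.

```python
"""Classify a Mac's MDM enrollment state from `profiles status -type enrollment`.

Added example, not Fleetsmith code. The command exists on macOS 10.13.4+
and needs root; the SAMPLE_* strings below are constructed to match its
output format so the module runs offline.
"""
import re
import subprocess

# Constructed sample outputs in the format printed by `profiles status -type enrollment`.
SAMPLE_DEP_UAMDM = "Enrolled via DEP: Yes\nMDM enrollment: Yes (User Approved)\n"
SAMPLE_MANUAL_UNAPPROVED = "Enrolled via DEP: No\nMDM enrollment: Yes\n"
SAMPLE_UNMANAGED = "Enrolled via DEP: No\nMDM enrollment: No\n"


def parse_enrollment_status(text):
    """Return {'dep': bool, 'mdm': bool, 'user_approved': bool} from the command output."""
    dep = re.search(r"^Enrolled via DEP:\s*(\w+)", text, re.M)
    mdm = re.search(r"^MDM enrollment:\s*(\w+)(.*)$", text, re.M)
    if not dep or not mdm:
        raise ValueError("unrecognised profiles output")
    return {
        "dep": dep.group(1) == "Yes",
        "mdm": mdm.group(1) == "Yes",
        # Only the "(User Approved)" suffix means the enrollment counts as UAMDM.
        "user_approved": mdm.group(1) == "Yes" and "User Approved" in mdm.group(2),
    }


def assess(status):
    """Label the enrollment state (labels are this example's own).

    dep-user-approved is the only state that was established through Apple
    and is not removable by the user when removal is disallowed in ABM/ASM.
    A manual enrollment can be user-approved, but the user can still remove it.
    """
    if not status["mdm"]:
        return "unmanaged"
    if status["dep"] and status["user_approved"]:
        return "dep-user-approved"
    if status["user_approved"]:
        return "manual-user-approved"
    return "manual-unapproved"


def current_status():
    """Run the real command on a Mac (as root); return None where it is unavailable."""
    try:
        out = subprocess.run(
            ["profiles", "status", "-type", "enrollment"],
            capture_output=True, text=True, check=True,
        ).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return parse_enrollment_status(out)


if __name__ == "__main__":
    live = current_status()
    if live is not None:
        print("this machine:", assess(live))
    for sample in (SAMPLE_DEP_UAMDM, SAMPLE_MANUAL_UNAPPROVED, SAMPLE_UNMANAGED):
        print(assess(parse_enrollment_status(sample)))
```

Anything other than `dep-user-approved` is worth an alert in a fleet inventory: a manually enrolled Mac that was never approved in System Preferences cannot receive the security-sensitive payloads UAMDM gates, and even an approved manual enrollment can be removed by the user.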
Limitations of the Apple Device Enrollment Program
An important thing to keep in mind about DEP is that it is not a standalone service. It provides a way to get management onto a device, but it does not provide the management on its own. For that you’ll need to either host your own MDM server, or adopt a cloud device management service that includes support for Apple MDM.
Still, DEP is really nice compared to the ways that admins used to have to deploy new devices. So why doesn’t Fleetsmith consider it to be a “true” zero touch deployment? This is because there’s still usually a few extra touches with MDM+DEP before a device is completely set up: user accounts, apps, app configuration. There are also some limitations to management through MDM which mean it might not be enough to meet your needs on its own.
In our case, Fleetsmith installs the Fleetsmith Agent as its first order of business once enrollment through DEP is complete. That lets us complete any extra deployment steps seamlessly with no additional work from the admin. We call this True Zero Touch Deployment.
Signing up for DEP (AKA What the heck is a D-U-N-S Number?)
The Device Enrollment Program is just a single component of Apple’s enterprise management programs, Apple Business Manager and Apple School Manager. So you’ll need to sign up for one or the other, depending on whether you work at a school or a business. The process is broadly similar in either case (fill out a form and wait for approval), but for businesses, Apple requires one extra piece of information: your company’s D-U-N-S Number.
The D-U-N-S Number is a unique identifier assigned by Dun & Bradstreet, a private firm that maintains a database of corporate records. Your business probably already has a D-U-N-S Number if you’ve been around for a while (you can look it up here). But in case you don’t, it’s easy and free to sign up for one.
In Apple School Manager’s case, you don’t need a D-U-N-S Number, but you will need to provide a contact at your organization who will confirm that you are authorized to enroll on its behalf (a school administrator, superintendent, principal, etc.). Apple will actually call this person to verify this, so make sure you provide the correct information and let them know this will be happening, to avoid complications that could delay the enrollment. Expect this process to take anywhere from a few days to a couple of weeks.
Once you’ve been admitted into ABM or ASM, DEP is fairly straightforward:
- Connect your MDM server. Upload the public key certificate (PEM) of the MDM server you want to use with DEP, then download the server token (a .p7m file containing OAuth 1.0a credentials, S/MIME-encrypted to that public key) and upload it to your MDM solution. Whoever can decrypt that token can act as your MDM server toward Apple, so the private key and the decrypted token need the same protection as any other service credential; the token also expires after a year and has to be renewed.
- Update your suppliers with your DEP information. Add your Apple Customer ID to ABM or ASM to register devices purchased directly from Apple. For devices purchased through a reseller, you’ll need to give the reseller the DEP Customer ID you received from Apple, enter the DEP Reseller ID you get back from them, and then request that they submit your orders through their vendor portal.
- Configure profiles in your device manager. Device configuration happens through your MDM solution, and will vary depending on what you’re using. Fleetsmith has a very simple, graphical, set-once-deploy-everywhere experience, but other device providers may be more complicated.
- Assign devices in DEP whenever you make a purchase. Once you purchase a device from Apple or a reseller you’ve set up, the order will appear in your DEP portal within 24-72 hours. For best results, you will want to assign the devices to your MDM server as soon as you can, while they are still in tran
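To make the server-token step concrete, here is an added example (not Fleetsmith’s or Apple’s code) of what an MDM server does with that token once it has it: decode the credentials and produce the OAuth 1.0a-signed request that opens a DEP API session. It assumes the .p7m has already been decrypted with the MDM server’s private key (for example `openssl smime -decrypt -in token.p7m -inkey mdm_key.pem`), that the decrypted payload is a JSON object wrapped in `BEGIN MESSAGE`/`END MESSAGE` lines carrying `consumer_key`, `consumer_secret`, `access_token`, `access_secret` and `access_token_expiry`, and that the session endpoint is `POST https://mdmenrollment.apple.com/session` with an `X-Server-Protocol-Version` header. The credentials in the block are constructed; the signing routine is generic RFC 5849 HMAC-SHA1 and is not tied to Apple.

```python
"""Turn a decrypted ABM/ASM server token into a signed DEP session request.

Added example, not Fleetsmith or Apple code. Assumptions: the token has
already been decrypted (openssl smime -decrypt ... -inkey mdm_key.pem),
the decrypted payload is JSON wrapped in BEGIN/END MESSAGE lines, and the
DEP session endpoint is POST https://mdmenrollment.apple.com/session.
All credentials below are constructed.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import quote, urlsplit

DEP_SESSION_URL = "https://mdmenrollment.apple.com/session"  # assumption: public DEP API endpoint

# Constructed decrypted token, shaped like the real file; every value is fake.
DECRYPTED_TOKEN = """-----BEGIN MESSAGE-----
{"consumer_key": "CK_example", "consumer_secret": "CS_example",
 "access_token": "AT_example", "access_secret": "AS_example",
 "access_token_expiry": "2099-01-01T00:00:00Z"}
-----END MESSAGE-----
"""


def parse_server_token(text):
    """Extract the OAuth 1.0a credentials from a decrypted DEP server token."""
    body = text.split("-----BEGIN MESSAGE-----", 1)[1].split("-----END MESSAGE-----", 1)[0]
    creds = json.loads(body)
    for field in ("consumer_key", "consumer_secret", "access_token", "access_secret"):
        if field not in creds:
            raise ValueError("server token missing " + field)
    return creds


def _pct(value):
    # RFC 5849 section 3.6 percent-encoding: only unreserved characters stay as-is.
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """Build the RFC 5849 signature base string. `params` must already
    include any query-string parameters of `url`; the query is dropped here."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    encoded = sorted((_pct(k), _pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), _pct(base_url), _pct(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed with the two encoded secrets."""
    key = (_pct(consumer_secret) + "&" + _pct(token_secret)).encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def oauth_authorization_header(method, url, creds, nonce=None, timestamp=None, extra_params=None):
    """Return the Authorization header value for an OAuth 1.0a signed request."""
    oauth = {
        "oauth_consumer_key": creds["consumer_key"],
        "oauth_token": creds["access_token"],
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_nonce": nonce if nonce is not None else secrets.token_hex(16),
        "oauth_version": "1.0",
    }
    all_params = dict(extra_params or {})
    all_params.update(oauth)
    base = signature_base_string(method, url, all_params)
    oauth["oauth_signature"] = hmac_sha1_signature(base, creds["consumer_secret"], creds["access_secret"])
    return "OAuth " + ", ".join(f'{k}="{_pct(v)}"' for k, v in sorted(oauth.items()))


def dep_session_request(creds, nonce=None, timestamp=None):
    """Headers for POST /session; the JSON response carries auth_session_token,
    which later calls send in X-ADM-Auth-Session (assumption: public DEP API docs)."""
    return {
        "Authorization": oauth_authorization_header("POST", DEP_SESSION_URL, creds, nonce, timestamp),
        "Content-Type": "application/json;charset=UTF8",
        "X-Server-Protocol-Version": "3",  # assumption: version the public DEP API expects
    }


if __name__ == "__main__":
    creds = parse_server_token(DECRYPTED_TOKEN)
    print(dep_session_request(creds)["Authorization"])
```

The signing functions reproduce the HMAC-SHA1 worked example published in the OAuth Core 1.0 specification’s Appendix A, which is a quick way to confirm an implementation before pointing it at Apple. Note also that `access_token_expiry` is in the token for a reason: an MDM server should surface that date, because DEP assignment silently stops working once it passes.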