Julian Joswig: IT Blog

Provisionally add iOS to Apple Device Enrollment Program

Written on 26. Sep 2017, 20:09

Since the release of iOS 11 and Apple Configurator 2 (version 2.5) on September 19, 2017, it is now possible to add iOS devices provisionally to the Apple Device Enrollment Program (DEP). This possibility now offers new opportunities for companies.

What is the Apple Device Enrollment Program (DEP)?

This Apple service is offered to enterprises and schools. Centrally purchased iOS devices can be assigned to a Mobile Device Management system (MDM) using the DEP system. The device will be added to the MDM system automatically, which automates the whole iOS device set up strongly. By using DEP in conjunction with MDM, the so called 'supervised' mode can be enabled on all devices over-the-air and with 'zero-touch'. The supervised mode enables companies to de-couple their devices from an Apple ID to disable the activation lock functionality at the same time. This allows reuse of device even in cases where accessing the Apple ID is not possible. More information regarding DEP can be found here: https://www.apple.com/business/dep/

Why is the new provisional DEP integration helpful?

To date, iOS devices could be added to the DEP system only using the following ways:
  • Centrally purchasing devices from authorized Apple resellers or carriers (unfortunately there is no list publicly available OR
  • Purchasing the devices from Apple directly
Additionally, the DEP service is only available in a limited amount of countries, which limits the use heavily. For instance as of today (September 24, 2017), Apple DEP is not available in Russia (meaning all enterprises in Russia cannot benefit from DEP). By using the new provisional DEP integration it is now possible, to add iOS devices to the DEP system of Apple even in cases the device haven't been bought by using one of the two channels mentioned above. Schools, for example, can use this way to integrate donated iOS devices to the DEP system.

How does the provisional DEP integration work?

Currently, it is only possible to use provisional DEP integration under the following technical conditions:
  • the iOS device must be equipped with iOS 11 and
  • the Apple Configurator 2 (version 2.5) has to be used.
The iOS device is integrated into the DEP system by using the Apple Configurator 2. The integration to DEP is based on provisional bases, that means:
  • The iOS device get a DEP enrollment profile and at first launch, it connects to the DEP system, downloads additional information and connects to the linked MDM server.
  • The DEP profile has a validity period of 30 days (that's why it is provisional). During this period, the user can delete DEP profile from the devices (a delete cases a factory reset).
  • After the validity period of 30 days and if the profile is still present on the device, the device is added to the DEP system permanently. All DEP functionalities are available permanently and to their full extent.

How can a device be added to the DEP system provisionally?

The following pictures outline the enrollment process. Attention: Using the process of provisional DEP integration cases a factory reset of the device, which deletes all data on the device irrevocably! [gallery ids="151,156,152,153,154,155"] After integration the device to the DEP system, a new configuration pane 'Remote Management' is shown on the device: [gallery ids="158,159"]

What has to be done terminatory?

After walking through all above steps, there is nothing more to do. The device will be added to the DEP system permanently after the validity period of 30 days and all functionalities are usable. Conclusion: Added iOS devices to Apple DEP provisionally offers new opportunities for enterprises and closes a gap existing to date. By using one of the above channels to procure devices from authorized resellers or Apple directly, companies were not able to integrate already existing iOS devices to their DEP pool. Now, new opportunities regarding the use of iOS devices in companies arise:
  • There is now a way to migrate existing iOS landscapes into the DEP system.
  • Companies in countries, where is no possibility to procure devices from authorized resellers (e. g. Russia), can integrate devices to existing DEP accounts now.
The possibility created by Apple here now seems to be positive on first sight, because companies that weren't able to benefit from DEP so far are now in the position to do so. If the shown way of iOS deployment is flexible enough and scalable to migrate big landscapes with hundreds of thousands devices, has to be investigated individually. Sources:

Julian Joswig

Julian Joswig Facebook Julian Joswig LinkedIn Julian Joswig Twitter Julian Joswig XING

About this Blog

What is the content of this blog, you may ask? My name is Julian Joswig and I am a big fan of IT and technology (mainly Linux, servers, networks and all related topics). Sometimes I almost bite my teeth on difficult issues. But if I have found a solution, I want to share it with the world. Professionally, I work as a management consultant in Germany with a focus on IT and business.

Newest Articles:

Article Archive:

Twitter Timeline: