What is DEP?
The Device Enrollment Program (DEP) helps businesses and educational institutions automatically enrol their devices into Intune. You can also configure the Enrollment Profile in Intune to skip certain Setup Assistant screens, so users can start using their devices soon after unboxing them without having to enroll them manually.
Has anything changed?
Starting with iOS 11, all iOS devices, no matter where they were purchased, can be added to DEP. This blog post covers the steps required to enrol these devices in Intune.
Here are some of the requirements:
- An Apple DEP account. To create a new account, go to deploy.apple.com and create your program account; you will need to provide an email address associated with your business. If you already have a DEP account, skip this step
- A Mac running macOS with Apple Configurator 2 version 2.5 or later installed
- An iOS device running iOS 11 or later
Configure DEP enrolment and create an Enrolment Profile in Intune. See https://docs.microsoft.com/en-us/intune/device-enrollment-program-enroll-ios. Follow the steps under the sections listed below, but skip the steps about uploading serial numbers and assigning them to an MDM server in the DEP portal. If DEP enrolment is already configured and an Enrolment Profile exists, skip this step
- Get the Apple DEP token
- Create an Apple enrolment profile
Remove your iOS device from Find My iPhone (using Find My iPhone on iCloud.com) to turn off Activation Lock. Activation Lock will be managed via Intune once the device is enrolled. You can also turn it off via Settings on the device. If you are using a new device, this step can be skipped.
Create a mobileconfig file in Apple Configurator (AC) that contains the details needed to connect automatically to a Wi-Fi network; you will need it later. In AC, click File > New Profile > Wi-Fi > Configure, enter details such as SSID, proxy and security type, and save it.
Connect the iOS device to the Mac and open Apple Configurator 2. The device should now be visible under the All Devices tab. Click on the device; Prepare should now become available.
Click on Prepare > Select Manual Configuration > Add to Device Enrollment Program > Next. All other settings are optional.
Please note that this new functionality only adds the device to DEP in the Apple portal. The remaining steps, such as assigning the device to an MDM server and assigning profiles in Intune on the Azure portal, still need to be performed.
About Activate and complete enrollment setting:
Don't tick "Activate and complete enrollment" if this is a new device and you want it to start up in Setup Assistant so the user completes the enrollment.
Tick "Activate and complete enrollment" if this is an existing device that already has a record in Apple DEP and Intune, and an Enrollment Profile has been assigned to it in Intune.
- In the Enroll in MDM Server dialog box, click on Next
- In the Define an MDM Server dialog box, enter the Name and URL, and click on Next
If the Intune and AAD tenant IDs are not known, you can alternatively create a test Apple Configurator profile in the Intune console and export it to grab the URL. See the Export the Profile section here
- Select Baltimore CyberTrust Root and click on Next
If you are doing this for the first time, you will be presented with the following screen. Click on Next
Enter your Apple DEP account details and click on Next
In the Create an Organization dialog box, select Generate a new supervision identity and click on Next
In Configure iOS Setup Assistant, choose any of the three options available in the drop-down. These settings will be controlled by Intune once the Enrollment Profile is pulled by the device. Click on Next
In the Choose Network Profile dialog box, choose the mobileconfig file you created earlier and click on Prepare
Enter your macOS credentials and click on Update Settings
The device will now restart. It may take some time before this happens.
Note: If Activation Lock was not turned off, Apple Configurator will throw an error at this stage saying "The device may be activation locked". In the test I performed it failed once as the device was locked. I had to unlock it and go through the entire process again.
When it finishes and you don't see any errors in AC, the device will show Setup Assistant and ask you to select a language. Do not select anything yet. At this point, your device should have been added to DEP.
Go to deploy.apple.com and enter your credentials. Under Device Enrollment Programme > Manage Servers, you will now see a new MDM server in the list called "Device Added by Apple Configurator 2". Click on it and, in the top right corner, click on Download Serial Numbers. Open the csv file and confirm that Serial_No matches what you see on the back of the device. Copy the serial number and click on OK
In the Apple DEP portal, click on Manage Devices and paste the serial number. Assign it to the MDM server linked with the DEP enrollment configuration in Intune. Click on OK and OK
Go to portal.azure.com > Intune > Device enrollment > Apple enrollment > Enrollment Program Devices. Under the Enrollment Program Devices blade, click on Sync > Request Sync. Wait for a few minutes and refresh the Enrollment Program Devices blade. You should now see the device added to Intune.
Select the newly added iOS device and click on Assign Profile. Choose the Enrollment Profile and click on Assign at the bottom of the blade. This step is important.
If the sync you requested above is still running, wait for it to finish and then initiate a new sync. Wait for the new sync to finish.
On the device, select Language > Country > Connect to Wi-Fi > Next. You should now see a screen saying Remote Management; click on Next
Notice the Leave Remote Management option at the bottom of the screen. The user can click on it to cancel the enrolment and use the device as a regular device. Once the device is enrolled, the user will still be able to unenroll it within the next 30 days. After the 30-day grace period, the device will be locked to DEP.
Enter the credentials if you enabled User Device Affinity in the Enrollment Profile. Depending on the settings configured in the Enrollment Profile, Setup Assistant will take you to the Home screen.
The device should now be in supervised mode and enrolled in Intune. Check the Management Profile under General > Device Management on the device.
From Intune on Azure portal:
~ Karan Rustagi | Senior Service Engineer | https://blogs.technet.microsoft.com/karanrustagi/