Automatically enroll iOS devices with Apple's Device Enrollment Program
You can set up Intune to enroll iOS devices purchased through Apple's Device Enrollment Program (DEP). DEP lets you enroll large numbers of devices without ever touching them. Devices like iPhones and iPads can be shipped directly to users. When the user turns on the device, Setup Assistant runs with preconfigured settings and the device enrolls into management.
To enable DEP enrollment, you use both the Intune and Apple DEP portals. A list of serial numbers or a purchase order number is required so you can assign devices to Intune for management. You create DEP enrollment profiles containing settings that are applied to devices during enrollment. Note that DEP enrollment cannot be used with a device enrollment manager account.
DEP sets device configurations that can't be removed by the end user. Therefore, before migrating to DEP, the device must be wiped to return it to an out-of-box (new) state.
DEP and the Company Portal
DEP enrollments aren't compatible with the app store version of the Company Portal app. You can give users access to the Company Portal app on a DEP device. To give them access, push the app to the device using Install Company Portal with VPP (Volume Purchase Program) in the DEP profile. For more information, see Automatically enroll iOS devices with Apple's Device Enrollment Program.
You can install the Company Portal app on devices already enrolled with DEP. To do so, deploy the Company Portal app through Intune with an Application Configuration policy applied.
What is supervised mode?
Apple introduced supervised mode in iOS 5. An iOS device in supervised mode can be managed with more controls. As such, it's especially useful for corporate-owned devices. Intune supports configuring devices for supervised mode as part of the Apple Device Enrollment Program (DEP).
Support for unsupervised DEP devices was deprecated in iOS 11. In iOS 11 and later, DEP configured devices should always be supervised. The DEP is_supervised flag will be ignored in a future iOS release.
- Devices purchased in Apple's Device Enrollment Program
- Mobile Device Management (MDM) Authority
- Apple MDM Push certificate
Get an Apple DEP token
Before you can enroll iOS devices with DEP, you need a DEP token (.p7m) file from Apple. This token lets Intune sync information about DEP devices that your corporation owns. It also permits Intune to upload enrollment profiles to Apple and to assign devices to those profiles.
You use the Apple DEP portal to create a DEP token. You also use the DEP portal to assign devices to Intune for management.
If you delete the token from the Intune classic portal before migrating to Azure, Intune might restore a deleted Apple DEP token. You can delete the DEP token again from the Azure portal.
Step 1. Download the Intune public key certificate required to create the token.
In the Microsoft Endpoint Manager Admin Center, choose Devices > iOS > iOS enrollment > Enrollment Program Tokens > Add.
Grant permission to Microsoft to send user and device information to Apple by selecting I agree.
Choose Download your public key to download and save the encryption key (.pem) file locally. The .pem file is used to request a trust-relationship certificate from the Apple Device Enrollment Program portal.
Step 2. Use your key to download a token from Apple.
Choose Create a token for Apple's Device Enrollment Program to open Apple's Deployment Program portal, and sign in with your company Apple ID. You can use this Apple ID to renew your DEP token.
In Apple's Deployment Programs portal, choose Get Started for Device Enrollment Program.
On the Manage Servers page, choose Add MDM Server.
Enter the MDM Server Name, and then choose Next. The server name is for your reference to identify the mobile device management (MDM) server. It isn't the name or URL of the Microsoft Intune server.
The Add <ServerName> dialog box opens, stating Upload Your Public Key. Select Choose File… to upload the .pem file, and then choose Next.
Go to Deployment Programs > Device Enrollment Program > Manage Devices.
Under Choose Devices By, specify how devices are identified:
- Serial Number
- Order Number
- Upload CSV File.
For Choose Action, choose Assign to Server, choose the <ServerName> specified for Microsoft Intune, and then choose OK. The Apple portal assigns the specified devices to the Intune server for management and then displays Assignment Complete.
In the Apple portal, go to Deployment Programs > Device Enrollment Program > View Assignment History to see a list of devices and their MDM server assignment.
Step 3. Save the Apple ID used to create this token.
In the Microsoft Endpoint Manager Admin Center, provide the Apple ID for future reference.
Step 4. Upload your token and choose scope tags.
- In the Apple token box, browse to the certificate (.pem) file, and then choose Open.
- If you want to apply scope tags to this DEP token, choose Scope (tags), and select the scope tags that you want. Scope tags applied to a token will be inherited by profiles and devices added to this token.
- Choose Create.
With the push certificate, Intune can enroll and manage iOS devices by pushing policy to enrolled mobile devices. Intune automatically synchronizes with Apple to see your enrollment program account.
Create an Apple enrollment profile
Now that you've installed your token, you can create an enrollment profile for DEP devices. A device enrollment profile defines the settings applied to a group of devices during enrollment. There is a limit of 100 enrollment profiles per DEP token.
Devices will be blocked if there aren't enough Company Portal licenses for a VPP token, or if the token has expired. Intune will display an alert when a token is about to expire or licenses are running low.
In the Microsoft Endpoint Manager Admin Center, choose Devices > iOS > iOS enrollment > Enrollment Program Tokens.
Select a token, choose Profiles > Create profile > iOS.
On the Basics page, enter a Name and Description for the profile for administrative purposes. Users don't see these details. You can use this Name field to create a dynamic group in Azure Active Directory. Use the profile name to define the enrollmentProfileName parameter to assign devices with this enrollment profile. Learn more about Azure Active Directory dynamic groups.
Select Next: Device Management Settings.
For User Affinity, choose whether devices with this profile must enroll with or without an assigned user.
Enroll with User Affinity - Choose this option for devices that belong to users and that want to use the Company Portal for services like installing apps. If you use ADFS and the enrollment profile has Authenticate with Company Portal instead of Setup Assistant set to No, a WS-Trust 1.3 Username/Mixed endpoint is required.
Enroll without User Affinity - Choose this option for devices unaffiliated with a single user. Use this option for devices that don't access local user data. Apps like the Company Portal app don't work.
If you chose Enroll with User Affinity, you can let users authenticate with Company Portal instead of the Apple Setup Assistant.
If you want to do any of the following, set Select where users must authenticate to Company Portal.
- use multifactor authentication
- prompt users who need to change their password when they first sign in
- prompt users to reset their expired passwords during enrollment
These aren't supported when authenticating with Apple Setup Assistant.
If you chose Company Portal for Select where users must authenticate, you can use a VPP token to automatically install the Company Portal on the device. In this case, the user doesn't have to supply an Apple ID. To install the Company Portal with a VPP token, choose a token under Install Company Portal with VPP. This requires that the Company Portal has already been added to the VPP token. To ensure that the Company Portal app continues to be updated after enrollment, make sure that you have configured an app deployment in Intune (Intune > Client Apps). So that user interaction is not required, you'll most likely want to have the Company Portal as an iOS VPP app, make it a required app, and use device licensing for the assignment. Make sure that the token doesn't expire and that you have enough device licenses for the Company Portal app. If the token expires or runs out of licenses, Intune installs the App Store Company Portal instead and prompts for an Apple ID.
When Select where users must authenticate is set to Company Portal, make sure that the device enrollment process is performed within the first 24 hours of the Company Portal being downloaded to the DEP device. Otherwise enrollment might fail, and a factory reset will be needed to enroll the device.
If you chose Setup Assistant for Select where users must authenticate, but you also want to use Conditional Access or deploy company apps on the devices, you must install the Company Portal on the devices. To do so, choose Yes for Install Company Portal. If you would like users to receive the Company Portal without having to authenticate into the app store, choose to Install Company Portal with VPP and select a VPP token. Make sure that the token doesn't expire and that you have enough device licenses for the Company Portal app to deploy correctly.
If you chose a token for Install Company Portal with VPP, you can lock the device in Single App Mode (specifically, the Company Portal app) right after the Setup Assistant completes. Choose Yes for Run Company Portal in Single App Mode until authentication to set this option. To use the device, the user must first authenticate by signing in using the Company Portal.
Multi-factor authentication isn't supported on a single device locked in Single App Mode. This limitation exists because the device can’t switch to a different app to complete the second factor of authentication. Therefore, if you want multifactor authentication on a Single App Mode device, the second factor must be on a different device.
This feature is only supported for iOS 11.3.1 and later.
If you want devices using this profile to be supervised, choose Yes for Supervised.
Supervised devices give you more management options and have Activation Lock disabled by default. Microsoft recommends using DEP as the mechanism for enabling supervised mode, especially if you're deploying large numbers of iOS devices.
Users are notified that their devices are supervised in two ways:
The lock screen says: "This iPhone is managed by Contoso."
The Settings > General > About screen says: "This iPhone is supervised. Contoso can monitor your Internet traffic and locate this device."
A device enrolled without supervision can only be reset to supervised by using the Apple Configurator. Resetting the device in this manner requires connecting an iOS device to a Mac with a USB cable. Learn more about this on Apple Configurator docs.
Choose if you want locked enrollment for devices using this profile. Locked enrollment disables iOS settings that allow the management profile to be removed from the Settings menu. After device enrollment, you can't change this setting without wiping the device. Such devices must have the Supervised Management Mode set to Yes.
Choose if you want the devices using this profile to be able to Sync with computers. If you choose Allow Apple Configurator by certificate, you must choose a certificate under Apple Configurator Certificates.
If you chose Allow Apple Configurator by certificate in the previous step, choose an Apple Configurator Certificate to import.
You can specify a naming format for devices that is automatically applied when they enroll and upon each successive checkin. To create a naming template, select Yes under Apply device name template. Then, in the Device Name Template box, enter the template to use for the names using this profile. You can specify a template format that includes the device type and serial number.
Choose Next: Setup Assistant Customization.
On the Setup Assistant customization page, configure the following profile settings:
| Department settings | Description |
|---|---|
| Department Name | Appears when users tap About Configuration during activation. |
| Department Phone | Appears when the user clicks the Need Help button during activation. |
You can choose to hide Setup Assistant screens on the device during user setup.
- If you choose Hide, the screen won't be displayed during setup. After setting up the device, the user can still go in to the Settings menu to set up the feature.
- If you choose Show, the screen will be displayed during setup. The user can sometimes skip the screen without taking action. But they can then later go into the device's Settings menu to set up the feature.
| Setup Assistant screen settings | If you choose Show, during setup the device will... |
|---|---|
| Passcode | Prompt the user for a passcode. Always require a passcode for unsecured devices unless access is controlled in some other manner (like kiosk mode that restricts the device to one app). |
| Location Services | Prompt the user for their location. |
| Restore | Display the Apps & Data screen. This screen gives the user the option to restore or transfer data from iCloud Backup when they set up the device. |
| iCloud and Apple ID | Give the user the options to sign in with their Apple ID and use iCloud. |
| Terms and Conditions | Require the user to accept Apple's terms and conditions. |
| Touch ID | Give the user the option to set up fingerprint identification for the device. |
| Apple Pay | Give the user the option to set up Apple Pay on the device. |
| Zoom | Give the user the option to zoom the display when they set up the device. |
| Siri | Give the user the option to set up Siri. |
| Diagnostic Data | Display the Diagnostics screen to the user. This screen gives the user the option to send diagnostic data to Apple. |
| Display Tone | Give the user the option to turn on Display Tone. |
| Privacy | Display the Privacy screen to the user. |
| Android Migration | Give the user the option to migrate data from an Android device. |
| iMessage and FaceTime | Give the user the option to set up iMessage and FaceTime. |
| Onboarding | Display onboarding informational screens for user education, such as Cover Sheet and Multitasking and Control Center. |
| Watch Migration | Give the user the option to migrate data from a watch device. |
| Screen Time | Display the Screen Time screen. |
| Software Update | Display the mandatory software update screen. |
| SIM Setup | Give the user the option to add a cellular plan. |
| Appearance | Display the Appearance screen to the user. |
| Express Language | Display the Express Language screen to the user. |
| Preferred Language | Give the user the option to choose their Preferred Language. |
| Device to Device Migration | Give the user the option to migrate data from their old device to this device. |
Choose Next to go to the Review + Create page.
To save the profile, choose Create.
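The profile settings above constrain one another: locked enrollment needs supervision, multifactor authentication needs Company Portal authentication, Single App Mode needs a VPP token, and so on. The following added example, which is not part of the original article or of Intune, checks a profile description against those constraints before you create it. The dictionary keys, the `needs_mfa` and `needs_conditional_access` flags, and both sample profiles are assumptions made for the illustration.

```python
# Added example: checks one DEP enrollment profile against constraints stated on this page.
# All dictionary keys are hypothetical names for the portal settings, not an Intune or Graph schema.
def lint_profile(p):
    """Return a list of (severity, message) findings for a profile described as a dict."""
    out = []
    supervised = p.get("supervised", False)
    auth = p.get("authenticate_with")        # "company_portal" or "setup_assistant"
    vpp = p.get("company_portal_vpp_token")  # VPP token name, or None
    if not supervised:
        out.append(("error", "Supervised is No: DEP devices on iOS 11 and later should be supervised"))
    if p.get("locked_enrollment"):
        if not supervised:
            out.append(("error", "Locked enrollment requires Supervised = Yes"))
    else:
        out.append(("warn", "Locked enrollment is No: the management profile can be removed in Settings"))
    if p.get("needs_mfa") and auth != "company_portal":
        out.append(("error", "MFA is not supported when authenticating with Setup Assistant"))
    if p.get("single_app_mode"):
        if not vpp:
            out.append(("error", "Single App Mode requires Install Company Portal with VPP"))
        if p.get("needs_mfa"):
            out.append(("warn", "Single App Mode: the second factor must be on a different device"))
    if (auth == "setup_assistant" and p.get("needs_conditional_access")
            and not p.get("install_company_portal")):
        out.append(("error", "Conditional Access needs Install Company Portal = Yes"))
    if not p.get("user_affinity") and (p.get("install_company_portal") or vpp):
        out.append(("warn", "Without user affinity, apps like the Company Portal don't work"))
    if (p.get("sync_with_computers") == "allow_configurator_by_certificate"
            and not p.get("configurator_certificate")):
        out.append(("error", "Allow Apple Configurator by certificate needs a certificate"))
    if "Passcode" in p.get("hidden_screens", ()) and not p.get("single_app_kiosk"):
        out.append(("warn", "Passcode screen is hidden on a device that is not otherwise access-controlled"))
    return out

# Constructed sample profiles (written for this example, not exported from Intune).
RISKY = {
    "user_affinity": True, "authenticate_with": "setup_assistant", "needs_mfa": True,
    "needs_conditional_access": True, "install_company_portal": False,
    "supervised": False, "locked_enrollment": True,
    "sync_with_computers": "allow_configurator_by_certificate",
    "hidden_screens": ["Passcode", "Siri"],
}
HARDENED = {
    "user_affinity": True, "authenticate_with": "company_portal", "needs_mfa": True,
    "company_portal_vpp_token": "Contoso VPP", "single_app_mode": True,
    "supervised": True, "locked_enrollment": True,
    "sync_with_computers": "deny_all", "hidden_screens": ["Siri"],
}

if __name__ == "__main__":
    for name, profile in (("RISKY", RISKY), ("HARDENED", HARDENED)):
        for severity, message in lint_profile(profile):
            print(f"{name}: {severity}: {message}")
```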
Sync managed devices
Now that Intune has permission to manage your devices, you can synchronize Intune with Apple to see your managed devices in Intune in the Azure portal.
In the Microsoft Endpoint Manager Admin Center, choose Devices > iOS > iOS enrollment > Enrollment Program Tokens > choose a token in the list > Devices > Sync.
To follow Apple’s terms for acceptable enrollment program traffic, Intune imposes the following restrictions:
- A full sync can run no more than once every seven days. During a full sync, Intune fetches the complete updated list of serial numbers assigned to the Apple MDM server connected to Intune. If a DEP device is deleted from the Intune portal, it should be unassigned from the Apple MDM server in the DEP portal. If it's not unassigned, it won't be reimported to Intune until the full sync is run.
- A sync is run automatically every 24 hours. You can also sync by clicking the Sync button (no more than once every 15 minutes). All sync requests are given 15 minutes to finish. The Sync button is disabled until a sync is completed. This sync will refresh existing device status and import new devices assigned to the Apple MDM server.
Assign an enrollment profile to devices
You must assign an enrollment program profile to devices before they can enroll.
You can also assign serial numbers to profiles from the Apple Serial Numbers blade.
- In the Microsoft Endpoint Manager Admin Center, choose Devices > iOS > iOS enrollment > Enrollment Program Tokens > choose a token in the list.
- Choose Devices > choose devices in the list > Assign profile.
- Under Assign profile, choose a profile for the devices > Assign.
Assign a default profile
You can pick a default profile to be applied to all devices enrolling with a specific token.
- In the Microsoft Endpoint Manager Admin Center, choose Devices > iOS > iOS enrollment > Enrollment Program Tokens > choose a token in the list.
- Choose Set Default Profile, choose a profile in the drop-down list, and then choose Save. This profile will be applied to all devices that enroll with the token.
You have enabled management and syncing between Apple and Intune, and assigned a profile to let your DEP devices enroll. You can now distribute devices to users. Devices with user affinity require each user be assigned an Intune license. Devices without user affinity require a device license. An activated device can't apply an enrollment profile until the device is wiped.
Renew a DEP token
Go to deploy.apple.com.
Under Manage Servers, choose your MDM server associated with the token file that you want to renew.
Choose Generate New Token.
Choose Your Server Token.
In the Microsoft Endpoint Manager Admin Center, choose Devices > iOS > iOS enrollment > Enrollment Program Tokens > choose the token.
Choose Renew token and enter the Apple ID used to create the original token.
Upload the newly downloaded token.
Choose Renew token. You'll see the confirmation that the token was renewed.