Enroll Corporate-owned iOS Devices Using the Apple Device Enrollment Program (DEP) in Configuration Manager

 

Updated: May 14, 2015

Applies To: System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager SP1

Beginning with System Center 2012 Configuration Manager SP2, you can enroll corporate-owned iOS devices using the Apple Device Enrollment Program (DEP). Devices enrolled through DEP cannot be un-enrolled by users.

Enroll corporate-owned iOS devices in Configuration Manager using the Apple Device Enrollment Program

To manage corporate-owned iOS devices with the Apple Device Enrollment Program (DEP), companies must complete the steps with Apple to participate in the program and acquire devices through that program. Details of that process are available at: https://deploy.apple.com.

Before you can enroll corporate-owned iOS devices with the DEP, you need a DEP Token from Apple. This token allows Intune to sync information about DEP-participating devices owned by your corporation. It also lets Intune upload Enrollment Profiles to Apple and assign devices to those profiles.

To enroll corporate-owned devices using DEP

  1. Start managing iOS devices with Configuration Manager 
    Before you can enroll iOS Device Enrollment Program (DEP) devices, you must complete steps to Prepare to enroll iOS Devices.

  2. Create a DEP token request 
    In the Configuration Manager console, in the Administration workspace, expand Hierarchy Configuration, expand Cloud Services, and click Windows Intune Subscriptions. Click Create DEP Token Request on the Home tab, click Browse to specify the download location for the DEP token request, and then click Download. Save the DEP token request (.pem) file locally. The .pem file is used to request a trusted token (.p7m) from the Apple Device Enrollment Program portal.

  3. Get a Device Enrollment Program token 
    Go to the Device Enrollment Program Portal (https://deploy.apple.com) and sign in with your company Apple ID. This same Apple ID must be used in the future to renew your DEP token.

    1. In the Device Enrollment Program Portal, go to Device Enrollment Program > Manage Servers, and then click Add MDM Server.

    2. Enter the MDM Server Name and then click Next. The server name is for your reference to identify the MDM server. It is not the name or URL of the Intune or Configuration Manager server.

    3. The Add <ServerName> dialog box opens. Click Choose File… to upload the .pem file that you created in the previous step, and then click Next.

    4. The Add <ServerName> dialog box displays a Your Server Token link. Download the server token (.p7m) file to your computer, and then click Done.

    This certificate (.p7m) file is used to establish a trust relationship between Intune and Apple’s Device Enrollment Program servers.

  4. Add the DEP token to Configuration Manager 
    In the Configuration Manager console, in the Administration workspace, expand Hierarchy Configuration and click Windows Intune Subscriptions. Click Configure Platforms on the Home tab and click iOS. Select Enable Device Enrollment Program, Browse to the certificate (.p7m) file, click Open, click Upload, and then click OK.

  5. Add a Corporate Device Enrollment Policy 
    In the Configuration Manager console, in the Assets and Compliance workspace, expand Overview, expand All Corporate-owned Devices, expand iOS, and click Enrollment Profiles. Click Create Profile on the Home tab to open the Create Profile wizard. Configure the settings on the following pages:

    1. On the General page, specify the following information, and then click Next.

      • Name – Name of the device enrollment profile. (Not visible to users)

      • Description – Description of the device enrollment profile. (Not visible to users)

      • User affinity – Specifies how devices are enrolled.

        • Prompt for user affinity: The device must be affiliated with a user during initial setup and could then be permitted to access company data and email as that user.

        • No user affinity: The device is not affiliated with a user. Use this affiliation for devices that perform tasks without accessing local user data. Apps requiring user affiliation won’t work.

    2. On the Device Enrollment Program page, specify the following information, and then click Next.

      • Department: Enter a department associated with this profile.

      • Support phone number: Enter a phone number assigned to this profile.

      • Preparation mode: Specify whether the assigned devices are in supervised mode or are unsupervised.

      • Lock enrollment profile to device: Choose whether to lock this enrollment profile on the assigned devices.

    3. On the Setup Assistant page, configure the settings that customize the iOS Setup Assistant that starts when the device is first powered on, and then click Next. These settings include:

      • Passcode

      • Location Services

      • Restore

      • Apple ID

      • Terms and Conditions

      • Siri

      • Send diagnostic data to Apple

    4. On the Additional Management page, specify whether additional management settings can be configured during device enrollment, and then complete the wizard. When you select Require certificate, you must import an Apple Configurator management certificate to use for this profile.

  6. Assign DEP Devices for Management 
    Go to the Device Enrollment Program Portal (https://deploy.apple.com) and sign in with your company Apple ID. Go to Deployment Program > Device Enrollment Program > Manage Devices. Under Choose Devices, identify the devices by Serial Number, Order Number, or Upload CSV File, and provide the requested device information. Next, select Assign to Server, select the <ServerName> that you specified in step 3, and then click OK.

  7. Synchronize DEP-Managed Devices 
    In the Assets and Compliance workspace, go to All Corporate-owned Devices > iOS > Device Information. On the Home tab, click DEP Sync. A sync request is sent to Apple. After synchronization completes, the DEP-managed devices are displayed. The Enrollment Status for managed devices reads Not contacted until the device is powered on and runs the Setup Assistant to enroll the device.

  8. Distribute devices to users 
    You can now give your corporate-owned devices to users. When an iOS device is turned on, it is enrolled for management by Intune.
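The following added example is not part of this article and is not Configuration Manager, Intune or Apple code. It illustrates, with openssl only, the trust mechanism behind steps 2 through 4: the DEP token request (.pem) carries a public-key certificate whose private key stays on the MDM side, and the server token (.p7m) Apple returns is an S/MIME (CMS) enveloped message encrypted to that public key, so only the server that generated the request can read it. Both sides are simulated locally with a constructed self-signed certificate and a placeholder payload; the real .p7m is also signed by Apple, which this simulation does not reproduce. The helper functions are hypothetical checks an administrator might run on the files before uploading them to the console, not tools the product ships.

```shell
#!/bin/sh
# Constructed illustration of the DEP token request/token exchange.
# Nothing here is a real DEP token; the key, certificate and payload
# are generated on the fly.
set -e
WORK="$(mktemp -d)"

# 1. Stand-in for "Create DEP token request": a key pair whose public
#    certificate (request.pem) is the part uploaded to the Apple portal.
#    The private key never leaves the MDM side.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=Example DEP token request (constructed)" \
  -keyout "$WORK/private.key" -out "$WORK/request.pem" 2>/dev/null

# 2. Stand-in for Apple's side: encrypt a placeholder token payload to
#    that public certificate, producing an S/MIME enveloped .p7m that
#    only the holder of private.key can open.
PAYLOAD='{"token":"placeholder-not-a-real-dep-token"}'
printf '%s' "$PAYLOAD" > "$WORK/token.json"
openssl cms -encrypt -aes256 -outform SMIME \
  -in "$WORK/token.json" -out "$WORK/token.p7m" "$WORK/request.pem"

# Hypothetical pre-upload check: the .pem parses as an X.509 certificate
# and is not already expired (exit 0 on success).
pem_is_valid() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Hypothetical pre-upload check: the .p7m is an S/MIME enveloped-data
# (i.e. encrypted) message rather than plain text or a signed-only blob.
p7m_is_enveloped() {
  grep -qi 'smime-type=enveloped-data' "$1"
}

# Decrypt a .p7m with the private key that matches the uploaded .pem.
# Fails for any other key, which is the property the trust step relies on.
decrypt_p7m() {
  openssl cms -decrypt -inform SMIME -in "$1" -inkey "$2" -recip "$3"
}

# Usage when run stand-alone.
if pem_is_valid "$WORK/request.pem" && p7m_is_enveloped "$WORK/token.p7m"; then
  echo "request.pem and token.p7m look well-formed; decrypted payload:"
  decrypt_p7m "$WORK/token.p7m" "$WORK/private.key" "$WORK/request.pem"
  echo
fi
```

Because the .pem contains only the public half, it is safe to hand to the portal; the .p7m is useless to anyone who does not hold the private key generated with the request, which is why a token must be requested from, and uploaded to, the same Configuration Manager site.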