Apple Device Enrollment Program streamlines deployment, MDM

The Apple Device Enrollment Program allows IT pros to automate deployment, and they can also preset mandatory MDM configurations out of the box.

The Apple Device Enrollment Program will make it easier for businesses to deploy iOS and OS X devices.

IT administrators have been able to centrally configure and monitor iPhones and iPads using basic third-party mobile device management (MDM) products ever since Apple added native MDM capabilities several years ago in iOS 4. Users, however, still had to independently enroll their devices with Apple and then activate workplace MDM coverage themselves. Users could accept or opt out of MDM, and they could also remove MDM control at any time.

Apple isn't on the fence over MDM like it was back in 2010. The Device Enrollment Program (DEP) mandates MDM for iPhones, iPads and Macs purchased by businesses and schools. However, it also streamlines the enrollment process, allowing companies to fully automate enrollment. With DEP, devices are effectively purchased in a pre-enrolled state, ready to use and manage from afar. Moreover, DEP prevents device use without MDM, deterring unauthorized resale or theft.

How the Apple Device Enrollment Program works

When a user powers on a new Apple device purchased under DEP, that iPhone, iPad or Mac is automatically programmed to notify Apple. When it recognizes the device is associated with a DEP account, Apple then redirects the device to a designated MDM server to finish enrollment and provisioning. Companies may choose to display or skip the usual Apple device setup screens. Either way, the user receives a fully configured, IT-managed device out of the box, with no need to click on MDM links and no option to remove MDM control.

Here's the bonus: Companies can also use that auto-activated MDM control to remotely install configuration and application profiles that prepare a device for safe and productive business use. For example, IT can apply device restrictions during this phase. That includes configuration options like requiring a passcode or turning off Game Center. IT also has the option to receive a notification when the device is first activated and can track its location thereafter.
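An added example (not code from the article or from Apple) that models the two mechanisms described above: Apple's activation-time lookup, which hands a DEP-listed serial to the organization's MDM server with no option to remove MDM, and the restrictions profile IT can push afterward. The serial numbers and MDM URL are constructed; the payload types and keys (`com.apple.mobiledevice.passwordpolicy`/`forcePIN`, `com.apple.applicationaccess`/`allowGameCenter`) are taken from Apple's configuration profile reference as I know it, not from the article.

```python
import plistlib
import uuid

# Constructed sample (hypothetical serials): devices listed in the organization's
# DEP account, mapped to the MDM server Apple should hand them to at activation.
DEP_DEVICES = {"C02EXAMPLE001": "https://mdm.example.com/enroll",
               "DNPEXAMPLE002": "https://mdm.example.com/enroll"}

def activation_decision(serial: str) -> dict:
    """Mimic Apple's first-power-on check: a DEP serial is redirected to the
    designated MDM server and cannot drop MDM; others get normal consumer setup."""
    url = DEP_DEVICES.get(serial)
    if url is None:
        return {"mdm_url": None, "mdm_removable": True, "supervised": False}
    return {"mdm_url": url, "mdm_removable": False, "supervised": True}

def _payload(ptype: str, ident: str, **keys) -> dict:
    # Common envelope every configuration profile payload carries.
    return {"PayloadType": ptype, "PayloadVersion": 1, "PayloadIdentifier": ident,
            "PayloadUUID": str(uuid.uuid4()).upper(), **keys}

def build_restrictions_profile() -> bytes:
    """Profile IT pushes after enrollment. Payload types and keys follow Apple's
    configuration profile reference (assumed here, not taken from the article):
    a passcode policy that forces a PIN and an app-access payload that turns
    off Game Center."""
    profile = _payload("Configuration", "com.example.dep.baseline",
                       PayloadDisplayName="DEP baseline restrictions (example)",
                       PayloadContent=[
                           _payload("com.apple.mobiledevice.passwordpolicy",
                                    "com.example.dep.passcode", forcePIN=True),
                           _payload("com.apple.applicationaccess",
                                    "com.example.dep.restrictions", allowGameCenter=False),
                       ])
    return plistlib.dumps(profile)

def profile_enforces_baseline(profile_xml: bytes) -> bool:
    """Compliance check before pushing: does the profile really carry both
    restrictions the article names (forced passcode, Game Center off)?"""
    payloads = {p["PayloadType"]: p
                for p in plistlib.loads(profile_xml)["PayloadContent"]}
    pin_forced = payloads.get("com.apple.mobiledevice.passwordpolicy", {}).get("forcePIN") is True
    gc_off = payloads.get("com.apple.applicationaccess", {}).get("allowGameCenter") is False
    return pin_forced and gc_off
```

Running `profile_enforces_baseline` over the generated profile returns True, and it returns False for a profile in which Game Center has been re-enabled.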

If a DEP-enrolled device is ever lost, no business apps or data can be placed on it outside MDM supervision. DEP also discourages theft of Apple devices, because mandatory MDM prevents thieves from simply wiping and reselling a DEP-enrolled device.

DEP deployment considerations

The Apple Device Enrollment Program is not compatible with a bring-your-own-device policy. DEP is designed for company-purchased devices, however, so it is an ideal complement to corporate-owned, personally enabled iPhones and iPads. DEP applies only to devices purchased directly from Apple or from an authorized Apple reseller or cellular provider. Apple requires a binding contract with any business that owns DEP-enrolled devices, so third parties that acquire and distribute Apple devices cannot complete DEP enrollment on behalf of their customers.

DEP is currently available only in certain countries and regions, but that coverage does include North America, most of Western Europe, and a handful of countries in the Asia-Pacific region. Workers based in South America, Africa and India, to name a few, will not be eligible for the Apple Device Enrollment Program if they use a device purchased in those locations.

Companies also must sign up for the Apple Deployment Program (ADP) to become eligible for DEP. In the U.S., companies must supply their DUNS number -- these are issued by Dun & Bradstreet as part of their proprietary system to identify businesses -- and an email address associated with the company rather than a third-party email service. That address also cannot be associated with an individual Apple ID. Ideally, the contact is a person with authority to sign contracts for your company. Businesses already enrolled in Apple's Volume Purchase Program may reuse that existing email address and account, but they are still required to complete additional steps for DEP enrollment.

Setting up the Device Enrollment Program

During the initial enrollment, Apple requires two-step verification, during which a company must designate a trusted device to receive a recovery key from Apple. The recovery key serves as the second factor of verification, and can also be used later on if you somehow get locked out of your account.

Ultimately, each company's DEP account must be linked to one or more physical MDM servers that Apple already approves. Thus, DEP is not a good fit for companies that have yet to provide MDM coverage for Apple devices.

Once registered to use DEP, your company's MDM server will be able to complete fully automated, hands-free enrollment of each newly purchased Apple device. Taking the leap with the Apple Device Enrollment Program will leave IT pros smiling in the long run. With DEP, all new devices come preconfigured with IT-defined profiles and policies out of the box. And the mandatory MDM on each device should provide IT a bit more peace of mind when it comes to protecting corporate assets.
