The key to end-user computing

ras-slava - Fotolia


How Apple DEP works and why it's important

Apple's DEP was the groundbreaking template for the future of endpoint provisioning. The program helps businesses and educators simplify enrollment and management.

Apple DEP is a convenient way to make sure that IT can enroll enterprise and school-owned iPhones, iPads, Macs and Apple TVs into mobile device management and keep them in a locked-down state, no matter what.

Apple's Device Enrollment Program (DEP) is also the forerunner of an important change that is beginning to sweep through all types of endpoint management: Cumbersome manual imaging and enrollment processes are being replaced with what's known as an "out of box experience," or more automated, standardized methods.

How Apple DEP works

The Apple DEP was announced in 2013 and rolled out in 2014. It combines features of prior Apple device management concepts, including Apple's over-the-air management protocol, configuration profiles, the Apple Configurator desktop utility and Supervised Mode, a set of more powerful mobile device management (MDM) controls intended for institutional devices.

The key aspect of Apple DEP is that enrollment is automatic and continuous. Apple's previous management tools required end users or administrators to enroll via a multistep process, which had the additional requirement of a USB connection for using Supervised Mode. Users could remove devices from management at any time, simply by removing profiles or MDM, or by erasing them. This was not very secure, as demonstrated in a highly-publicized incident in 2013 where students in the Los Angeles Unified School District "hacked" their devices to remove management restrictions. The Device Enrollment Program now ensures that this cannot happen.

For a typical Apple DEP enrollment flow, an organization gives Apple details about its MDM server, and then it purchases new devices from Apple or an authorized reseller. The program flags the devices, so that when they're powered on and check in with Apple as part of the normal initial setup process, Apple can associate them with the organization's MDM server. Enrollment then happens automatically during the setup process. If someone wipes the device, the same automatic process will happen again. When a device is ready to be retired, IT can disown it from DEP so that the organization can sell or repurpose it.

Organizations should know that they still need to have their own third-party MDM service, but using Apple DEP itself is free. Also good to know is that since 2017, any device (such as a device donated to a school) can be added to DEP. These devices must be enrolled using the Apple Configurator utility, and they are subject to a 30-day provisional period.

The Device Enrollment Program, along with Supervised Mode, is a key enabler for many business uses. Supervised Mode applies to iOS and tvOS, and it has enterprise lockdown features such as a single app mode, silent app installation, control over OS updates, the ability to arrange icons and set wallpapers, and many other settings that wouldn't be appropriate for personal devices.

Together, Apple DEP and Supervised Mode have helped iOS devices become common in use cases such as high security industries, retail, field work, education and healthcare.

The device provisioning revolution

It was the popularity of BYOD that initially forced IT administrators to get used to many new management concepts, but now, modern management features such as Apple DEP are important across all types of devices and uses.

Apple DEP
Apple Device Enrollment Program configuration.

Today, other platforms have similar automatic provisioning programs, such as Samsung Knox Mobile Enrollment and Android Zero Touch. Even Microsoft is getting on board with Windows Autopilot. This has the potential to have a huge effect on endpoint management, because Windows PC provisioning is time-consuming and complicated when using the traditional imaging process. It will take years for Autopilot to become common because it requires a comprehensive refresh to enterprise PC management strategy. But eventually, it will cut many hours out of the provisioning process, and it will even enable devices to be shipped directly to end users.

Article 3 of 6

Dig Deeper on Mobile operating systems and devices

Unified Communications