What is Apple Device Enrollment Program (Apple DEP)?
Apple Device Enrollment Program (Apple DEP) enables enterprises to deploy and configure multiple Apple devices, including iPads, iPhones, and Mac computers. It makes it easy to configure devices purchased from Apple or participating Authorized Resellers and carriers and to enroll them into an iOS MDM platform. DEP simplifies the initial setup of Apple devices with automatic supervision and MDM enrollment, and helps businesses and educational institutions quickly deploy newly purchased devices.
With DEP, IT admins can configure the devices without actually touching them. The devices are supervised during activation, and the users can start using them straight out of the box. The admins can also configure the device setup screens and remove complicated steps so that users can promptly start using the devices. DEP eliminates the need for self-enrollment and the potential risk of users not enrolling the device into an MDM at all. These devices can be pre-configured and enrolled into a trusted MDM platform. Using DEP, IT admins can supervise and enroll multiple devices, reducing IT effort.
To manage any Apple device effectively, it should be supervised. Apple Device Enrollment Program imparts supervision at the time of device setup. Although devices not purchased through DEP can be manually enrolled into DEP, there is a provisional period of 30 days from device activation. During this period, device users can remove the devices from enrollment as well as supervision. Hence, having DEP preconfigured on Apple devices is suggested so that the device is locked into MDM enrollment. Apple Device Enrollment Program (DEP) is highly recommended for the effective remote management of enterprise-owned Apple devices.
Which Devices Are Eligible for Apple DEP?
As mentioned above, devices running iOS 7 or later that were purchased directly from Apple or participating Authorized Resellers and carriers are eligible for DEP. The devices must be added to your Apple Device Enrollment Program (DEP) account at the time of purchase.
Alternatively, you can manually enroll Apple devices with iOS 11 and above using Apple Configurator 2.5 and later. Devices purchased before the 1st of March 2011 cannot be added to DEP.
Where is Apple Device Enrollment Program (DEP) Available?
Apple Device Enrollment Program (DEP) is available in the following countries/regions:
Hong Kong, India, Japan, Singapore, United Arab Emirates, Turkey, Taiwan, Austria, Belgium, Czech Republic, Denmark, Finland, France, Germany, Greece, Netherlands, Hungary, Ireland, Italy, Luxembourg, Norway, Poland, Portugal, Spain, Sweden, Switzerland, United Kingdom, Australia, New Zealand, Mexico, Brazil, South Africa, Canada, and the United States.
What Are the Benefits of the Apple Device Enrollment Program (DEP)?
Apple Device Enrollment Program (DEP) is packed with benefits that can create a reliable device management experience without complicating the enrollment process.
The benefits of the Apple Device Enrollment Program (DEP) are listed below:
- Devices are mandatorily enrolled into an MDM – When devices are added to DEP, they must be compulsorily enrolled into an MDM platform. This ensures that the company-specific policies are pre-applied on the device before it reaches the user.
- Devices are wirelessly supervised – The devices added to DEP are wirelessly supervised during the setup process. Supervision provides granular control to the IT teams on managed devices.
- Devices are configured over the air – Using Apple Device Enrollment Program (DEP), IT teams can execute large-scale deployments of iOS and macOS devices over the air, immediately after on-device activation. This nullifies the need to physically access the device or use staging services to apply policies on the device.
- Setup Assistance is streamlined – The device setup of iPads, iPhones, Mac computers, and Apple TVs into MDM is simplified by the built-in setup assistant. It can be further streamlined by specifying the screens that can be skipped during the setup process.
Security Vulnerabilities of Apple’s Device Enrollment Program (DEP)
Apple’s Device Enrollment Program (DEP) is designed to streamline the configuration and deployment of Apple devices in enterprises and educational institutions. However, it’s not without its security flaws.
- Serial Number Exploitation: DEP relies on device serial numbers for enrollment. Malicious actors can exploit this by either stealing or spoofing serial numbers to gain unauthorized access to a corporate network.
- Lack of Rate-Limiting: The DEP API does not rate-limit queries, making it susceptible to brute-force attacks aimed at guessing serial numbers.
- Optional User Authentication: Some organizations configure their Mobile Device Management (MDM) servers to not require additional authentication beyond the serial number, which is a security risk.
- Predictable Serial Numbers: Serial numbers are constructed using a well-known schema, making them predictable and easier for attackers to guess.
- Information Leakage: Once a serial number is known, it can be used to query the DEP API for additional information about the organization, aiding in further attacks.
These risks can be reduced with the following measures:
- User Authentication: Require users to authenticate during the MDM enrollment process rather than relying only on the device serial number.
- Network Restrictions: Limit MDM enrollment to devices on the corporate network.
- Multi-Factor Authentication: Use additional layers of security like multi-factor authentication.
- Secure Serial Number Data: Protect the list of device serial numbers to prevent unauthorized access.
- Regular Security Audits: Conduct regular security checks to ensure that the DEP and associated MDM solutions are configured securely.
It’s crucial to integrate DEP with a robust MDM solution, implement strong security policies, and continuously monitor for any suspicious activities.
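The measures listed above, combined into one pre-enrollment check, as an added example that is not part of the original article or of any MDM product's code. The `EnrollmentGate` class, the placeholder serials, the 10.20.0.0/16 range and the five-attempts-per-minute limit are assumptions; the per-source limit is applied at the MDM front end.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed sample policy values; substitute your own inventory and ranges.
ASSIGNED_SERIALS = {"SERIAL-PLACEHOLDER-0001", "SERIAL-PLACEHOLDER-0002"}
CORPORATE_NETS = [ipaddress.ip_network("10.20.0.0/16")]
MAX_ATTEMPTS, WINDOW_SECONDS = 5, 60


class EnrollmentGate:
    """Hypothetical check an MDM front end runs before enrolling a device."""

    def __init__(self):
        self._attempts = defaultdict(deque)  # source IP -> attempt timestamps

    def _rate_limited(self, src_ip, now):
        # Sliding window: drop timestamps older than the window, then count.
        q = self._attempts[src_ip]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()
        q.append(now)
        return len(q) > MAX_ATTEMPTS

    def evaluate(self, serial, src_ip, user_authenticated, mfa_passed, now):
        """Return (allowed, reasons); every failed control is reported."""
        reasons = []
        if self._rate_limited(src_ip, now):
            reasons.append("rate_limit_exceeded")
        if serial not in ASSIGNED_SERIALS:
            reasons.append("serial_not_assigned")
        addr = ipaddress.ip_address(src_ip)
        if not any(addr in net for net in CORPORATE_NETS):
            reasons.append("outside_corporate_network")
        if not user_authenticated:
            reasons.append("user_not_authenticated")
        elif not mfa_passed:
            reasons.append("mfa_missing")
        return (not reasons, reasons)


if __name__ == "__main__":
    gate = EnrollmentGate()
    # A known serial alone, from outside the network, is not enough.
    print(gate.evaluate("SERIAL-PLACEHOLDER-0001", "203.0.113.7", False, False, 0.0))
```

Logging the returned reasons for every denied request gives the monitoring step a record of which control stopped each attempt.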
How to Use Apple DEP?
Start by enrolling in Apple Deployment Programs (ADP). You must have the authority to sign on behalf of the business for which you are using Apple Device Enrollment Program (DEP).
A) Visit deploy.apple.com and create a program agent account. Provide an email address associated with your business for this account. The same email address will be used as your Apple ID for ADP. Verify your email address and enable two-step verification to secure your account. If you have already enrolled for VPP (Volume Purchase Program), you can use the same program agent ID to enroll in DEP. You can continue to sign in.
B) Enter the verification contact of the individual who can verify your authority to enroll your organization into DEP. This individual should have the legal authority to sign for your organization. Third-party service providers will have to be verified by the participating organization and will be added as admins.
C) Enter your business information including D-U-N-S number, zip code, and postal address.
D) If you purchase devices directly from Apple, add your Apple Customer Number. If your organization has multiple Apple Customer Numbers, add all of them to your DEP account information.
E) If you purchase Apple devices from an authorized reseller or carrier, enter the reseller’s DEP reseller ID. The reseller should also submit your device purchases to the DEP program for this step to be completed.
F) If you purchase from both Apple and its authorized resellers, add both Apple Customer Number and DEP reseller ID in your information.
G) Apple will review your information. It will also conduct verification over calls and email. Once your business is approved, you’ll receive an email confirming the approval. Please read and agree to the Administrator Terms Agreement to continue.
Once your ADP is approved, start preparing policies for your devices.
A) Visit business.apple.com and log in. Add multiple administrators who are authorized to access the account. Enter a business email address to add an admin; this address will also act as an Apple ID. Do not use the existing personal Apple IDs of the admins.
B) You can now link your MDM solution. Establish a virtual server for your desired mobile device management solution for Apple devices. Secure your server with two-step authentication.
C) Start assigning devices by order number or serial number. Apply your policies through MDM onto the devices.
Your devices will now be enrolled into your chosen MDM solution, and your defined policies will be automatically applied when the devices are activated. You can further track device inventory details such as assignment date, type of device, the name of the MDM server, and the total number of devices registered under your DEP account.
Apple Device Enrollment Program (DEP) can help businesses and organizations streamline their device enrollment and policy application process, reducing the efforts of the IT team. IT admins can enjoy micro-control over company-owned devices with the help of the Apple Device Enrollment Program (DEP) and an intuitive MDM solution.
Coupling Apple DEP with Scalefusion Apple Device Management helps streamline the enrollment process to remotely manage devices through one dashboard. The supplementary features of Scalefusion MDM can further result in a beneficial management solution for schools and businesses alike.