Apple Device Enrollment Program (Apple DEP) enables enterprises to deploy and configure multiple Apple devices, including iPad, iPhones, and Mac computers.
Apple Device Enrollment Program provides easy configuration and enrollment into an iOS MDM platform of devices purchased from Apple or participating Authorized Resellers and carriers.
DEP simplifies the initial setup of Apple devices with automatic supervision and MDM enrollment. Apple Device Enrollment Program (DEP) aids businesses and educational institutions in quickly deploying newly purchased devices.
What is Apple DEP (Apple Device Enrollment Program)?
The Apple Device Enrollment Program (Apple DEP) is a tool designed to make setting up and managing Apple devices easier for businesses and schools. It’s part of Apple Business Manager or Apple School Manager and helps organizations automatically enroll iPhones, iPads, Macs, and Apple TVs into their Mobile Device Management (MDM) system. Apple DEP is ideal for businesses, schools, and organizations that need to manage a large number of Apple devices, making deployment faster, easier, and more secure.
With DEP, IT admins can configure the devices without actually touching them. The devices are supervised during activation, and the users can start using the devices straight out of the box.
The admins can also configure the device setup screens, reduce complicated steps, and the users can promptly start using the devices. DEP eliminates the need for self-enrollment and the potential risk of users not enrolling the device into an MDM at all. These devices can be pre-configured and enrolled into a trusted MDM platform. Using DEP, IT admins can supervise and enroll multiple devices, mitigating IT efforts.
To manage any Apple device effectively, it should be supervised. Apple Device Enrollment Program imparts supervision at the time of device setup.
Although devices not purchased through DEP can be manually enrolled into DEP, there is a provisional period of 30 days since device activation. During this period, device users can remove the devices from enrollment as well as supervision.
Hence, having DEP preconfigured in Apple devices is suggested for locking the device using Apple MDM enrollment. Apple Device Enrollment Program (DEP) is highly recommended for the effective remote management of enterprise-owned Apple devices.
Which Devices Are Eligible for Apple DEP?
As mentioned above, devices having iOS versions 7 or later and purchased directly from Apple or participating Authorized Resellers and carriers are eligible for DEP. The devices must be added to your Apple Device Enrollment Program (DEP) account at the time of the purchase.
Alternatively, you can manually enroll Apple devices with iOS 11 and above using Apple Configurator 2.5 and later. Devices purchased before the 1st of March 2011 cannot be added to DEP.
| Learn More: What is Apple MDM? |
How Does Apple DEP Work?
The Apple Device Enrollment Program (Apple DEP) starts when your organization purchases iOS devices directly from Apple or through an authorized reseller. To begin, you need to log into your Apple DEP Portal or create an account by following the steps in the Device Enrollment Program Guide.
Once logged in, you’ll need to register your Mobile Device Management (MDM) system with the Apple DEP Portal. After this, secure communication is established between your MDM server and the DEP Portal, allowing them to sync information about the devices you’ve purchased through the program.
When the devices appear in the DEP Portal, you can assign them to specific users. The next time the devices are activated, all the restrictions, settings, and configurations from your MDM will be applied automatically Over The Air (OTA).
By setting up Apple DEP, you ensure that every device purchased through the program is automatically managed by your MDM as soon as it is turned on for the first time. This makes the deployment process easier and more efficient for IT teams.
What Are the Benefits of the Apple Device Enrollment Program (DEP)?
Apple Device Enrollment Program (DEP) is packed with benefits that can create a reliable device management experience without complicating the enrollment process.
The benefits of the Apple Device Enrollment Program (DEP) are listed below:
- Devices are mandatorily enrolled into an MDM – When devices are added to DEP, they must be compulsorily enrolled into an MDM platform. This ensures that the company-specific policies are pre-applied on the device before it reaches the user.
- Devices are wirelessly supervised – The devices added to DEP are wirelessly supervised during the setup process. Supervision provides granular control to the IT teams on managed devices.
- Devices are configured over the air – Using Apple Device Enrollment Program (DEP), IT teams can execute large-scale deployments of iOS and macOS devices over the air, immediately after on-device activation. This nullifies the need to physically access the device or use staging services to apply policies on the device.
- Setup Assistance is streamlined – The device setup of iPads, iPhones, Mac computers, and Apple TVs into MDM is simplified by the built-in setup assistant. It can be further streamlined by specifying the screens that can be skipped during the setup process.
Where is Apple Device Enrollment Program (DEP) Available?
Apple Device Enrollment Program (DEP) is available in the following countries/regions:
Hong Kong, India, Japan, Singapore, United Arab Emirates, Turkey, Taiwan, Austria, Belgium, Czech Republic, Denmark, Finland, France, Germany, Greece, Netherlands, Hungary, Ireland, Italy, Luxembourg, Norway, Poland, Portugal, Spain, Sweden, Switzerland, United Kingdom, Australia, New Zealand, Mexico, Brazil, South Africa, Canada, and the United States.
Security Vulnerabilities of Apple’s Device Enrollment Program (Apple DEP)
Apple’s Device Enrollment Program (DEP) is designed to streamline the configuration and deployment of Apple devices in enterprises and educational institutions. However, it’s not without its security flaws.
Vulnerabilities
- Serial Number Exploitation: Apple DEP relies on device serial numbers for enrollment. Malicious actors can exploit this by either stealing or spoofing serial numbers to gain unauthorized access to a corporate network.
- Lack of Rate-Limiting: The DEP API does not rate-limit queries, making it susceptible to brute-force attacks aimed at guessing serial numbers.
- Optional User Authentication: Some organizations configure their Mobile Device Management (MDM) servers to not require additional authentication beyond the serial number, which is a security risk.
- Predictable Serial Numbers: Serial numbers are constructed using a well-known schema, making them predictable and easier for attackers to guess.
- Information Leakage: Once a serial number is known, it can be used to query the DEP API for additional information about the organization, aiding in further attacks.
Mitigation Strategies
- User Authentication: Require users to authenticate during the MDM enrollment process, not just rely on the device serial number.
- Network Restrictions: Limit MDM enrollment to devices on the corporate network.
- Multi-Factor Authentication: Use additional layers of security like multi-factor authentication.
- Secure Serial Number Data: Protect the list of device serial numbers to prevent unauthorized access.
- Regular Security Audits: Conduct regular security checks to ensure that the DEP and associated MDM solutions are configured securely.
It’s crucial to integrate DEP with a robust MDM solution, implement strong security policies, and continuously monitor for any suspicious activities.
Also read: Apple Business Essentials for MDM
How to Use Apple DEP With MDM?
Step #1:
Start by enrolling in Apple Deployment Programs (ADP). You should possess the authority to sign for the business that you are using Apple Device Enrollment Program (DEP) for.
A) Visit deploy.apple.com and create a program agent account. Provide an email address associated with your business for the same. This same email-id will be used as your Apple ID for ADP. Verify your email address and enable two-step verification to secure your account.
If you have already enrolled for VPP (Volume Purchase Program), you can use the same program agent ID to enroll in DEP. You can continue to sign in.
B) Enter the verification contact of the individual who can verify your authority to enroll your organization into DEP.
This individual should be the legal authority to sign for your organization. Third-party service providers will have to be verified by the participating organization and will be added as admins.
C) Enter your business information including D-U-N-S number, zip code, and postal address.
D) If you purchase devices directly from Apple, add your Apple Customer Number. If your organization has multiple Apple Customer Numbers, add all of them to your DEP account information.
E) If you purchase Apple devices from an authorized reseller or carrier, enter the reseller’s DEP reseller ID. The reseller should also submit your device purchases to the DEP program for this step to be completed.
F) If you purchase from both Apple and its authorized resellers, add both Apple Customer Number and DEP reseller ID in your information.
G) Apple will review your information. It will also conduct verification over calls and email. Once your business is approved, you’ll receive an email for the same. Please read and agree to the Administrator Terms Agreement to continue.
Step #2:
Once your ADP is approved, start preparing policies for your devices.
A) Visit business.apple.com and log in. Add multiple administrators who are authorized to access the account. Enter business email-id to add an admin, this ID will also act as an Apple ID. Do not use the existing personal Apple IDs of the admins.
B) You can now link your MDM solution. Establish a virtual server for your desired MDM solution for Apple devices. Secure your server through two-step authentication.
C) Start assigning devices by order number or serial number. Apply your policies through MDM onto the devices.
Your devices will be now enrolled into your chosen MDM solution and your defined policies will be automatically applied when the devices are activated. You can further track the device inventory details like assignment date, type of device, the name of the MDM server, and the total number of devices registered under your DEP account.
Apple Device Enrollment Program (DEP) can help businesses and organizations to streamline their device enrollment and policy application process reducing the efforts of the IT team. IT admins can enjoy micro-control over company-owned devices with the help of the Apple Device Enrollment Program (DEP) and an intuitive MDM solution.
Coupling Apple DEP with Scalefusion Apple Device Management helps streamline the enrollment process to remotely manage devices through one dashboard. The supplementary features of Scalefusion MDM can further result in a beneficial management solution for schools and businesses alike.
FAQ’s
1. What is the difference between Apple DEP and Apple ADE?
Apple DEP (Device Enrollment Program) has been rebranded as Apple ADE (Automated Device Enrollment) under Apple Business Manager. Both offer the same functionality, allowing organizations to automate device setup and configuration during deployment, but ADE is the updated term.
2. Is Apple DEP the same as Apple Business Manager?
Apple DEP is now part of Apple Business Manager, which is a broader platform that includes both device enrollment (ADE) and app/content management (VPP). DEP was rebranded, and Apple Business Manager now provides a unified system for managing devices, apps, and user accounts.
3. Is the Apple Device Enrollment Program free?
Yes, Apple’s Device Enrollment Program is free to use. However, organizations must purchase devices through Apple or authorized resellers to be eligible for enrollment in the program. It requires Apple Business Manager or Apple School Manager for setup.
4. Can I use Apple DEP with my existing MDM solution?
Yes, Apple’s Device Enrollment Program can be integrated with most MDM solutions. As long as the MDM provider supports Apple ADE, you can configure devices to enroll automatically into your existing MDM.
5. How do I configure devices through Apple DEP?
To configure devices, log into Apple Business Manager, assign devices to your MDM server, and set up automatic enrollment. When users activate the devices, they are automatically configured with your specified settings, apps, and restrictions.
