Test Apple DEP with VMware, Parallels, and VirtualBox

Last updated April 3, 2018

The Apple Device Enrollment Program (DEP) is a crucial building block for the modern macOS deployment workflow. When configured correctly, Apple DEP enables a business to purchase new Apple computers that automatically configure themselves, install necessary software, and enroll in an MDM upon unboxing and first boot- without hands-on intervention by DevOps or IT.

Before a business goes live with Apple DEP, a validation phase typically takes place. This allows a business to become comfortable with the DEP process as well as confirm that their DEP account and MDM configurations are working as expected.

Testing a DEP workflow can be time consuming. The workflow can only be tested when a device starts up and is initialized for the first time. As a result, using virtualization software such as VMware Fusion, Parallels Desktop, or VirtualBox is often much more practical than reinstalling the OS on a Mac computer after each test. Most, if not all virtualization software supports snapshotting, allowing a user to “roll back” their device state to a designated point in time. This makes it easy to revert a macOS image to a point just before the initial DEP process begins.

Through working with our customers and our own internal development efforts, we’ve put together a guide that we’d like to share with you.

First: Your Mileage May Vary

It is worth stating that using DEP and MDM with virtual machine technology can be rather finicky and exhibit odd behaviors not seen when testing with physical devices. For this reason, we do not recommend using DEP or MDM with virtual machines in any capacity beyond workflow testing. As examples, if a FileVault configuration isn’t working or a device is not enrolling over the MDM user-channel, it may be due to using virtual machine technology.

Additionally, we cannot recommend using VirtualBox at this time. We’ve provided more information on this below.

Creating a Virtual Machine

To get started, you will need to create a virtual machine. Various methods exist for creating an initial macOS virtual machine, some specific to a particular VM technology. Here are a few useful resources that walk through the process:

A Common Gotcha: Invalid Auto-Generated Serial Numbers

MacOS expects the serial number of the device it is installed on to be alphanumeric. If you plan to link your VM to Apple DEP, you will be setting the serial number of the VM to be equal to the serial number of a real Apple device, so this will not be a problem.

If you are not specifying the serial number of the VM yourself, note that some VM technologies generate a serial number with special characters. For instance, a serial number similar to “fZjdIehS/ds+” can be generated by VMware. If the VM has a serial number that is not alphanumeric, macOS will appear to enroll with an MDM, but will ultimately not complete the process or be able to communicate with the MDM to receive configuration or further commands.

Linking to Apple DEP

Upon first boot, macOS presents the user with the Setup Assistant. Once an internet connection has been established, macOS contacts Apple to determine if the device is configured for DEP. When the device contacts Apple, it provides its device serial number as a form of identification. Apple, in turn, provides the device with a DEP configuration if available. This DEP configuration is fairly minimal; it specifies basic configurations like whether the device is to be placed in supervised mode and if it should enroll in an MDM.

Since the serial number acts as the device identifier for DEP, the virtual machine you create will need to be configured to use a serial number that exists in your DEP account. We suggest using a serial number for a computer that is no longer in use, or at the very least, has a low likelihood of being wiped at any point, since using the serial number in a test DEP workflow would invariably cause the device to also enter the workflow.

Below are configurations for each virtual machine technology. Replace [SERIAL] with the serial number of the device. “mac_hw_model”, at this time, does not need to be accurate for the provided serial number.

Be sure to use straight double quotes and not curly quotes.

Parallels Desktop

Shut down the VM. Within Parallels Desktop, visit the configuration screen for the VM image, select the “Hardware” tab, and navigate to the “Boot Order” option. Expand the “Advanced Settings” disclosure and enter the following in the text box:


VMware Fusion

Shut down the VM. Locate the VM file on your computer. These, by default, appear in “~/Documents/Virtual Machines/”. Right click the file and select “Show Package Contents”. Within the resulting window, locate a file with a “vmx” extension and open it with a text editor. Add the following lines:

serialNumber = "[SERIAL]"
hw.model = "MacBookAir7,2"


Note: VirtualBox’s network virtualization appears to work quite differently than Parallels and VMware and causes macOS to have issues contacting DEP during the Setup Assistant. As a result, we have found VirtualBox to be quite troublesome to work with when testing DEP and advise against it.

If you wish to try anyway, the following  VBoxManage command line interface command can be used to set the serial number of the VM. Note that “[VM NAME]” must match the name of the virtual machine that you are modifying:

VBoxManage setextradata [VM NAME] VBoxInternal/Devices/efi/0/Config/DmiSystemSerial [SERIAL]

Snapshotting Before Setup Assistant

A DEP configuration effectively acts as a bootstrap. It provides a device with enough configuration to complete the Setup Assistant and enroll it with an MDM. That is the extent of its responsibility. As a result, Setup Assistant contacts Apple DEP exactly once during the initialization process. If you change your DEP configuration at any latter, the device will not receive the updated configuration.

It’s important to snapshot the virtual machine image before Setup Assistant has a chance to contact DEP. Because most VMs have access to internet at boot and do not have to wait for WiFi credentials, the outreach to DEP can occur very early on in the Setup Assistant process, before progressing past the first screen.

We recommend taking a VM snapshot before the Setup Assistant becomes visible. This can take a bit of practice; it is easiest to take a few snapshots while the VM is still installing macOS so that you can revert to a previous point and have a second chance to take a “closer” snapshot if needed. Additionally, we have found that reverting to this snapshot is sometimes not enough. With Parallels in particular, we revert the snapshot and then immediately “reset” the VM. Without a reset, we sometimes see old cached DEP data or a company name of “(null)” during the Setup Assistant screens.

Wrapping It Up

Was this article helpful? Missing something? Help future readers by providing any helpful tips in the comments below.


Comments (6)

You might want to author your own instructions for VMware Fusion. The linked page has a number of errors. (Example: “sudo/usr/local/vfuse/bin” is not a valid command)

It looks like maybe the Advanced Settings for Parallels no longer works. Tried with a VM running 10.15.5 with a known good serial and model id and it didn’t get picked up. Could be me, but I’ve tested a few times with different known-good DEP serials.

Hi Chris- It is working for us, at least as of 10.15.4. A few things to check: it’s set in the file before the machine boots; you’re not restoring to an earlier snapshot (snapshots save the config file values); you’re using regular quotes and not curly quotes (these can cause parsing issues for the config file).

I can confirm that I was able to make it work with Parallels and macOS 10.15.5 using the advanced settings/ boot order as described above. Thanks for the great guide.

Whether using Parallels or Fusion, turn off Networking in the VM before you actually start installing Catalina, Big Sur or Monterey. Then when it gets to the list of countries, Command-Q to quit and shut down. Turn on networking, take the snapshot and then you can revert to that point every time you test.

Leave a Reply

Your email address will not be published. Required fields are marked *

See Why Apple Admins Prefer SimpleMDM

Start My FREE 30-Day Trial Now
  • How To: SAML Authenticated Device Enrollments

    By on September 27, 2021
    Read more
  • Using MDM for SOC 2 and ISO 27001 Compliance

    By on April 12, 2021
    Read more
  • Moving MDMs: How to Migrate macOS Devices Between MDMs

    By on December 12, 2019
    Read more

See Why Apple Admins Prefer SimpleMDM No strings. No Spam.

Start My 30-Day Free Trial Now