Note: The Apple Device Enrollment Program (DEP) is now commonly referred to as “Apple Automated Device Enrollment Program (ADE)” and exists as part of Apple Business Manager. While some of the information in this article is still relevant regarding DEP, we suggest that you also read the articles linked above.
The Apple Device Enrollment Program (DEP) is a crucial building block for the modern macOS deployment workflow. When configured correctly, Apple DEP enables a business to purchase new Apple computers that automatically configure themselves, install necessary software, and enroll in an MDM upon unboxing and first boot, without hands-on intervention by DevOps or IT.
Before a business goes live with Apple DEP, a validation phase typically takes place. This allows a business to become comfortable with the DEP process as well as confirm that their DEP account and MDM configurations are working as expected.
Testing a DEP workflow can be time-consuming. The workflow can only be tested when a device starts up and is initialized for the first time. As a result, using virtualization software such as VMware Fusion, Parallels Desktop, or VirtualBox is often much more practical than reinstalling the OS on a Mac computer after each test. Most, if not all, virtualization software supports snapshotting, allowing a user to “roll back” their device state to a designated point in time. This makes it easy to revert a macOS image to a point just before the initial DEP process begins.
Through working with our customers and our own internal development efforts, we’ve put together a guide that we’d like to share with you.
First: Your mileage may vary
It is worth stating that using DEP and MDM with virtual machine technology can be rather finicky and exhibit odd behaviors not seen when testing with physical devices. For this reason, we do not recommend using DEP or MDM with virtual machines in any capacity beyond workflow testing. For example, if a FileVault configuration isn’t working or a device is not enrolling over the MDM user-channel, it may be due to using virtual machine technology.
Additionally, we cannot recommend using VirtualBox at this time. We’ve provided more information on this below.
Creating a virtual machine
To get started, you will need to create a virtual machine. Various methods exist for creating an initial macOS virtual machine, some specific to a particular VM technology. Here are a few useful resources that walk through the process:
Parallels Desktop: Creating a DEP VM using Parallels Desktop (jerbecause.wordpress.com)
VMware Fusion: How to create a VM that’ll work with DEP on VMware Fusion (rderewianko.com)
VirtualBox: How to create a macOS High Sierra VM to run on a Mac host system (tobiwashere.de)
A common gotcha: Invalid auto-generated serial numbers
macOS expects the serial number of the device it is installed on to be alphanumeric. If you plan to link your VM to Apple DEP, you will be setting the serial number of the VM to be equal to the serial number of a real Apple device, so this will not be a problem.
If you are not specifying the serial number of the VM yourself, note that some VM technologies generate a serial number with special characters. For instance, a serial number similar to “fZjdIehS/ds+” can be generated by VMware. If the VM has a serial number that is not alphanumeric, macOS will appear to enroll with an MDM, but will ultimately not complete the process or be able to communicate with the MDM to receive configuration or further commands.
Linking to Apple DEP
Upon first boot, macOS presents the user with the Setup Assistant. Once an internet connection has been established, macOS contacts Apple to determine if the device is configured for DEP. When the device contacts Apple, it provides its device serial number as a form of identification. Apple, in turn, provides the device with a DEP configuration if available. This DEP configuration is fairly minimal; it specifies basic configurations like whether the device is to be placed in supervised mode and if it should enroll in an MDM.
Since the serial number acts as the device identifier for DEP, the virtual machine you create will need to be configured to use a serial number that exists in your DEP account. We suggest using a serial number for a computer that is no longer in use, or at the very least, has a low likelihood of being wiped at any point, since using the serial number in a test DEP workflow would invariably cause the device to also enter the workflow.
Below are configurations for each virtual machine technology. Replace [SERIAL] with the serial number of the device. “mac_hw_model”, at this time, does not need to be accurate for the provided serial number.
Be sure to use straight double quotes and not curly quotes.
Parallels Desktop
Shut down the VM. Within Parallels Desktop, visit the configuration screen for the VM image, select the “Hardware” tab, and navigate to the “Boot Order” option. Expand the “Advanced Settings” disclosure and enter the following in the text box:
devices.mac_serial="[SERIAL]"
devices.smbios.serial="[SERIAL]"
devices.mac_hw_model="MacBookAir7,2"
VMware Fusion
Shut down the VM. Locate the VM file on your computer. These, by default, appear in “~/Documents/Virtual Machines/”. Right click the file and select “Show Package Contents”. Within the resulting window, locate a file with a “vmx” extension and open it with a text editor. Add the following lines:
serialNumber = "[SERIAL]"
hw.model = "MacBookAir7,2"
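The alphanumeric requirement from the serial-number gotcha and the VMware Fusion edit above can be combined into one pre-flight script. This is an added example, not code from the original article: the helper names and the serial C02EXAMPLE123 are constructed placeholders, and it assumes the .vmx file uses the key = "value" line format shown above. Shut the VM down before running it against a real file.

```shell
#!/bin/sh
# Added example, not from the original article. Helper names are hypothetical;
# C02EXAMPLE123 is a constructed placeholder serial, not a real device.

# Succeed only if the serial is non-empty and strictly alphanumeric.
is_valid_serial() {
    case "$1" in
        ''|*[!A-Za-z0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the value of KEY from a .vmx file (lines look like: key = "value").
vmx_get() {  # usage: vmx_get FILE KEY
    awk -v k="$2" '{ i = index($0, "="); key = substr($0, 1, i - 1)
        gsub(/[ \t]/, "", key); v = substr($0, i + 1)
        gsub(/^[ \t]*"|"[ \t\r]*$/, "", v)
        if (i && key == k) print v }' "$1" | tail -n 1
}

# Drop every existing KEY line, then append one straight-quoted entry.
vmx_set() {  # usage: vmx_set FILE KEY VALUE
    tmp="$1.tmp.$$"
    awk -v k="$2" '{ i = index($0, "="); key = substr($0, 1, i - 1)
        gsub(/[ \t]/, "", key) } !(i && key == k)' "$1" > "$tmp" || return 1
    printf '%s = "%s"\n' "$2" "$3" >> "$tmp"
    mv "$tmp" "$1"
}

# Report serialNumber state: ok, invalid, or missing (missing means the
# VM software generates a serial itself, which may not be alphanumeric).
check_vmx_serial() {  # usage: check_vmx_serial FILE
    s=$(vmx_get "$1" serialNumber)
    if [ -z "$s" ]; then echo missing
    elif is_valid_serial "$s"; then echo ok
    else echo invalid
    fi
}

# Validate SERIAL, then write the two lines the article lists for Fusion.
set_dep_serial() {  # usage: set_dep_serial FILE SERIAL
    is_valid_serial "$2" || { echo "rejected serial: $2" >&2; return 1; }
    vmx_set "$1" serialNumber "$2" && vmx_set "$1" hw.model "MacBookAir7,2"
}

# Demo on a constructed .vmx fragment (prints "invalid", then "ok").
demo=$(mktemp)
printf 'displayName = "dep-test"\nserialNumber = "fZjdIehS/ds+"\n' > "$demo"
check_vmx_serial "$demo"; set_dep_serial "$demo" "C02EXAMPLE123"
check_vmx_serial "$demo"; rm -f "$demo"
```

A result of "missing" is worth treating as a warning when the VM is not linked to DEP, since the auto-generated serial is the one that can contain special characters.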
VirtualBox
Note: VirtualBox’s network virtualization appears to work quite differently than Parallels and VMware and causes macOS to have issues contacting DEP during the Setup Assistant. As a result, we have found VirtualBox to be quite troublesome to work with when testing DEP and advise against it.
If you wish to try anyway, the following VBoxManage command line interface command can be used to set the serial number of the VM. Note that “[VM NAME]” must match the name of the virtual machine that you are modifying; the quotes keep a name that contains spaces as a single argument:
VBoxManage setextradata "[VM NAME]" "VBoxInternal/Devices/efi/0/Config/DmiSystemSerial" "[SERIAL]"
Snapshotting before setup assistant
A DEP configuration effectively acts as a bootstrap. It provides a device with enough configuration to complete the Setup Assistant and enroll it with an MDM. That is the extent of its responsibility. As a result, Setup Assistant contacts Apple DEP exactly once during the initialization process. If you change your DEP configuration at any later point, the device will not receive the updated configuration.
It’s important to snapshot the virtual machine image before Setup Assistant has a chance to contact DEP. Because most VMs have access to the internet at boot and do not have to wait for Wi-Fi credentials, the outreach to DEP can occur very early on in the Setup Assistant process, before progressing past the first screen.
We recommend taking a VM snapshot before the Setup Assistant becomes visible. This can take a bit of practice; it is easiest to take a few snapshots while the VM is still installing macOS so that you can revert to a previous point and have a second chance to take a “closer” snapshot if needed. Additionally, we have found that reverting to this snapshot is sometimes not enough. With Parallels in particular, we revert the snapshot and then immediately “reset” the VM. Without a reset, we sometimes see old cached DEP data or a company name of “(null)” during the Setup Assistant screens.
Wrapping up
Was this article helpful? Missing something? Help future readers by providing any helpful tips by reaching out to us on Twitter.