New options as of iOS 11
With the release of iOS 11, Apple provided businesses a means to add any existing iOS device to their Device Enrollment Program (DEP) account. Previously, only new device purchases and certain devices purchased through eligible channels were able to be added after the fact. The latter still required assistance from Apple and third party vendors to do so. This new functionality allows adding a device to a DEP account using nothing more than Apple Configurator 2.5 or later and a wired connection to the iOS device.
Why add devices to DEP?
When a device is enrolled with SimpleMDM using Apple DEP, iOS grants you, the administrator, privileges that are unavailable for devices enrolled manually. For instance, the SimpleMDM profile can be marked as unremovable, preventing a user from unenrolling their device manually. Additional customizations of the Setup Wizard screens can be made, hiding steps deemed unneeded by your organization. If the device is wiped in the future, it will automatically enroll with SimpleMDM. The process of enrollment using Apple Configurator is only needed when first adding the device to DEP.
Requirements
To add a device to DEP using Apple Configurator, the device must be running iOS 11 or greater and you must have Apple Configurator software 2.5 or greater. This procedure does not work for macOS computers at this time. Apple Configurator can be downloaded from the Apple App Store.
Walkthrough
If you are familiar with the process of supervising a device using Apple Configurator, you will find this process is very similar.
For this walkthrough, we used a beta version of Apple Configurator 2.5. Your version will likely not include the beta banner.
To start, connect the iOS device to a macOS computer using a USB to lightning cable. Open Apple Configurator 2.5 or newer. If the iOS device is not already running iOS 11 or newer, be sure to first upgrade it or else you will encounter errors during the DEP enrollment steps.
Once the device appears in Apple Configurator, click the “Prepare” button. On the resulting screen, check “Add to Device Enrollment Program” and “Activate and complete enrollment”. The other two options can be checked or unchecked to meet your preference.
The next screen asks you to set up MDM server settings. You can provide enrollment settings for your SimpleMDM account here. These settings will be used for this initial enrollment. If the device is reinitialized at a later time, your DEP account configuration will be used instead. We defined a new MDM server in Configurator and used a group enrollment URL from our SimpleMDM account.
A long standing bug exists in Configurator causes an “Unable to verify the server’s enrollment URL” message to appear. You can safely ignore this message and click “Next”.
You will eventually reach an “Assign to Organization” or “Sign in to the Device Enrollment Program” screen. Your device will be added to the DEP account selected here. Provide the Apple ID and password you use to sign into the DEP Account. You will need to complete a two-factor sign in.
You will be asked whether you would like to generate or choose a supervisor identity. We chose to generate a new identity. If you do not know what this is, you probably want to generate a new identity as well.
Apple Configurator will allow you to customize the Setup Assistant during device initialization. These settings are only for the individual device being prepared and do not affect your DEP configuration.
Configurator will prompt you for a Network Profile. This profile will be used by the device to gain access to the internet and communicate with DEP. If you have not already created a network profile, you can do so by clicking the File menu and selecting “New Profile”. Select the Wi-Fi section, input the necessary information for your network, and then select File and then “Save As” to create the profile.
As a final step, Configurator will ask if any automated enrollment credentials are needed to enroll your device in SimpleMDM. You can leave these fields blank.
At this point, Apple Configurator typically prompts with the following message: “Configurator could not perform the requested action because the device has already been prepared. Click Erase to erase and prepare the device again. All content and settings will be deleted. This cannot be undone.”. While the message is ominous, it is just a warning that this process will erase any existing data on the device. Click “Erase” to proceed.
Configurator will begin the process of initializing your device and enrolling it in DEP. The steps we observed are as follows:
Downloading activation record instance
Activating iOS on the device
Downloading activation record for device
Activating iOS on the device
Downloading and applying cloud configuration
Awaiting final MDM configuration
Once complete, the device will be enrolled in SimpleMDM and added to your DEP account. We found that the serial number appeared in the DEP portal almost immediately.
Common problem: MobileDeviceKit error
You may receive the following error: “An unexpected error has occurred: The device returned an unexpected status. (CommandFormatError) [com.apple.configurator.MobileDeviceKit.error]”. We observed this error when trying to update to iOS 11 while enrolling with DEP in the same step. We found that we had to complete two separate steps. First, update the device to iOS 11 and then add the device to DEP.
