Apple device deployment programs (DEP)

Tools > Modern Device Management > MDM Configurations > Apple > Deployment Programs

Ivanti Enterprise Mobility Management works with Apple's Device Enrollment Program (DEP), allowing enrolled organizations to perform setup-free deployment of macOS devices. By using Apple DEP, you can associate devices purchased through Apple and Apple resellers with Ivanti Enterprise Mobility Management and automatically apply policies during the initial device setup.

CAUTION: You cannot apply DEP policies to devices purchased prior to completing this process. Only devices purchased after setup with the enrolled administrator Apple ID will function as intended.

DEP integration requirements

Ensure your CSA and mobility settings are fully configured. DEP requires the CSA, APNS, and iOS profile certificates to function. For information about configuring these, see Getting started with Apple device management.

Enroll in the Apple Device Enrollment Program. You must enroll an Apple ID with Apple Business Manager to utilize Apple's DEP. To enroll, visit the Apple Device Enrollment Program site.

To enable DEP integration with Modern Device Management

1. Add Mobility Manager as an MDM server. This process associates Modern Device Management as an MDM with the Apple DEP.

   1. Navigate to Tools > Modern Device Management > MDM Configurations > Apple > Deployment Programs.

   2. Click Add.

   3. Enter a DEP Token Alias. (For example, MDMServer.)

   4. Click the Create Public Key button and name your public key file.

   5. Click the button to go to the Apple Business Manager or the Apple School Manager site.

   6. Log in to your account.

   7. Click Settings > Device Management Settings > Add MDM Server.

   8. Enter a name for the server.

   9. (Recommended) Disable Allow this MDM Server to release devices.

   10. Click Choose File to upload the public key file you downloaded from Modern Device Management.

   11. Click Save.

   12. Click the Download Token icon.

   13. In the Add Apple DEP Token window in the Management Console, click Browse to upload the server token you downloaded from Apple.

Enrollment is enabled and you can now configure DEP settings and assign devices to the Modern Device Management server from the Apple Deployment Programs console.

2. Configure DEP settings. You can determine which steps of the first-time setup users will see on the device, as well as what level of management you will enforce.

   1. Navigate to Tools > Modern Device Management > MDM Configurations > Apple > Deployment Programs.

   2. Select an alias and click Edit.

   3. For each OS, select any configuration options and setup items to skip during the initial device setup. Users will not encounter any screens selected in this window.

   4. If you are managing macOS devices, you can create an administrator account on the device and select what type of account the user will create.

   5. In the General section, you can enter the information for your support organization and select whether the user will be required to provide credentials as part of enrollment.

   6. Click OK to save the changes.

Any devices purchased with this Apple DEP token are automatically configured and enrolled using these settings.

3. Add devices to the program. Devices must be purchased directly from Apple using a DEP-enrolled administrator Apple ID. Once purchased, add them to the Apple Deployment web console to enable policy change distribution through Modern Device Management.

   1. From the Apple Business Manager or the Apple School Manager site, click Device Assignments.

   2. Select whether you will add devices using serial numbers or order numbers.

   3. Enter the serial numbers or order numbers for the devices, separating each entry with a comma.

   4. Under Choose Action, select Assign to Server from the drop-down menu.

   5. Select your MDM server.

   6. Click Done.

All devices associated with the serial numbers or order numbers entered will perform the DEP setup as configured in Modern Device Management.

4. Pre-configure devices. Use Modern Device Management to assign profiles and software to devices, which they will receive the first time they are started.

   1. In the network view of the management console, click Configuration.

   2. Right-click Automatic Enrollment Devices > Add Devices.

   3. Select your server token. Any unconfigured devices associated with the token appear in the table.

   4. (Optional) Select a naming template to apply to the devices or create a new one.

   5. (Optional) Select a group to add the devices to.

   6. Click OK.

The devices appear in the network view. You can schedule policy deployments to these devices.

5. Perform initial device setup. During initial setup, the user connects to a Wi-Fi network and enters corporate credentials to enable management by Modern Device Management. The device will skip any setup screens selected in Modern Device Management.

   1. After powering on the device, begin the setup.

   2. Select a nationality and language.

   3. Connect to a Wi-Fi network. An alert appears to indicate that the device will be managed by Ivanti.

   4. Log in using corporate credentials, such as those used for Active Directory.

   5. Continue through the remaining setup. This will depend on which screens you selected to skip.

The device is enrolled with Modern Device Management and receives any policies associated with the user account or device.
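
To confirm on a macOS device that enrollment happened through DEP rather than manually, you can check the output of the macOS profiles command (profiles status -type enrollment). The script below is an added example, not part of the Ivanti product or this documentation; the function name, state labels and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the output of `profiles status -type enrollment`.
# The output is read from stdin so the logic can be exercised offline with
# the constructed samples below. classify_enrollment is a hypothetical name.

classify_enrollment() {
    dep="unknown"
    mdm="unknown"
    # Keep only the first word of each field ("Yes (User Approved)" -> "Yes").
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "Enrolled via DEP:"*) val=${line#*: }; dep=${val%% *} ;;
            "MDM enrollment:"*)   val=${line#*: }; mdm=${val%% *} ;;
        esac
    done
    case "$dep/$mdm" in
        Yes/Yes) echo "dep-enrolled" ;;     # automated enrollment as configured above
        No/Yes)  echo "mdm-without-dep" ;;  # enrolled manually; DEP settings not applied
        No/No)   echo "not-enrolled" ;;
        *)       echo "unknown" ;;          # missing or unexpected fields
    esac
}

# Constructed sample outputs (not captured from a real device).
SAMPLE_DEP='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'
SAMPLE_MANUAL='Enrolled via DEP: No
MDM enrollment: Yes'
SAMPLE_NONE='Enrolled via DEP: No
MDM enrollment: No'

# On a managed Mac (the command may require elevated privileges):
#   profiles status -type enrollment | classify_enrollment
```

A result other than dep-enrolled on a device that was assigned to the MDM server means the setup screens and management level configured for the DEP token were not applied to it.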