Enterprise Mobility and Security Blog

Recently, the Intune team announced support for the Apple Device Enrollment Program (DEP). DEP enables companies, educational institutions, and government organizations to enroll iOS devices into Mobile Device Management (MDM) directly from the factory or via factory reset. Additionally, this program provides capabilities for supervising devices as well as locking the device into MDM. 

When a customer purchases iOS devices directly from the Apple Business channel or through an authorized reseller, the purchase information is copied over to Apple’s Device Enrollment Program. DEP catalogs the ownership of devices much like the Department of Motor Vehicles tracks titles to vehicles.  When this channel is harnessed, it ensures that a device will respect the authority and management intent prescribed by the corporate device owner.

Establishing a DEP connection to Microsoft Intune

Organizations that rely on Microsoft Intune for mobile device management may perform DEP operations by “onboarding” their Intune account with the DEP program.  This involves three steps:

  1. Obtain a Certificate Signing Request (CSR) from Microsoft Intune.  The CSR indicates that Microsoft is an authorized MDM vendor for iOS devices in the eyes of Apple, and that the customer intends to use Intune to convey enrollment intent into the Device Enrollment Program.

  2. Acquire a DEP token from Apple using the CSR. All communications between Microsoft Intune and Apple’s Device Enrollment Program must be authenticated with a token representing the customer’s account. The token is generated by uploading the CSR from step #1 into the DEP portal.

  3. Upload the DEP token into Microsoft Intune.  Finally, once the token is acquired it can be uploaded to Intune.  This token will need to be renewed annually.

Creating and deploying enrollment profiles

An enrollment profile contains instructions used by the iOS device’s Setup Assistant, which is the process the device goes through when it is first powered on or factory reset. In Intune, you create enrollment profiles and assign them to devices. Shortly after acquiring an internet connection, the device “calls home” to Apple and uploads its serial number during this exchange. For DEP-enabled devices, Apple’s iOS service can respond with an enrollment profile if the serial number was assigned to one. The enrollment profile contains enrollment instructions, including whether the device is supervised, whether the MDM profile is locked, and other semantics of Setup Assistant behavior.

A sample enrollment profile created using Microsoft Intune

How this all works together

In summary, Microsoft Intune provides a smooth, convenient enrollment experience for DEP-capable devices. The steps are:

  1. Set up a DEP connection

  2. Create enrollment profiles

  3. Assign devices to the enrollment profiles

  4. Deliver devices to end-users

Any time a DEP device needs a factory reset, you can have confidence that Apple DEP and Microsoft Intune will maintain the proper MDM state throughout the process. 

Additional resources

For more information on using Intune to deploy corporate-owned iOS devices, see the technical article on enrolling corporate-owned iOS devices in Microsoft Intune in the Microsoft Intune Documentation Library. Additionally, you can learn more about the Apple Device Enrollment Program for business here and for education here. If you haven’t already, make sure to also sign up to try Microsoft Intune for free for 30 days.

Thanks for reading, and we hope you enjoy managing iOS devices using Microsoft Intune!

– Ty Balascio, Senior Program Manager