The first three parts of this series of posts about Apple’s new Deployment Program focused on back end stuff. They focused on all of the steps we need to complete in the background to make the program functional. Today’s post will focus on what happens on the device itself when we are enrolling the iPad or iPod. This post assumes that these are new (out of the box) or newly erased (wiped) devices. There currently is no way to enroll a device into the DEP without wiping and re-enrolling the device. Be sure to understand that a wipe of the device not only removes all of the apps but also all user data. Anything not backed up will be lost.
When the iOS device is turned on for the first time, the language selection screen appears. Select the default language to be used on the device.
Choose your country or region.
Choose a Wi-Fi Network. In order for the device to activate on Apple’s servers, a Wi-Fi connection must be established. You’ll notice that the “Skip this step” option that used to exist on older versions of iOS is no longer there. When the Wi-Fi connection has been established, the device “talks” to Apple to activate the device. It is during this step that Apple looks at the serial number of the device and determines if the device is part of an Apple Device Enrollment Program.
Since, in my enrollment profile, I did not skip Location Services, the user is prompted to enable or disable Location Services. In our district, we ask the students and teachers to enable Location Services since our MDM has a device locator built in that requires this setting be enabled.
In this example profile, I chose to SKIP the prompt for an Apple ID. If, instead, I chose Do Not Skip, the end user would now be prompted to enter their Apple ID. When we go through these steps with students, we do not skip this step. We want to make sure the kids can sign in successfully so we can manage their apps via our MDM.
The user then receives a message that the device will be configured by my organization. It pulls this information from the information you specified during the sign up for the Apple Deployment Program. Tap Next in the upper right.
This is the login screen. In my example yesterday, I left Authentication turned on. Students and teachers are prompted for their Active Directory credentials since we have our MDM tied to AD via LDAP. If you’re not sure what any of that means, ask one of your system admins. After username and password are entered, tap Next.
My device has now been configured using DEP. No Apple Configurator! Yay! Tap Get Started and it brings me to my home screen. At this point, I can now push down any restrictions profiles or apps from my MDM to the device. If I had profiles and apps set to auto install, the profiles and apps would be downloaded to the device automatically.
Previously, when using Apple Configurator, a separate, non-removable Supervision profile was added to the device under General, Profiles. I can make sure the device is Supervised by tapping on General, then About.
Lastly and, in my opinion, most importantly…
The biggest advantage to using this program is the ability to lock down the MDM Profile. The students’ ability to easily remove this profile caused headaches for us and caused HUGE headaches for those in Los Angeles. When the student removed the MDM profile, it unenrolled the device from the MDM. This, in turn, removed any restrictions profiles installed on the device. Therein lay the issue. Using DEP eliminates this challenge. BUT…that does not mean that using the Device Enrollment Program doesn’t have its downsides…
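The settings walked through above (Location Services shown, Apple ID prompt skipped, Supervised, MDM profile locked) can be checked before any device is wiped. The following is an added example, not code from this post or from any MDM product: it assumes your MDM can export the enrollment profile using the key names of Apple's DEP profile format (`is_supervised`, `is_mandatory`, `is_mdm_removable`, `skip_setup_items`), and the profile values and policy sets are constructed for illustration.

```python
# Added example: audit a DEP enrollment profile against a district policy.
# Key names follow Apple's DEP profile format; all values below are constructed.

def audit_dep_profile(profile, required_prompts):
    """Return (key, message) findings; an empty list means the profile passes."""
    # Defaults Apple applies when a key is absent from the profile.
    supervised = profile.get("is_supervised", False)
    mandatory = profile.get("is_mandatory", False)
    removable = profile.get("is_mdm_removable", True)
    skipped = set(profile.get("skip_setup_items", []))
    findings = []

    if not supervised:
        findings.append(("is_supervised", "device will not be Supervised"))
    if removable:
        findings.append(("is_mdm_removable",
                         "user can remove the MDM profile, which unenrolls the "
                         "device and drops its restrictions profiles"))
    elif not supervised:
        findings.append(("is_mdm_removable",
                         "profile lock only takes effect on supervised devices"))
    if not mandatory:
        findings.append(("is_mandatory",
                         "user can skip enrollment during setup"))
    # Setup panes the policy wants shown must not appear in the skip list.
    for pane in sorted(set(required_prompts) & skipped):
        findings.append(("skip_setup_items", f"required pane is skipped: {pane}"))
    return findings

# Constructed profile mirroring the post's example: Apple ID skipped,
# Location Services shown, supervised, MDM profile locked.
EXAMPLE_PROFILE = {
    "profile_name": "Example District iPads",   # placeholder name
    "is_supervised": True,
    "is_mandatory": True,
    "is_mdm_removable": False,
    "skip_setup_items": ["AppleID"],
}

if __name__ == "__main__":
    # Hypothetical policies: the example only needs Location Services shown;
    # the student rollout also needs the Apple ID prompt shown.
    for label, panes in (("example", {"Location"}),
                         ("student", {"Location", "AppleID"})):
        for key, msg in audit_dep_profile(EXAMPLE_PROFILE, panes):
            print(f"[{label}] {key}: {msg}")
```

Run as written, the only finding is that the example profile skips the Apple ID prompt, which the student rollout needs shown.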