Bulk enrollment of Apple devices

You can enroll large numbers of iOS, macOS, and Apple TV devices in Endpoint Management in two ways.

  • You can use the Apple Device Enrollment Program (DEP) to enroll the iOS, macOS, and Apple TV devices that you buy directly from Apple, a participating Apple Authorized Reseller, or a carrier. That support includes Shared iPads. Endpoint Management supports the Device Enrollment Program for Business and Apple School Manager for Education. This article describes integrating with Business DEP accounts. For information about Apple School Manager DEP accounts, see Integrate with Apple Education features.

    For DEP enrollment of macOS devices, Endpoint Management requires that the devices run macOS 10.10 or later.

  • Or you can use the Apple Configurator to enroll iOS devices whether or not you purchased them directly from Apple.

With Business DEP:

  • You do not have to touch or prepare the devices. Instead, you submit device serial numbers or purchase order numbers through DEP to configure and enroll the devices.
  • After Endpoint Management enrolls the devices, you can give them to users who can start using them right out of the box. In addition, when you set up devices with DEP, you can eliminate some of the Setup Assistant steps that users would otherwise have to complete when they first start their devices.
  • For more information on setting up DEP, see the Apple Device Enrollment Program page.

With the Apple Configurator:

  • You attach iOS devices to an Apple computer running macOS 10.7.2 or later and the Apple Configurator 2 app. You prepare the iOS devices and configure policies through Apple Configurator 2.
  • After you provision the devices with the required policies, the first time the devices connect to Endpoint Management, the devices receive policies from Endpoint Management. You can then start managing the devices.
  • For more information about using Apple Configurator, see the Apple Configurator help.

Prerequisites

You must open required ports for connectivity between Endpoint Management and Apple. For more information, see Port requirements.

Integrate your Business Apple DEP account with Endpoint Management

If you do not have an Apple Business DEP account, see Deploy devices through Apple DEP.

To connect your Apple Business DEP account with your Endpoint Management server deployment, you enter information in the Endpoint Management console and the Apple DEP Portal, as described in the following steps.

Step 1: Download a public key from your Endpoint Management server

  1. Log on to the Endpoint Management console and go to Settings > Apple Device Enrollment Program (DEP).

    Image of Apple DEP settings screen

  2. Under Download Public Key, click Download.

Step 2: Create and download a server token file from your Apple account

  1. Using your corporate Apple ID, log on to the Apple Deployment Program Portal.

  2. In the Apple DEP Portal, click Device Enrollment Program.

    Image of Apple DEP Portal

  3. Click Manage Servers and then on the right side, click Add MDM Server.

    Image of Apple DEP Portal

  4. In Add MDM Server, enter a name for your Endpoint Management server and then click Next.

    Image of Apple DEP Portal

  5. On the Apple DEP Portal, click Choose file, choose the public key you downloaded from Endpoint Management, and click Next.

    Image of Apple DEP Portal

  6. Click Your Server Token to generate a server token, which downloads from the browser, and then click Done.

    Image of Apple DEP Portal

    Your Apple DEP token information appears in the Endpoint Management console after you import the token file. You will upload the server token file when adding the DEP account to Endpoint Management.

Step 3: Add a DEP account to Endpoint Management

You can add multiple DEP accounts to Endpoint Management. This feature enables you to use different enrollment settings and setup assistant options by country, department, and so on. You then associate DEP accounts with different device policies.

For example, you might centralize all of your DEP accounts from different countries on the same Endpoint Management server, to import and supervise all DEP devices. By customizing enrollment settings and setup assistant options per department, organizational hierarchy, or other structure, you can ensure that policies provide appropriate functionality across your organization and that device users receive the appropriate setup assistance.

  1. In Endpoint Management console, go to Settings > Apple Device Enrollment Program (DEP) and, under Add DEP Account, click Add.

    Image of Apple DEP settings screen

  2. In the Account Info page, specify these settings:

    Image of Apple DEP settings screen

    • DEP account name: A unique name for this DEP account. Use names that reflect how you organize DEP accounts, such as by country or organizational hierarchy.
    • Business/Education unit: The business unit or department to which the device is assigned. This field is required.
    • Unique service ID: An optional unique ID to help you further identify the account.
    • Support phone number: A support phone number that users may call for help during setup. This field is required.
    • Support email address: An optional support email address available to end users.
  3. In the Server Tokens page, specify your server token file and then click Upload.

    Image of Apple DEP settings screen

    Your server token information appears.

  4. In iOS Settings, specify these settings:

    Image of Apple DEP settings screen

    Enrollment settings:

    • Require device enrollment: Whether to require users to enroll their devices. The default is Yes.
    • Require credentials for device enrollment: Whether to require users to enter their credentials during DEP set up. This feature is available for iOS 7.1 and higher. The default is No.

      When the DEP account is first enabled with this option set to No, Endpoint Management creates the DEP components that credential-less enrollment relies on: the DEP user, Secure Hub, the software inventory, and the DEP deployment group. If the option is Yes when the account is first enabled, Endpoint Management does not create those components. If you later change the option back to No, devices whose users have not entered credentials cannot complete DEP enrollment because the components do not exist. To create them in that case, disable and then re-enable the DEP account.

    • Wait for configuration to complete setup: Whether to require users’ devices to remain in Setup Assistant mode until all MDM resources deploy to the device. This is available for iOS 9.0 and higher devices in supervised mode. The default is No.

      Apple documentation states that the following MDM commands may not work while a device is in Setup Assistant mode:

      • InviteToProgram
      • InstallApplication
      • ApplyRedemptionCode
      • InstallMedia
      • RequestMirroring
      • DeviceLock

    Device settings:

    • Supervised mode: Must be set to Yes if you are using the Apple Configurator to manage DEP enrolled devices or when Wait for configuration to complete setup is enabled. The default is Yes. For details on placing an iOS device in supervised mode, see To place an iOS device in Supervised mode by using the Apple Configurator.
    • Allow enrollment profile removal: Whether users can remove the MDM enrollment profile from the device. If Yes, a user can unenroll the device and take it out of management, so keep this set to No unless you have a specific reason to allow it. The default is No.
    • Allow device pairing: For devices enrolled through DEP, whether the device can pair with a host computer so that it can be managed through iTunes and the Apple Configurator. The default is No.
  5. In macOS Settings, specify these settings:

    Image of Apple DEP settings screen

    Enrollment settings:

    • Require device enrollment: Whether to require users to enroll their devices. The default is Yes.
    • Wait for configuration to complete setup: If Yes, the macOS device remains in the Setup Assistant until MDM resources, such as the passcode policy, deploy to the device. That deployment occurs before the local account is created, so the policy is in place before a user can sign in. This is available for macOS 10.11 and higher devices. The default is No.

    Device settings:

    • Allow enrollment profile removal: Whether users can remove the MDM enrollment profile from the device. If Yes, a user can unenroll the device and take it out of management. The default is No.
  6. In Apple TV Settings, specify these settings:

    • Require device enrollment: Prevents users from skipping enrollment.
    • Require Credentials for device enrollment: Challenges for credentials during enrollment. When this setting is off, Apple TV gets enrolled as the default “Device Enrollment Program user”.
    • Wait for configuration to complete setup: The device waits in the Setup Assistant screen until all resources deploy.
    • Supervised mode: Gives more capability to the administrator while configuring restrictions.
    • Allow enrollment profile removal: Allows users to remove the enrollment profiles.
    • Allow device pairing: Allows devices enrolled through the Device Enrollment Program to be managed through Apple tools, such as iTunes and the Apple Configurator.

    Image of Apple DEP settings configuration screen

  7. In iOS Setup Assistant Options, select the iOS Setup Assistant steps that your users will not have to take (that is, steps that are skipped) when they start their devices the first time. The default for all items is unchecked.

    Image of Apple DEP settings screen

    • Location services: Set up the location service on the device.
    • Touch ID: Set up Touch ID on iOS 8.0 and later devices.
    • Passcode lock: Create a passcode for the device.
    • Set up as New or Restore: Set up the device as new or from an iCloud or iTunes backup.
    • Move from Android: Enable transferring data from an Android device to an iOS 9 or later device. This option is available only when Set up as New or Restore is selected (that is, the step is skipped).
    • Apple ID: Set up an Apple ID account for the device.
    • Terms and conditions: Require users to accept terms and conditions for use of the device.
    • Apple Pay: Set up Apple Pay on iOS 8.0 and later devices.
    • Siri: Use or not use Siri on the device.
    • App analytics: Set up whether to share crash data and usage statistics with Apple.
    • Display zoom: Set up the display resolution (either standard or zoomed) on iOS 8.0 or later devices.
    • True Tone: Set up the True Tone Display on iOS 10.0 and later devices.
    • Home Button: Set up the Home Button screen sensitivity on iOS 10.0 and later devices.
    • New feature highlights: Set up the onboarding informational screens, Access the Dock from Anywhere and Switch Between Recent Apps, on iOS 11.0 and later devices.
    • Privacy: Prevent users from seeing the data and privacy pane during setup of DEP devices. For iOS 11.3 and later.
    • Appearance: Prevents the user from seeing the Choose Your Look screen during setup of the DEP devices. For iOS 12.0 and later.
    • SoftwareUpdate: Prevents the user from seeing the mandatory software update screen during setup of the DEP devices. For iOS 12.0 and later.
    • ScreenTime: Prevents the user from seeing the Screen Time screen during setup of the DEP devices. For iOS 12.0 and later.

    The DEP account appears on Settings > Apple Device Enrollment Program (DEP).

  8. In macOS Setup Assistant Options, select the macOS Setup Assistant steps that your users will not have to take (that is, steps that are skipped) when they start their devices the first time. The default for all items is unchecked.

    Image of Apple DEP settings screen

    • Set up as New or Restore: Set up the device as new or from an iCloud or iTunes backup.
    • Location services: Set up the location service on the device.
    • Apple ID: Set up an Apple ID account for the device.
    • Terms and conditions: Require users to accept terms and conditions for use of the device.
    • Siri: Use or not use Siri on the device.
    • FileVault: Use FileVault to encrypt the startup disk. Endpoint Management applies the FileVault setting only if the system has a single local user account and that account is signed into iCloud.

      You can use the macOS FileVault Disk Encryption feature to protect the system volume by encrypting its contents (https://support.apple.com/en-us/HT204837). If you run the Setup assistant on a late-model portable Mac that doesn’t have FileVault turned on, you might be prompted to turn on this feature. The prompt appears on both new systems and systems upgraded to OS X 10.10 or 10.11, but only if the system has a single local administrator account and that account is signed into iCloud.

    • App analytics: Set up whether to share crash data and usage statistics with Apple.
    • Registration: Require users to register their device.

      Registration information setup was available through OS X 10.9. The registration process allowed you to send system registration information to Apple. This information associated your contact information with the Mac hardware. Apple primarily used the information to facilitate AppleCare support. If you previously entered an Apple ID, Setup Assistant optionally submitted the registration based on your Apple ID account. If you didn’t enter an Apple ID, you could manually enter your contact information.

    • Privacy: Prevent users from seeing the Data and privacy pane during setup of DEP devices. For macOS 10.13 and later.
    • iCloud Analytics: Prevent users from seeing the iCloud analytics screen during setup of DEP devices. For macOS 10.13 and later.
    • iCloud Documents and Desktop: Prevent users from seeing the iCloud documents and desktop screen during setup of DEP devices. For macOS 10.13 and later.

    Under Local account setup options, specify the settings for the administrator account that Endpoint Management creates on the device. An administrator account is required for macOS, and Endpoint Management creates it using the information you specify.
  9. In Apple TV Setup Assistant Options, select the Apple TV Setup Assistant steps that your users will not have to take (that is, steps that are skipped) when they start their devices the first time. The default for all items is unchecked.

    Image of Apple DEP settings configuration screen

  10. To test connectivity between Endpoint Management and Apple, select the account and click Test Connectivity.

    Image of Apple DEP settings screen

    A status message appears.

    Image of Apple DEP settings screen
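The constraints that steps 2, 4 and 7 state (required fields, Supervised mode when Wait for configuration is on, Move from Android only together with Set up as New or Restore) are easy to get wrong across several DEP accounts. The following added example, which is not Citrix or Apple code, models the iOS settings from those steps, validates them, flags the settings that weaken control over the device, and renders the result as a DEP profile. The output key names (is_supervised, is_mdm_removable, allow_pairing, await_device_configured, is_mandatory, skip_setup_items) and the Setup Assistant skip keys are my reading of Apple’s Device Assignment API and are assumptions; verify them against the current Apple specification before relying on them.

```python
from dataclasses import dataclass

# Console Setup Assistant option -> Apple skip_setup_items key (assumed mapping).
IOS_SKIP_KEYS = {
    "Location services": "Location",
    "Touch ID": "Biometric",
    "Passcode lock": "Passcode",
    "Set up as New or Restore": "Restore",
    "Move from Android": "Android",
    "Apple ID": "AppleID",
    "Terms and conditions": "TOS",
    "Apple Pay": "Payment",
    "Siri": "Siri",
    "App analytics": "Diagnostics",
    "Display zoom": "Zoom",
    "True Tone": "DisplayTone",
    "Home Button": "HomeButtonSensitivity",
    "New feature highlights": "OnBoarding",
    "Privacy": "Privacy",
    "Appearance": "Appearance",
    "SoftwareUpdate": "SoftwareUpdate",
    "ScreenTime": "ScreenTime",
}


@dataclass(frozen=True)
class IosDepSettings:
    dep_account_name: str
    business_unit: str            # required by the console
    support_phone_number: str     # required by the console
    support_email_address: str = ""
    require_device_enrollment: bool = True
    require_credentials: bool = False
    wait_for_configuration: bool = False
    supervised: bool = True
    allow_profile_removal: bool = False
    allow_pairing: bool = False
    skipped_steps: frozenset = frozenset()   # console option names


def validate(s):
    """Hard errors: the combinations the console steps above say are invalid."""
    problems = []
    if not s.business_unit:
        problems.append("Business/Education unit is required")
    if not s.support_phone_number:
        problems.append("Support phone number is required")
    if s.wait_for_configuration and not s.supervised:
        problems.append("Wait for configuration to complete setup requires Supervised mode = Yes")
    if "Move from Android" in s.skipped_steps and "Set up as New or Restore" not in s.skipped_steps:
        problems.append("Move from Android can be skipped only when Set up as New or Restore is skipped")
    unknown = sorted(set(s.skipped_steps) - set(IOS_SKIP_KEYS))
    if unknown:
        problems.append("Unknown Setup Assistant options: " + ", ".join(unknown))
    return problems


def warnings(s):
    """Allowed settings that reduce control over the device; review before deploying."""
    notes = []
    if not s.require_device_enrollment:
        notes.append("users can skip MDM enrollment in Setup Assistant")
    if not s.supervised:
        notes.append("unsupervised devices accept fewer restrictions")
    if s.allow_profile_removal:
        notes.append("users can remove the MDM enrollment profile and leave management")
    if s.allow_pairing:
        notes.append("device can pair with host computers (iTunes/Apple Configurator)")
    if not s.require_credentials:
        notes.append("enrollment is not tied to a user identity (generic DEP user)")
    return notes


def build_profile(s, mdm_url):
    """Render validated settings as a DEP profile (key names are assumptions, see lead-in)."""
    problems = validate(s)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "profile_name": s.dep_account_name,
        "url": mdm_url,
        "department": s.business_unit,
        "support_phone_number": s.support_phone_number,
        "support_email_address": s.support_email_address,
        "is_mandatory": s.require_device_enrollment,
        "is_supervised": s.supervised,
        "is_mdm_removable": s.allow_profile_removal,
        "allow_pairing": s.allow_pairing,
        "await_device_configured": s.wait_for_configuration,
        "skip_setup_items": sorted(IOS_SKIP_KEYS[step] for step in s.skipped_steps),
    }


if __name__ == "__main__":
    import json
    # Constructed sample account; the server URL is a placeholder.
    sample = IosDepSettings("DEP Account NR", "Sales", "+1 555 0100",
                            skipped_steps=frozenset({"Set up as New or Restore", "Move from Android", "Passcode lock"}))
    print(json.dumps(build_profile(sample, "https://mdm.example.com/dep"), indent=2))
    for note in warnings(sample):
        print("warning:", note)
```

The defaults in the dataclass mirror the console defaults (enrollment required, supervised, profile not removable, pairing not allowed), so a freshly constructed account only warns about credential-less enrollment.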

Configure deployment rules of device policies and apps for DEP accounts

You can associate DEP accounts with different device policies and apps by using the Deployment Rules section under Configure > Device Policies and Configure > Apps. You can specify that a policy or app either:

  • Deploys only for a particular Apple DEP account.
  • Deploys for all Apple DEP accounts except the one selected.

The list of DEP accounts includes only accounts whose status is enabled or disabled. A device is not considered to belong to a disabled DEP account, so a policy or app whose rule targets that account is not deployed to the device.

In the following example, a device policy deploys only for devices with the Apple DEP account name “DEP Account NR”.

Image of Apple DEP deployment rule example screen
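The following added example, which is not Citrix code, evaluates the two rule modes above against a small set of devices, including a device whose DEP account is disabled and a device that did not enroll through DEP. The account names, serial numbers and policy names are constructed for illustration. How a non-DEP or disabled-account device is treated under an “except” rule is not spelled out above; the example takes the conservative reading that such a device satisfies neither rule mode, and marks that as an assumption.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DepAccount:
    name: str
    status: str                  # "enabled" or "disabled", as shown in the console


@dataclass(frozen=True)
class Device:
    serial: str
    dep_account: Optional[str]   # None for a device not enrolled through DEP


@dataclass(frozen=True)
class DeploymentRule:
    mode: str                    # "only": this account; "except": every DEP account but this one
    account_name: str


def effective_account(device, accounts):
    """The DEP account a device belongs to for rule evaluation.

    A device whose account is disabled, deleted or absent belongs to no account.
    """
    acct = accounts.get(device.dep_account) if device.dep_account else None
    if acct is None or acct.status != "enabled":
        return None
    return acct.name


def rule_allows(rule, device, accounts):
    """True if the policy's DEP-account rule permits deployment to this device."""
    if rule is None:
        return True              # no DEP-account rule on this policy
    owner = effective_account(device, accounts)
    if owner is None:
        return False             # assumption: no account means neither mode matches
    if rule.mode == "only":
        return owner == rule.account_name
    if rule.mode == "except":
        return owner != rule.account_name
    raise ValueError("unknown rule mode: " + rule.mode)


def policies_for(device, policies, accounts):
    """Sorted names of the policies that deploy to the device."""
    return sorted(name for name, rule in policies.items()
                  if rule_allows(rule, device, accounts))


# Constructed sample data.
ACCOUNTS = {a.name: a for a in (
    DepAccount("DEP Account NR", "enabled"),
    DepAccount("DEP Account EU", "disabled"),
    DepAccount("DEP Account US", "enabled"),
)}
POLICIES = {
    "VPN-NR": DeploymentRule("only", "DEP Account NR"),
    "WiFi-Global": DeploymentRule("except", "DEP Account NR"),
    "Passcode": None,
}
DEVICES = [
    Device("C02SAMPLE0001", "DEP Account NR"),
    Device("C02SAMPLE0002", "DEP Account EU"),
    Device("C02SAMPLE0003", "DEP Account US"),
    Device("C02SAMPLE0004", None),
]

if __name__ == "__main__":
    for d in DEVICES:
        print(d.serial, d.dep_account, policies_for(d, POLICIES, ACCOUNTS))
```

Running it shows that the device on the disabled EU account receives only the policy with no DEP rule, which is the behaviour to expect after you disable an account: devices on it silently stop receiving account-scoped policies and apps.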

Configure Apple Configurator settings

  1. In the Endpoint Management console, go to Settings > Apple Configurator Device Enrollment.

    Image of Apple DEP settings screen

  2. Set Enable Apple Configurator device enrollment to Yes.

  3. The Enrollment URL to enter in Apple Configurator is a read-only field. It is the URL of the Endpoint Management server that the devices contact to enroll. Later in these steps, you copy and paste the URL into the Apple Configurator. In Apple Configurator 2, the enrollment URL is the Endpoint Management server fully qualified domain name (FQDN), such as mdm.server.url.com, or its IP address. Use the name that the server’s SSL certificate is issued for; if the name or IP address doesn’t match the certificate, devices can’t establish a trusted connection to the server.

  4. To prevent unknown devices from enrolling, set Require device registration before enrollment to Yes. Note: If this setting is Yes, you must add the devices to Manage > Devices in Endpoint Management, manually or through a CSV file, before enrollment.

  5. To require users of iOS 7.1 and later devices to enter their credentials when enrolling, set Require credentials for device enrollment to Yes. The default is not to require credentials for enrollment.

  6. Note: If the Endpoint Management server uses an SSL certificate issued by a certificate authority that the devices already trust, skip this step. Otherwise, click Export anchor certs and save the certchain.pem file to the macOS keychain (login or System), so that you can add the certificates as anchors in the Apple Configurator in the steps that follow.

    Image of Apple DEP settings screen

  7. Start the Apple Configurator and go to Prepare > Setup > Configure Settings.

  8. In the Device Enrollment setting, paste the enrollment URL from step 3 into the MDM server URL box in the Configurator.

  9. In the Device Enrollment setting, copy the Root Certificate Authority and SSL Servers Certificate Authority to the Anchor certificates, if Endpoint Management isn’t using a trusted SSL certificate.

  10. Use a Dock Connector-to-USB cable to connect devices to the Mac running the Apple Configurator to configure up to 30 connected devices simultaneously. If you do not have a Dock Connector, use one or more powered USB 2.0 high-speed hubs to connect the devices.

  11. Click Prepare. For more information on preparing devices with the Apple Configurator, see the Apple Configurator help page, Prepare devices.

  12. In the Apple Configurator, configure the device policies you require.

  13. As each device is prepared, turn it on to start the iOS Setup Assistant, which prepares the device for first-time use.

To renew or update certificates when using the Apple DEP

When the Endpoint Management Secure Sockets Layer (SSL) certificate is renewed, you upload a new certificate in the Endpoint Management console in Settings > Certificates. In the Import dialog box, in Use as, be sure to click SSL Listener so that the certificate is used for SSL. After you restart the server, Endpoint Management uses the new SSL certificate. For more information about certificates in Endpoint Management, see Uploading Certificates in Endpoint Management.

It is not necessary to reestablish the trust relationship between Apple DEP and Endpoint Management when you renew or update the SSL certificate. You can, however, reconfigure your DEP settings at any time by following the preceding steps in this article.

For more information about Apple DEP, see the Apple documentation.

To place an iOS device in Supervised mode by using the Apple Configurator

Important:

Placing a device into Supervised mode will install the selected version of iOS on the device, completely wiping the device of any previously stored user data or apps.

  1. Install Apple Configurator from https://itunes.apple.com.

  2. Connect the iOS device to your Apple computer.

  3. Start Apple Configurator. The Configurator shows that you have a device to prepare for supervision.

  4. To prepare the device for supervision:

    • Set the Supervision control to On. Citrix recommends that you choose this setting if you intend to maintain control of the device by reapplying a configuration regularly.

    • Optionally, provide a name for the device.

    • In iOS, click Latest for the latest version of iOS that you want to install.

  5. When you are ready to prepare the device for supervision, click Prepare.