You can enroll large numbers of iOS devices in XenMobile in two ways.
- You can use the Apple Device Enrollment Program (DEP) to enroll devices that you buy directly from Apple or from a participating Apple Authorized Reseller or carrier.
- You can use Apple Configurator to enroll devices whether or not you purchased them directly from Apple.
XenMobile 10.x supports Apple Configurator v2.
With DEP, you do not have to touch or prepare the device. You submit device serial numbers or purchase order numbers through DEP. You then configure and enroll the devices in XenMobile. After the devices enroll, you can give them to users who can use them without further configuration. In addition, when you set up devices with DEP, you can eliminate some of the Setup Assistant steps. That eliminates tasks that users would otherwise have to complete when they first start their devices. For more information on setting up DEP, see the Apple Device Enrollment Program page.
With Apple Configurator, you attach devices to an Apple computer running OS X 10.7.2 or later and the Apple Configurator app. You prepare the devices and configure policies through Apple Configurator. After you provision the devices with the required policies and the devices connect to XenMobile, the policies are applied and you can start managing the devices. For more information about using Apple Configurator, see Apple Configurator.
1. In the XenMobile console, click the gear icon in the upper-right corner. The Settings page appears.
2. Under Server, click iOS Bulk Enrollment. The iOS Bulk Enrollment page appears.
If you're configuring DEP settings, see below. If you're configuring Apple Configurator settings, see Configuring Apple Configurator settings.
Configuring DEP settings
Prerequisites: Before you can continue, you must have created an Apple DEP account on deploy.apple.com. After you have created a DEP account, you set up a virtual MDM server to allow XenMobile and Apple to communicate. To do so, you must upload a XenMobile public key to Apple. After Apple receives the public key, Apple returns a server token that you import into XenMobile.
Follow these steps to establish the connection between XenMobile and Apple.
1. To obtain the public key to upload to Apple, on the iOS Bulk Enrollment page, expand DEP Configuration, and then click Export Public Key and save the file to your computer.
2. Go to deploy.apple.com, log in to your DEP account and follow the instructions for setting up an MDM server. As part of this process, Apple provides a server token.
3. On the iOS Bulk Enrollment page, click Import Token File to add the Apple server token to XenMobile.
4. The Server tokens fields fill automatically after the token file is uploaded to XenMobile.
5. Click Test Connectivity to confirm that XenMobile and Apple are able to communicate.
If the connection test fails, confirm that you have opened all required ports because this is the most likely cause of the failure. For more information on the ports that must be opened in XenMobile, see Port Requirements.
6. Configure these settings to complete the DEP configuration:
- Business unit: Enter the business unit or department to which the device is assigned. This field is required.
- Unique service ID: Enter an optional unique ID.
- Support phone number: Enter a support phone number that users may call for help during setup. This field is required.
- Support email address: Enter an optional support email address.
- Require device enrollment: Select whether to require users to enroll their devices. The default is to require enrollment.
- Supervised mode: Must be set to Yes if you are using Apple Configurator to manage DEP-enrolled devices or when Wait for configuration to complete setup is enabled. The default is Yes. For details on placing an iOS device in supervised mode, see To place an iOS device in Supervised mode by using the Apple Configurator later in this article.
- Enrollment profile removal: Select whether to allow devices to use a profile that can be removed remotely. The default is Deny.
- Pairing: Select whether to allow devices enrolled through DEP to be managed through iTunes and the Apple Configurator. The default is Deny.
- Require credentials for device enrollment: Select whether to require users to enter their credentials during DEP setup. This is available for iOS 7.1 and later. Note: When DEP is on for the first-time setup and you don't select this option, the DEP components, such as DEP user, Secure Hub, software inventory, and DEP deployment group, are created from the beginning. If you do select this option, the components are not created until the user enters their credentials. As a result, if you later clear this option, users who have not entered their credentials cannot perform the DEP enrollment because these DEP components do not exist. To add the DEP components in that case, disable and then enable the DEP account.
- Wait for configuration to complete setup: Select whether to require users' devices to remain in Setup Assistant mode until all MDM resources are deployed to the device. This is available for iOS 9.0 and later devices in supervised mode.
- Note: Apple documentation states that the following commands may not work while a device is in Setup Assistant mode:
Select the iOS Setup Assistant steps that your users will not have to take (that is, steps that are skipped) when they start their devices for first-time use.
- Location Services: Set up the location service on the device.
- Touch ID: Set up Touch ID on iOS 8.0 and later devices.
- Passcode Lock: Create a passcode for the device.
- Set up as New or Restore: Set up the device as new or from an iCloud or iTunes backup.
- Move from Android: Enable transferring data from an Android device to an iOS 9 or later device. This option is available only when Set up as New or Restore is selected (that is, the step is skipped).
- Apple ID: Set up an Apple ID account for the device.
- Terms and Conditions: Require users to accept terms and conditions for use of the device.
- Apple Pay: Set up Apple Pay on iOS 8.0 and later devices.
- Siri: Use or not use Siri on the device.
- App Analytics: Set up whether to share crash data and usage statistics with Apple.
- Display Zoom: Set up the display resolution (either standard or zoomed) on iOS 8.0 or later devices.
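A consistency check for the DEP settings listed above, as an added example that is not part of the original article or of XenMobile: it audits a profile written with the key names of Apple's device enrollment profile JSON against the requirements and defaults this section states. The mapping from the console labels to those keys, the `audit_dep_profile` name and the sample values are assumptions of this example.

```python
import json

# Constructed sample profile. Key names follow Apple's device enrollment
# profile JSON; mapping the console labels onto them is an assumption.
SAMPLE_PROFILE = json.loads("""{
  "department": "",
  "support_phone_number": "+1-555-0100",
  "is_mandatory": true,
  "is_supervised": false,
  "is_mdm_removable": true,
  "allow_pairing": true,
  "await_device_configured": true,
  "skip_setup_items": ["Location", "Passcode", "Android"]
}""")

REQUIRED = (("department", "Business unit"),
            ("support_phone_number", "Support phone number"))

def audit_dep_profile(profile):
    """Return (severity, message) findings; absent optional keys are not flagged."""
    findings = []
    for key, label in REQUIRED:
        if not str(profile.get(key) or "").strip():
            findings.append(("error", f"{label} is required but empty"))
    # Supervised mode must be Yes when the device waits in Setup Assistant.
    if profile.get("await_device_configured") and not profile.get("is_supervised"):
        findings.append(("error", "Wait for configuration to complete setup "
                                  "needs Supervised mode set to Yes"))
    # Settings that differ from the documented defaults.
    if profile.get("is_mandatory") is False:
        findings.append(("warn", "Require device enrollment is off"))
    if profile.get("is_mdm_removable"):
        findings.append(("warn", "Enrollment profile removal is allowed (default: Deny)"))
    if profile.get("allow_pairing"):
        findings.append(("warn", "Pairing is allowed (default: Deny)"))
    skipped = set(profile.get("skip_setup_items", []))
    # Move from Android is offered only when Set up as New or Restore is selected.
    if "Android" in skipped and "Restore" not in skipped:
        findings.append(("error", "Move from Android selected without "
                                  "Set up as New or Restore"))
    if "Passcode" in skipped:
        findings.append(("warn", "Passcode Lock step is skipped; users are not "
                                 "prompted to create a passcode during setup"))
    return findings

if __name__ == "__main__":
    for severity, message in audit_dep_profile(SAMPLE_PROFILE):
        print(f"{severity.upper():5} {message}")
```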
Configuring Apple Configurator settings
1. Expand Apple Configurator Device Enrollment Configuration.
2. Set Enable Apple Configurator Device Enrollment to Yes.
3. Note and configure these settings:
- MDM server URL to copy in Apple Configurator: This read-only field is the URL for the XenMobile server that communicates with Apple, and which you copy and paste into the Apple Configurator in a later step. In Apple Configurator 2, the enrollment URL is the fully qualified domain name (FQDN) or IP address of the XenMobile server, such as mdm.server.url.com.
- Require device registration: Selecting this setting requires you to add the configured devices to the Devices tab in XenMobile manually or through a CSV file before they can be enrolled. This ensures that no unknown devices can enroll. The default is to require adding devices.
- Require credentials for device enrollment: Require users of iOS 7.1 and later devices to enter their credentials when enrolling. The default is to not require credentials.
If the XenMobile server is using a trusted SSL certificate, skip the next step.
4. Click Export Anchor Certs and save the certchain.pem file to the OS X keychain (login or System).
5. Start Apple Configurator and go to Prepare > Setup > Configure Settings.
6. In the Device Enrollment setting, paste the MDM server URL from step 4 into the MDM server URL field in the Configurator.
7. In the Device Enrollment setting, copy the Root Certificate Authority and SSL Servers Certificate Authority to the Anchor certificates, if XenMobile is not using a trusted SSL certificate.
8. Use a Dock Connector to USB cable to connect devices to the Mac running the Apple Configurator to simultaneously configure up to 30 connected devices. If you do not have a Dock Connector, use one or more powered USB 2.0 high-speed hubs to connect the devices.
9. Click Prepare. For more information on preparing devices with the Apple Configurator, see the Apple Configurator help page Prepare devices.
10. In Apple Configurator, configure the device policies you require.
11. As each device is prepared, turn it on to start the iOS Setup Assistant, which prepares the device for first-time use.
To renew or update certificates when using the Apple DEP
When the XenMobile Secure Sockets Layer (SSL) certificate is renewed, you upload a new certificate in the XenMobile console in Settings > Certificates. In the Import dialog box, in Use as, be sure to click SSL Listener so that the certificate is used for SSL. After you restart the server, XenMobile uses the new SSL certificate. For more information about certificates in XenMobile, see Uploading Certificates in XenMobile.
It is not necessary to reestablish the trust relationship between Apple DEP and XenMobile when you renew or update the SSL certificate. You can, however, reconfigure your DEP settings at any time by following the preceding steps in this article.
For more information about Apple DEP, see the Apple documentation.
For information about a known issue and workaround related to this configuration, see XenMobile Server 10.4 Known Issues.
To place an iOS device in Supervised mode by using the Apple Configurator
Placing a device into Supervised mode will install the selected version of iOS on the device, completely wiping the device of any previously stored user data or apps.
1. Install Apple Configurator from iTunes.
2. Connect the iOS device to your Apple computer.
3. Start Apple Configurator. The Configurator shows that you have a device to prepare for supervision.
4. To prepare the device for supervision:
a. Switch the Supervision control to On. Citrix recommends that you choose this setting if you intend to maintain control of the device on an ongoing basis by reapplying a configuration regularly.
b. Optionally, provide a name for the device.
c. In iOS, click Latest for the latest version of iOS you want to install.
5. When you are ready to prepare the device for supervision, click Prepare.