iOS 11 & Provisional DEP: Questions and Answers


What is Provisional DEP?
Apple Configurator 2.5 can add any iOS device to Apple’s Device Enrollment Program (DEP), so you can use this streamlined process for setup and enrollment.

Before this change, Apple required proof of ownership of a device in order to approve DEP enrollment. In practice, this usually meant that only new devices purchased from specific resellers were eligible. Now any iOS device can be enrolled into DEP. But there are some specific conditions to pay attention to.

What are the requirements?

  • Your devices must be updated to iOS 11.
  • The process will erase devices. It will not preserve data.
  • You need to plug in devices into a Mac (once) to start the process.
  • The technicians running the process will need credentials to the DEP portal.
  • You may need to manually assign devices in the Apple DEP portal and/or MDM server to complete the process.
  • For 30 days after enrollment, users may choose to leave DEP (and MDM). DEP is permanent only after the 30-day provisional period has elapsed.

What? Users may leave DEP within 30 days?
For a period of 30 days after provisional enrollment, users are able to remove MDM and opt out of DEP. The lock screen will display small text, instructing users that they can “leave remote management in Settings:”

And in Settings > General > Device Management, users have the ability to “Leave Device Management.”

These options appear even if you set MDM enrollment as mandatory. After 30 days, these notices disappear. At that point the device is permanently in DEP.

What happens when a user decides to leave remote management?
When a user opts out of DEP, the device erases itself, removing any corporate (and personal) data. The device also removes itself from your MDM server. Finally, the device serial number no longer appears in the DEP portal.

After a user leaves remote management, you may use Apple Configurator 2 to add the device to DEP again. The device will begin a new 30-day provisional enrollment.

Is there a way to remove that button and notice, so users can’t opt out?
No. The notice and button are there for 30 days.

While provisional, if I erase the device does it remain in DEP?
Yes. The device remains in DEP after it is erased, just like standard DEP.

Does Configurator allow me to assign an MDM server to the device?
No. MDM server assignment must be done in the DEP portal (deploy.apple.com) just like standard DEP. Within the DEP portal, devices are placed in a container called “Devices Added by Apple Configurator 2.” You must log into the DEP portal and manually assign devices to an MDM server. Until you do that, devices will not behave as DEP devices.

There is a checkbox in Configurator to “Activate and complete enrollment.” This checkbox can be confusing, since it takes the newly-added DEP device and enrolls it as a non-DEP device. You may find it simplest to perform the actions in the following steps:

  1. Use Configurator to add devices to DEP, but do not “Activate and complete enrollment”
  2. Log into the DEP portal, find the serial numbers of the recently added devices, and assign these to your MDM server
  3. Continue setting up the devices, which should now use streamlined enrollment, as usual
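The three steps above, together with the opt-out behavior described earlier, leave an admin with two lists to reconcile: the serials added via Configurator and the current contents of the DEP portal. The following script is an added example (not GroundControl's code or an Apple API); it assumes you have exported the portal's device list into a serial-to-MDM-server mapping, uses constructed placeholder serials, and approximates the start of the 30-day window with the date the device was added.

```python
from datetime import date, timedelta

PROVISIONAL_DAYS = 30  # length of Apple's provisional window after Configurator enrollment

# Constructed sample: serials added with Configurator and the date each was added.
# Serial numbers are placeholders, not real devices.
CONFIGURATOR_ADDED = {
    "SERIALAAAA01": date(2017, 10, 1),
    "SERIALAAAA02": date(2017, 10, 1),
    "SERIALAAAA03": date(2017, 10, 20),
    "SERIALAAAA04": date(2017, 10, 25),
}

# Constructed sample of a DEP portal export: serial -> assigned MDM server, where None
# means the device is still in "Devices Added by Apple Configurator 2" (unassigned).
# The export format is an assumption for this example, not taken from the portal.
DEP_PORTAL_EXPORT = {
    "SERIALAAAA01": "Corp MDM",
    "SERIALAAAA03": None,
    "SERIALAAAA04": "Corp MDM",
}


def classify_devices(added, portal, today):
    """Return {serial: status} describing where each Configurator-added device stands."""
    result = {}
    for serial, added_on in added.items():
        permanent_on = added_on + timedelta(days=PROVISIONAL_DAYS)
        if serial not in portal:
            # Opting out erases the device and drops its serial from the DEP portal;
            # Configurator can re-add it, which starts a fresh 30-day window.
            result[serial] = "left_dep_reenroll_with_configurator"
        elif portal[serial] is None:
            # Until assigned to an MDM server in the portal, it will not behave as a DEP device.
            result[serial] = "needs_mdm_assignment"
        elif today < permanent_on:
            result[serial] = "provisional_until_%s" % permanent_on.isoformat()
        else:
            result[serial] = "permanent"
    return result


def devices_needing_attention(added, portal, today):
    """Serials an admin must act on: left DEP, or still unassigned in the portal."""
    statuses = classify_devices(added, portal, today)
    return sorted(s for s, st in statuses.items()
                  if st in ("left_dep_reenroll_with_configurator", "needs_mdm_assignment"))


if __name__ == "__main__":
    for serial, status in classify_devices(CONFIGURATOR_ADDED, DEP_PORTAL_EXPORT, date(2017, 11, 5)).items():
        print(serial, status)
```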

I have multiple DEP profiles in my MDM. Does Configurator allow me to assign a profile to the device?
No. Profiles must be assigned using your MDM server, just like standard DEP. But if you have a default profile assigned, the choice is respected.

If I “disown” a device using the DEP portal, can I use provisional DEP enrollment to return it to DEP?
Yes. This is good news, since previously “disown” was permanent.

Does this help with BYOD or personal devices?
No. DEP and supervision remain appropriate only for corporate-owned devices.

I have 1,000 devices that I want to put into DEP. What can I expect from the process?
Provisional DEP is intended to deal with exceptional devices, a small percentage of an otherwise all-DEP fleet. If you want to enroll a large number of devices, you may expect some challenges.

First, you will need to tether devices to a Mac. Provisional DEP is not an over-the-air operation. You may, however, use a USB hub to work on several devices at once.

Second, be aware that Configurator will prompt for a DEP portal login. Most companies restrict employee access to the portal, for good reasons. You will need to provide credentials to your technicians. Note that Apple requires all DEP portal logins to use two-factor authentication, typically via SMS, so you may not be able to have technicians share an account.

Third, the enrollment process will erase devices. So you must expect to re-provision devices as part of this process. If you already have a streamlined provisioning process for DEP devices, you’ll be in good shape. But if DEP is new to your organization, or to this particular use case of your devices, you may need to architect a new process. (A tool like GroundControl can dramatically speed device provisioning, especially for shared DEP devices.)

Finally, all devices will need to be updated to iOS 11 before the process begins. Configurator or GroundControl can update devices efficiently. You will want a high quality USB hub for this part, to make the process as robust as possible. Hubs from Datamation and Cambrionix are recommended.

Do these provisional devices work with GroundControl’s DEP workflows?
Yes. To GroundControl, these devices behave like every other DEP device, during and after the 30-day provisional period. Once you use Configurator to add these to DEP, you may use GroundControl to image the devices, restore a common backup, manage your MDM, etc. Add a supervision identity to your DEP profile to streamline GroundControl’s management.

Will GroundControl incorporate these new Configurator features?
Provisional DEP enrollment is a one-time operation. Today, we recommend you plan to use Configurator for this one-time addition of devices, then use GroundControl to provision the devices and for ongoing automated maintenance.

We are looking at options to support this without Configurator. The requirement for DEP portal login, with two factor authentication, makes this process difficult to incorporate at scale. But we continue to do research, because we understand our customers don’t always have Macs available.

Apple could easily improve the process with a spreadsheet upload to the DEP portal, or a public API. Perhaps you’ll help us make a feature request?
