As I am sure you are aware, using the Apple Device Enrollment Program (DEP) to enroll devices simplifies the process of provisioning devices with ZENworks and allows you to perform over-the-air supervision of the device. Supervising an iOS device opens a variety of additional settings and profiles that can be applied to restrict the device. In the past, if you wanted devices to be associated with your company’s DEP account you had to make sure that you purchased the device from Apple directly or through a DEP-enabled Apple reseller.
With iOS 11.x you can now use the Apple Configurator tool to enroll existing devices with your DEP account. This means you can enroll secondhand devices or any other device running iOS 11.x so long as you have a corporate DEP account. The purpose of this Cool Solution is to show you how this is done and how to configure the devices to automatically enroll with ZENworks.
Important: Adding a device to DEP is a destructive task since the device will be wiped out as part of the process. Please ensure that before following the instructions in this cool solution that you have backed up any data you require.
To add devices to your DEP account you need the following:
An Apple DEP account and credentials for a DEP Administrator attached to that account
An iOS 11.x or higher device
A MacOS device running at least 10.13.3
Apple Configurator 2.5 or higher, this solution uses Configurator 2.7
Be sure to disable Find My iPhone to disable the Activation Lock feature
At least one Primary Server in the zone must be configured as an MDM server and be registered as a DEP server with Apple
If the device is currently being managed with ZENworks or another MDM solution you should unenroll it before proceeding.
Once you have gathered the necessary devices and credentials you are ready to add your device(s) to your DEP account.
Start by plugging your iOS device into the MacOS device that has Configurator installed. After a few moments, the system should detect the device.
On the iOS device, you will be asked to trust the Mac device and provide the PIN to trust the device. Once complete you should see the device show up in Configurator as shown below:
In the top toolbar, click the Prepare button. The prepare dialog is displayed as shown below:
Check the options for at least Add to Device Enrollment Program and Activate and complete enrollment.
At the enroll in MDM Server screen, either select the Server you have already added, or select New Server… and click Next.
In the name field, enter a server name such as ZENworks Configuration Management.
In Safari, open ZCC and browse to Configuration > Infrastructure Management > MDM Servers. Select the MDM server you want to enroll the device with and then click the Apple Enrollment URL. You should see something similar to the screenshot below.
Copy the URL to the clipboard and then paste it into the Host name or URL field in Configurator; then click Next.
You will likely receive an “Unable to verify the server’s enrollment url…” error. This is a known issue with Configurator. You can simply click Next to continue.
You will then have the option if needed to add additional certificates needed for devices to connect to the MDM server. Because the ZENworks server should already have all of the needed certificates you should be able to just click Next.
You are next prompted to log in to DEP. Login using credentials of a designated DEP Administrator.
Once you are successfully authenticated, you will be asked to select a supervision identity. If you already have one you can select it, otherwise select Generate a new supervision identity; then click Next.
You are then prompted to Configure the iOS Setup Assistant. This will be used when the device is set up, once it is properly registered with DEP you can also override these settings from the DEP profile settings in ZCC. Click Next.
You are then given the opportunity to upload a Wi-Fi profile that the device can use to automatically connect the device to a network after being erased. If not specified then the device will ask you to join a network the first time it boots.
Finally, you are asked for enrollment credentials. Since you will provide these at enrollment time you can leave these blank and click Prepare.
Because the device is already configured, you will get a message indicating that the device has already been prepared. At this point to continue forward you must erase all data and content from the device. Click Erase to cause the device to be erased.
When the device is rebooted, if the device has activation lock enabled then you will receive an error indicating that the device could not be activated. You will need to get the device to the point where you enter the iTunes ID and specify the ID to unlock the device, then choose to retry the activation in Configurator. This should cause the device to reboot one more time with activation lock disabled.
At this point if you have a configured a default MDM server in the DEP portal or Apple Business Manager, then the device should get its configuration. If not you will get an error in Configurator indicating that the configuration could not be pushed. You will need to use the DEP portal or Apple Business Manager to assign the device to your MDM server manually and then refresh DEP from the Configuration > Discovery and Deployment > Apple Device Enrollment Program settings page. This should cause the device to be displayed in the Discovered Devices > Apple DEP Devices folder. The device should now be ready to be given to the end user.