How to configure Apple DEP within Microsoft Intune and migrate existing DEP devices from another MDM solution to Microsoft Intune

In the January 2019 update of Microsoft Intune, new Apple DEP capabilities became available. With the latest release of iOS, more options are displayed during the initial setup of an iPhone or iPad, for example Screen Time and Onboarding. With this update, Microsoft Intune can hide these screens through the Setup Assistant Customization settings.

For me, this was perfect timing. I had a customer who wanted to migrate from another MDM solution to Microsoft Intune and also use Apple DEP. They were immediately able to use these new features of Microsoft Intune. This inspired me to write this blog to explain how Apple DEP can be configured within Microsoft Intune and how to migrate existing DEP devices to Microsoft Intune.

What is Apple DEP?

Every iOS or macOS device that starts up for the first time (new out of the box or after a factory reset) must be activated by Apple. This process happens automatically. With the Apple Device Enrollment Program (DEP) you can, based on the serial number, indicate which devices are company-owned and start an automatic MDM enrollment on these devices during activation. Once this is configured, the end user cannot bypass the enrollment. In this way the company always keeps control of the device and the ability to protect company data, even after a factory reset.

In this blog

This blog will cover the following steps:

  • Configure Apple DEP within Microsoft Intune
  • Create an Apple DEP Profile
  • Assign devices to Microsoft Intune
  • Test the results

Step 1: Configure Apple DEP within Microsoft Intune

The first step is to connect your Apple DEP account with Microsoft Intune. Log in to the Microsoft Azure Portal for the next steps.

Navigate to: Microsoft Intune > Device enrollment and click Enrollment program tokens

Click the + Add button

Check the I agree checkbox (if you do) and click Download your public key

Open a new browser window or tab and log in to the Apple DEP Portal / Apple Business Portal with your Apple ID.

Open the MDM Servers page and click Add New MDM Server

Give the MDM Server a name, in this case Microsoft Intune. Click Upload File and browse to the public key you just downloaded from the Microsoft Intune console.

Click Get Token

Click Download Server Token

Go back to the Microsoft Intune console. Fill in your Apple ID and upload the Server Token you just downloaded from the Apple DEP console. Click Create

Step 2: Create an Apple DEP Profile

The second step is to create an Apple DEP Profile and assign this profile to devices.

Click the Apple DEP server you just created.

Open the Profiles tab and click Create profile

Give this profile a name and a description. Select the Platform (iOS or MacOS). Select whether you want to use the Company Portal app for authentication instead of the Apple Setup Assistant. I will set this to Yes.

If you are using Apple VPP for deploying the Company Portal (recommended) select your VPP token.

You can choose whether to run the Company Portal in Single App Mode until authentication. I think this is a great feature and I have selected Yes (see the results in the last step of this blog).

Open the Device management settings page. Here you can configure whether you want a locked-down environment (so that users cannot remove the MDM profile) and whether the device can be synced with a computer.

Click OK

Open the Setup Assistant customization page. Fill in the Department name and the Department phone. Under Setup Assistant Screens you can configure which screens appear during the initial setup of the device. For this demo, I set everything to Hide

Click OK and click Create

Devices must be assigned to this profile. You can also set this profile as the default, so that every new device is automatically assigned to it. To configure this, click Set default profile

Select the iOS Enrollment Profile you just created and click OK

Step 3: Assign devices to Microsoft Intune

Devices need to be assigned to Microsoft Intune within the Apple Business Portal / Apple DEP Portal. Log in to this portal for the next steps.

Click Device Assignments. On this page you can assign devices to an MDM Server. These can also be existing devices that are currently assigned to another MDM Server, as in this case. Fill in the Serial Number(s) and under Choose Actions select Assign to Server, then select Microsoft Intune as the MDM Server.

Click OK

When you take a look at the MDM Server page, you can see the number of devices assigned to each server.

Go back to the Microsoft Intune portal and open the Devices page. Click Sync. All assigned devices will appear in a few minutes.
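As an added example (not part of the original post), the following PowerShell script checks the same state from the command line instead of the portal: that the DEP token from Step 1 is valid and recently synced, that the serial numbers assigned in Step 3 have actually arrived in Intune, and which devices will fall back to the default profile from Step 2. It assumes the Microsoft.Graph.Authentication module is installed and uses the Microsoft Graph beta endpoints and property names as I understand them (depOnboardingSettings, importedAppleDeviceIdentities, syncWithAppleDeviceEnrollmentProgram); the serial numbers are constructed placeholders.

```powershell
# Added example: audit the Apple DEP token and device assignments via Graph beta.
# Assumption: these beta endpoints and property names are correct for your tenant;
# verify against Graph Explorer if a property comes back empty.

# Serial numbers you assigned to the Intune MDM server in Apple Business Manager
# (constructed placeholders, replace with your own).
$ExpectedSerials = @('SERIAL-PLACEHOLDER-1', 'SERIAL-PLACEHOLDER-2')

Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.ReadWrite.All' | Out-Null
$base = 'https://graph.microsoft.com/beta/deviceManagement/depOnboardingSettings'

$tokens = (Invoke-MgGraphRequest -Method GET -Uri $base).value
if (-not $tokens) { throw 'No DEP token found in this tenant. Complete Step 1 first.' }

foreach ($t in $tokens) {
    # An expired server token quietly stops new DEP devices from enrolling, so check it first.
    $daysLeft = [int]([datetime]$t.tokenExpirationDateTime - (Get-Date)).TotalDays
    Write-Host ("Token '{0}' ({1}) expires in {2} days; last successful sync: {3}" -f
        $t.tokenName, $t.appleIdentifier, $daysLeft, $t.lastSuccessfulSyncDateTime)
    if ($daysLeft -lt 30) { Write-Warning 'Renew the server token in Apple Business Manager soon.' }

    # Equivalent of clicking Sync in Step 3; Intune may throttle repeated syncs, so do not abort on failure.
    try {
        Invoke-MgGraphRequest -Method POST -Uri "$base/$($t.id)/syncWithAppleDeviceEnrollmentProgram"
    } catch { Write-Warning "Sync request failed: $($_.Exception.Message)" }

    # Pull every device Apple reports for this MDM server, following @odata.nextLink paging.
    $devices = @()
    $uri = "$base/$($t.id)/importedAppleDeviceIdentities"
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        $devices += $page.value
        $uri = $page.'@odata.nextLink'
    } while ($uri)

    # A serial assigned in Apple Business Manager but absent here is either still syncing
    # or was assigned to a different MDM server (for example the previous MDM).
    $seen = $devices | ForEach-Object { $_.serialNumber }
    $missing = $ExpectedSerials | Where-Object { $_ -notin $seen }
    if ($missing) { Write-Warning ("Not yet visible in Intune: {0}" -f ($missing -join ', ')) }

    # Devices without an explicitly requested profile get the default profile set in Step 2.
    $devices | Where-Object { -not $_.requestedEnrollmentProfileId } | ForEach-Object {
        Write-Host ("{0}: no explicit profile, default enrollment profile applies" -f $_.serialNumber)
    }
}
```

Run it after assigning serials in Apple Business Manager; if the sync is still in progress the "not yet visible" list shrinks on a later run.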

Step 4: Test the results

Now that everything is configured, let's test the results on a new Apple iPad.

Press the Home button

Select your Language

Select your Country or Region

Press Set Up Manually

Connect to the correct Wi-Fi Network

The MDM enrollment will now start. Press Next

And that’s it, just as we configured it with no additional setup screens. Click Get Started.

The Intune Company Portal app is automatically installed and launched. Before authentication the user cannot do anything else. Log in with your company credentials.

Click Begin

If a Passcode policy is pushed to the device, like in this case, the user gets prompted to set a new Passcode.

Click Done

All other applications will be installed automatically without any Apple ID (if using Apple VPP) and the iPad is released for use.

36 comments

  • Hi! Great post.
    What would you say are the advantages and disadvantages of enrolling using the Company Portal?

    In my opinion, using Setup Assistant is an even more seamless end-user experience. The only downside I have discovered so far is no MFA support.

    • Thanks. It’s what you say. No modern authentication modes are supported with Setup Assistant. Another advantage of using the Company Portal app for authentication is that you can push apps device-based before the user authenticates.

      • “Before the user authenticates”.
        Is it possible to push the MS Authenticator app before the user authenticates, and then use the Authenticator app for MFA when enrolling in Intune with the Company Portal?

  • Brilliant blog, thanks so much for putting this together! Could you also cover retrospectively enrolling devices into DEP (via Apple Configurator)?

    • Thanks Dean, unfortunately I don’t own a macOS device so I’m not able to write this blog at the moment. I hope to write it in the near future.

  • Thanks
    If the above is configured and devices (iPhones, MacBooks and iPads) are automatically enrolled, does this mean the devices can never be removed (by an end user) from Intune?

  • Nice blog. Quick question: how can we assign devices to a new DEP profile from a different O365 tenant (different MDM server)? My situation is that I am moving devices completely from one tenant to another tenant, so I believe I need to assign a new profile, and for that I need to do all these steps from scratch, and end users have to do all these steps again? Is there a way to do this switch without any effect on end users?

    • Hi Raj,

      There is always the need to re-enroll the device after moving from one DEP profile to another for the change to take effect.
      What to do is the following:

      1) Add the new MDM server to your current DEP account.
      2) Unassign the devices you want to move to the new tenant.
      3) Assign the devices to the new tenant within DEP
      4) Factory reset the devices to enroll to the new tenant

      Regards,

      Robin

  • This is a great article
    One question I do have. We currently have this set up: new devices purchased from our supplier are added to our DEP account and we can add them to Intune.

    Is it possible to have these migrated to a new Intune tenant?

  • Robin, the walkthrough was really helpful. Using a DEP device, I’m stuck at the Remote Management screen; the configuration is not available. Any ideas?

  • Thanks a million for publishing this article.
    We are migrating a bunch of iPads from MobileIron to Intune and this was a big help.
    I wish we didn’t have to reformat them all, but such is life with Apple and DEP.

  • Hi Robin, how are you doing?
    Thanks a mil for such a nice, wonderful tutorial on Intune configuration for Apple. That was really nice of you, and I really appreciate it. Please, I have a question: how did you add the VPP token when you were creating the device profile?

      • Hi Robin, thanks a lot for the quick reply. I configured DEP first and DEP is now in sync with our Intune server, just as I followed your tutorial, but when creating the profile I am not sure how to add the VPP token I downloaded from our Apple Business Manager in Intune (Install Company Portal with VPP). Any clue how I can do that? I don’t want to use an Apple ID during enrollment. Thanks a lot Robin

  • Hi Robin, thanks for your quick reply. Please can you let me know how I can add the VPP token, whether it should show up automatically, or how you got it configured? Thanks a lot

    • Hi Anthony, you can configure Apple VPP in the following location: Microsoft Intune > Client Apps > iOS VPP tokens. Once configured it will sync automatically.

  • Robin,
    So I’ve migrated from Meraki to MS Intune and with the migration I’m upgrading folks from iPhone SE to iPhone 6s.

    Is this best practice? I run a backup of the user’s old device (iPhone SE) to iCloud, then I’ve been doing a restore to the new device (iPhone 6s) that I have in DEP, then making sure it’s in MS Intune.

    It was working fine for a bit, but I’ve noticed on some that if I do the restore on the new device it will skip the Device Management piece. Since I’ve noticed this I’ve just set up the device, then logged the user into iCloud and turned on all the options to sync, BUT have noticed not everything will sync back from time to time.

    Thoughts?

    I was going to try what Alexander Bunk commented · November 8, 2018 8:01 AM had suggested at the bottom of the page…
    https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/34053418-ios-backup-recovery-apple-dep-program-dep-prof

    Thanks for any assistance you can provide!

    • Hi Chris
      The way to do this is not to restore the backup of the device during the DEP enrollment. You should “just” enroll the device and let the user do a selective restore afterwards. Go into Settings -> iCloud on your iOS device.
      If you restore a backup during DEP and the device wasn’t DEP’ed when the backup was made, you will run into the issue you are seeing.

  • Great article. I have one question. Currently I am on the Office 365 Business Premium plan. If I only buy a Microsoft Intune license, will that do?

  • Hi Robin,
    Great article
    I had a few doubts about applications getting integrated with Intune after the migration. Can we deploy all the applications available on the Apple App Store through Intune? And what kind of applications can’t be integrated with Intune?

  • Hello,

    Thank you Robin for this wonderful blog.

    I have a question: can we have multiple DEP accounts on Microsoft Intune, for example a DEP per country (as we have different offices, and each office has its own vendor)?

    Thanks in advance

    Best regards,
    Raphael

  • Hi Robin,
    Thanks for your article.
    I’ve configured everything following your guide but I’m still getting an error from Apple.
    When I’m trying to add a new device by serial number to enroll in our Microsoft Intune I’m getting “Issue”.

    Any idea how to solve it?

    Thanks,
    Alex K

  • Hi, great article.
    Whenever I click next on Remote Management, the next screen says “Invalid Profile”. I did everything exactly like you did…

    Can you help?
    Thanks.
    Robert

About Robin Hobo


I work as a Senior Solution Architect with focus on the Modern Workspace. I am specialized in Azure Virtual Desktop (AVD), Windows 365 and Microsoft EM+S (including Microsoft Endpoint Manager - Microsoft Intune).

For my full bio, check the About Me page.
