In the January 2019 update of Microsoft Intune, new Apple DEP capabilities became available. With the latest release of iOS, more screens are displayed during the initial setup of an iPhone or iPad, for example Screen Time and Onboarding. With this update, Microsoft Intune can hide these screens through the Setup Assistant Customization settings.
For me, this was perfect timing. I had a customer who wanted to migrate from another MDM solution to Microsoft Intune and also use Apple DEP. They were immediately able to use these new features of Microsoft Intune. This inspired me to write this blog to explain how Apple DEP could be configured within Microsoft Intune and also how to migrate existing DEP devices to Microsoft Intune.
What is Apple DEP?
Every iOS or macOS device that starts up for the first time (new out of the box or after a factory reset) must be activated by Apple. This process happens automatically. With the Apple Device Enrollment Program (DEP) you can, based on the serial number, indicate which devices are company-owned and start an automatic MDM enrollment on these devices during activation. Once this is configured, the end user cannot bypass the enrollment process. In this way the company always keeps control of the device and can protect company data, even after a factory reset of the device.
In this blog
This blog will cover the following steps:
- Configure Apple DEP within Microsoft Intune
- Create an Apple DEP Profile
- Assign devices to Microsoft Intune
- Test the results
Step 1: Configure Apple DEP within Microsoft Intune
The first step is to connect your Apple DEP account with Microsoft Intune. Log in to the Microsoft Azure Portal for the next steps.
Navigate to: Microsoft Intune > Device enrollment and click Enrollment program tokens
Click the + Add button
Tick the I agree checkbox (if you do) and click Download your public key
Open a new browser tab and log in to the Apple DEP Portal / Apple Business Portal with your Apple ID.
Open the MDM Servers page and click Add New MDM Server
Give the MDM Server a name, in this case Microsoft Intune. Click Upload File and browse to the public key you just downloaded from the Microsoft Intune console.
Click Get Token
Click Download Server Token
Go back to the Microsoft Intune console. Fill in your Apple ID and upload the Server Token you just downloaded from the Apple DEP console. Click Create
Step 2: Create an Apple DEP Profile
The second step is to create an Apple DEP Profile and assign this profile to devices.
Click the Apple DEP server you just created.
Open the Profiles tab and click Create profile
Give this profile a name and a description. Select the Platform (iOS or macOS). Select whether you want to use the Company Portal app for authentication instead of the Apple Setup Assistant. I will set this to Yes.
If you are using Apple VPP for deploying the Company Portal (recommended) select your VPP token.
You can choose if you want to run the Company Portal in Single App Mode until authentication. I think this is a great feature and I have selected Yes (see the results in the last step of this blog).
Open the Device management settings page. Here you can configure whether you want a locked enrollment (so that users cannot remove the MDM profile) and whether the device can be synced with a computer.
Click OK
Open the Setup Assistant customization page. Fill in the Department name and the Department phone. Under Setup Assistant Screens you can configure which screens appear during the initial setup of the device. For this demo, I set everything to Hide
Click OK and click Create
Devices must be assigned to this profile. Alternatively, you can set this profile as the default so that every new device is assigned to it automatically. To configure this, click Set default profile
Select the iOS Enrollment Profile you just created and click OK
Step 3: Assign devices to Microsoft Intune
Devices need to be assigned to Microsoft Intune within the Apple Business Portal / Apple DEP Portal. Log in to this portal for the next steps.
Click Device Assignments. On this page you can assign devices to an MDM Server. These can also be existing devices that are currently assigned to another MDM Server, as in this case. Fill in the Serial Number(s), and under Choose Actions select Assign to Server and select Microsoft Intune as the MDM Server.
Click OK
When you take a look at the MDM Server page, you can see the number of devices assigned to each server.
Go back to the Microsoft Intune portal and open the Devices page. Click Sync. All assigned devices will appear in a few minutes.
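As an added example (not part of the original post), the same checks can be done from PowerShell instead of the portal: token expiry, whether a default enrollment profile exists, a sync, and which synced devices still have no profile (the state behind the "configuration is not available" screen). It uses the Microsoft.Graph PowerShell SDK against the Graph beta depOnboardingSettings endpoints; the endpoint and property names are my understanding of the beta API and are assumptions to check against the current Graph documentation.

```powershell
# Added example, not from the original post. Beta endpoint and property names
# (depOnboardingSettings, enrollmentProfiles, importedAppleDeviceIdentities,
# syncWithAppleDeviceEnrollmentProgram, requestedEnrollmentProfileId) are assumptions.
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.ReadWrite.All'
$base = 'https://graph.microsoft.com/beta/deviceManagement/depOnboardingSettings'

# One entry per enrollment program token; the post connects a single one.
$tokens = (Invoke-MgGraphRequest -Method GET -Uri $base).value
foreach ($t in $tokens) {
    # Check 1: an expired server token silently stops automatic enrollment.
    $daysLeft = ([datetime]$t.tokenExpirationDateTime - (Get-Date)).Days
    Write-Host "Token $($t.appleIdentifier): expires in $daysLeft days, last successful sync $($t.lastSuccessfulSyncDateTime)"
    if ($daysLeft -lt 30) {
        Write-Warning 'Renew the server token in Apple Business Manager before it expires.'
    }

    # Check 2: without a default profile, newly synced devices get no profile (Step 2).
    $profiles = (Invoke-MgGraphRequest -Method GET -Uri "$base/$($t.id)/enrollmentProfiles").value
    if (-not ($profiles | Where-Object { $_.isDefault })) {
        Write-Warning 'No default enrollment profile is set for this token.'
    }

    # Check 3: trigger the same sync as the Sync button (Step 3). Apple rate-limits
    # full syncs, so run this on demand, not in a loop; the sync is asynchronous.
    Invoke-MgGraphRequest -Method POST -Uri "$base/$($t.id)/syncWithAppleDeviceEnrollmentProgram" | Out-Null

    # Check 4: list serials Intune knows about that still have no profile assigned.
    $devices = (Invoke-MgGraphRequest -Method GET -Uri "$base/$($t.id)/importedAppleDeviceIdentities").value
    $devices | Where-Object { -not $_.requestedEnrollmentProfileId } |
        ForEach-Object { Write-Warning "Serial $($_.serialNumber) has no enrollment profile assigned." }
}
```

Because the sync runs asynchronously, re-run the script a few minutes later to see devices that were assigned in the Apple portal after the previous sync.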
Step 4: Test the results
Now that everything is configured, let's test the results on a new Apple iPad.
Press the Home button
Select your Language
Select your Country or Region
Press Set Up Manually
Connect to the correct Wi-Fi Network
The MDM enrollment will now start. Press Next
And that's it, just as we configured it, with no additional setup screens. Click Get Started.
The Intune Company Portal app is automatically installed and launched. Before authentication the user cannot do anything else. Log in with your company credentials.
Click Begin
If a Passcode policy is pushed to the device, like in this case, the user gets prompted to set a new Passcode.
Click Done
All other applications are installed automatically without any Apple ID (if using Apple VPP), and the iPad is released for use.
Hi! Great post.
What would you say is the advantages and disadvantages with enrolling using company portal?
In my opinion, using Setup Assistant is an even more seamless end-user experience. The only downside I have discovered so far is no MFA support.
Thanks. It's as you say. No modern authentication modes are supported with Setup Assistant. Another advantage of using the Company Portal app for authentication is that you can push apps device-based before the user authenticates.
"Before the user authenticates".
Is it possible to push the MS Authenticator app before the user authenticates, and then use the Authenticator app for MFA when enrolling in Intune with the Company Portal?
Brilliant blog, thanks so much for putting this together! Could you also cover retrospectively enrolling devices into DEP (via Apple Configurator)?
Thanks Dean, unfortunately I don’t own a Mac OS device so I’m not able to make this blog at this moment. Hope to make this blog in the near future.
Thanks
If the above is configured and devices (iPhones, MacBooks and iPads) are automatically enrolled, does this mean the devices can never be removed (by an end user) from Intune?
Hi Dan, yes that is correct. After a factory reset, the device will automatically re-enroll itself with Intune again.
Thank you – this is a great up to date blog!
Nice blog. Quick question: how can we assign devices to a new DEP profile from a different O365 tenant (different MDM server)? My situation is that I am moving devices completely from one tenant to another tenant, so I need to assign a new profile, I believe, and for that I need to do all these steps from scratch, as well as end users having to do all these steps again? Is there a way to do this switch without any effect on end users?
Hi Raj,
There is always the need to re-enroll the device after moving from one DEP profile to another for it to take effect.
What to do is the following:
1) Add the new MDM server to your current DEP account.
2) Unassign the devices you want to move to the new tenant.
3) Assign the devices to the new tenant within DEP
4) Factory reset the devices to enroll to the new tenant
Regards,
Robin
This is a great article
One question I do have. We currently have this setup, new devices purchased from our supplier are added into our DEP account and we can add them into Intune.
Is it possible to have these migrated to a new Intune tenant?
Yes, see my previous reply.
Do you know what the option Sync with computers actually does when creating a profile?
Robin, the walkthrough was really helpful. Using a DEP device, I'm stuck at the Remote Management screen; the configuration is not available. Any ideas?
Got it. Had to do another sync inside of Intune to DEP.
Thanks a million for publishing this article.
We are migrating a bunch of iPads from MobileIron to Intune and this was a big help.
I wish we didn’t have to reformat them all, but such is life with Apple and DEP.
Thanks, good to hear!
Hi Robin, How are you doing?
Thanks a million for such a nice, wonderful tutorial on Intune configuration for Apple. That was really nice of you, and I really appreciate it. Please, I have a question: how did you add the VPP token when you were creating the device profile?
Hi Anthony, thanks! I configured VPP before the configuration of DEP.
Hi Robin, thanks a lot for the quick reply. I configured DEP first, and DEP is now in sync with our Intune server, just as I followed your tutorial, but when creating the profile I am not sure how to add the VPP token I downloaded from our Apple Business Manager in Intune (Install Company Portal with VPP). Any clue how I can do that? I don't want to use an Apple ID during enrollment. Thanks a lot, Robin.
Hi Robin, thanks for your quick reply. Please can you let me know how I can add the VPP, which should show up automatically, or how you got it configured? Thanks a lot.
Hi Anthony, you can configure Apple VPP at the following location: Microsoft Intune > Client Apps > iOS VPP tokens. Once configured, it will sync automatically.
Robin,
So I’ve migrated from Meraki to MS Intune and with the migration I’m upgrading folks from iPhone SE to iPhone 6s.
Is this best practice? I run a backup of the user’s old device (iPhone SE) to iCloud, then I’ve been doing a restore to the new device (iPhone 6s) that I have in DEP, then make sure it’s in MS Intune.
It was working fine for a bit, but I've noticed on some that if I do the restore on the new device it will skip the Device Management piece. Since I noticed this, I've just set up the device, then logged the user into iCloud and turned on all the options to sync, BUT have noticed not everything will sync back from time to time.
Thoughts?
I was going to try what Alexander Bunk (commented November 8, 2018 8:01 AM) had suggested at the bottom of the page…
https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/34053418-ios-backup-recovery-apple-dep-program-dep-prof
Thanks for any assistance you can provide!
Hi Chris
The way to do this is not to restore the backup of the device during the DEP enrollment. You should "just" enroll the device and let the user do a selective restore afterwards. Go into Settings -> iCloud on your iOS device.
If you restore a backup during DEP and the device wasn't DEP'ed when the backup was done, you will run into the issue you are seeing.
Good one!
Thanks
Great article. I have one question. Currently I am on the Office 365 Business Premium plan. Will buying only a Microsoft Intune license do?
For Apple DEP, yes, and if you also want to make use of Conditional Access you need Microsoft EM+S E3 (or E5) licenses.
Hi Robin,
Great article
I have a few doubts about applications getting integrated with Intune after the migration. Can we deploy all the applications available on the Apple App Store to Intune? And what kind of application can't be integrated with Intune?
As long as an application is available with Apple VPP (I think all public App Store applications are) you can deploy it with Intune.
Hello,
Thank you Robin for this wonderful blog.
I have a question: can we have multiple DEPs on Microsoft Intune, for example DEP by country (as we have different offices, and each office has its own vendor)?
Thanks in advance
Best regards,
Raphael
Thanks Raphael, yes, you can have multiple DEP accounts connected to Intune at the same time. Regards, Robin
Hi Robin,
Thanks for your article.
I've configured everything following your guide but am still getting an error from Apple.
When I'm trying to add a new device by serial number to enroll it to our Microsoft Intune, I'm getting "Issue".
Any idea how to solve it?
Thanks,
Alex K
You cannot add new devices like this. You can only assign existing devices to a new MDM server. Are the devices already in your DEP account?
Hi, great article.
Whenever I click Next on Remote Management, the next screen says "Invalid Profile". I did everything exactly like you did…
Can you help?
Thanks.
Robert
I got this error when I did not unassign the devices from the old MDM server first. Do you have this error on all your devices?