Notes from the Field:
SCCM/Intune and Apple Device Enrollment Program
Hi there! Thinking about taking advantage of the new integration of Apple DEP (Device Enrollment Program) capabilities of Microsoft Intune and System Center Configuration Manager 2012 R2 SP1? Then this post is for you!
What is Apple DEP?
Apple DEP is a program that allows companies to purchase Apple products that can be assigned to an MDM platform such as Microsoft Intune and automatically enrolled in it upon activation. You use an online portal (deploy.apple.com) to assign devices, either individually or in bulk from CSV files or order numbers, to a configured MDM server. In order to take advantage of this, the device must be purchased either from Apple directly or from an authorized third-party reseller, such as AT&T, Verizon, Insight Global, etc., and be tied to your Apple DEP ID.
There is a great PDF located here that dives a little deeper.
When this new feature came to SCCM 2012 R2 with SP1 I was super excited. Wireless supervision (which lets you disable Activation Lock when Find My iPhone/iPad is turned on), automatic enrollment in Intune upon iOS activation, what’s not to love!? Well, hold on just a sec… Before you go down this road, let’s talk about this.
Should you use Apple DEP?
Well I am glad you asked! There are some limitations of using DEP that require you to answer a couple of questions before deciding.
- Do you want to take advantage of Conditional Access? If the answer is Yes, do not use Apple DEP.
Conditional Access is the ability to restrict access to company email or SharePoint Online until the device is enrolled in Microsoft Intune. More info here.
- Do you want to deploy Microsoft mobile Office apps like Word, Excel, OneNote, etc.? If the answer is Yes, do not use Apple DEP.
- Do you want to be able to use the Microsoft Intune Company Portal app to make optional applications available to your users? If the answer is Yes, do not use Apple DEP.
Note: The Microsoft Intune Company Portal App is available for free in all major app stores.
If you answered Yes to any of the above, then you must enroll each device using the Microsoft Intune Company Portal app and skip DEP. None of the features mentioned above work on a DEP-enrolled device at this time. In fact, if you install the Company Portal on a device that is DEP enrolled, you will be prompted to enroll the device. If you proceed with that process, the statement from a Microsoft employee on TechNet was “Bad things will happen”. Unfortunately no detail was given, but I am assured they are working on better integration with DEP.
If you answered No to ALL of the above and want to take advantage of Apple DEP integration, read on.
Note: Microsoft has stated that they are working on a solution that would allow DEP and Company Portal functionality to coexist. Stay tuned!
Step By Step: Adding Apple DEP support to Intune Integrated with SCCM
Note: This post assumes you are running SCCM 2012 R2 SP1 (Required) and have already integrated your Intune Subscription.
So first things first, you must enroll your organization into the Device Enrollment Program. Visit https://deploy.apple.com to get started. This process can take a few days before you can use it so start that process now, then come back once enrolled. 😉
- From your SCCM Admin Console, navigate to Administration > Cloud Services > Microsoft Intune Subscriptions
- Select your Microsoft Intune Subscription, then click Create DEP Token Request
- Type or browse to a location you want to save the token request file to and click Download
- Sign-in with an Intune Administrator account (any admin account will do)
- Once the download completes click the Apple Device Enrollment Portal Link
- Sign-in to the Apple DEP portal
- Click Device Enrollment Program
- Click Add MDM Server
- Enter a descriptive Name and click Next
- Click Choose file
- Navigate to the downloaded .PEM file and click Open
- Click Next
- Click Your Server Token to download. This is the file we will use within SCCM to connect Intune to our DEP MDM Server.
- Save the file (preferably in the same location as the .pem) then click Save.
- The Apple DEP portal portion of the configuration is now complete. Your MDM server will be listed with 0 devices assigned.
- Back in the SCCM Admin console, click Close if the request token dialog is still open, then click Configure Platforms > iOS
- Select the Apple Device Enrollment Program, click to enable and click Browse
- Browse to the location you downloaded the DEP token to and click Open
- In the Apple ID field, enter the Apple ID account name that will be used to authenticate to the App Store for downloading iOS apps, then click Upload
- Sign-in with an Intune Administrator account (any admin account will do)
- Click OK to complete the process of Apple DEP integration with SCCM
SCCM will begin syncing with Apple DEP. Any devices you assign to the configured MDM server in the Apple DEP portal will appear shortly in the Assets and Compliance > All Corporate-Owned Devices > iOS > Devices node.
Now that Apple DEP integration is complete, you will want to create one or more Enrollment Profiles and assign them to your DEP-synced devices prior to activating them. Let’s create one!
- From the SCCM Admin console, navigate to Assets and Compliance > All Corporate-Owned devices > iOS > Enrollment Profiles
- Give the profile a name, then decide if you want to Prompt for User Affinity. If you select this, the user will be prompted during the initial iOS Setup screens to enter their corporate account (in UPN format). This creates a user affinity association in SCCM, so if this device is going to an individual I would recommend setting Prompt for User Affinity. Then click Next.
- Enter a Department name and Support phone number, then choose whether to Supervise the device (again, this is what allows Activation Lock to be disabled!) and whether or not the profile is locked to the device (i.e. the user cannot remove it, unlike Company Portal enrollment), then click Next.
- Select the options you want displayed to the user during the setup assistant and click Next.
- Determine if you want to allow the device to be configured via Apple Configurator and click Next.
- Review the Summary then click Next.
- Click Close when complete.
- Assign one or more devices by clicking the Assign to Devices button.
- Select the device and click Add.
- Click OK
The device is now assigned to the enrollment profile. You can ship the device directly to a user, and when the device acquires an internet connection during the Setup Assistant the profile will be applied, the device will enroll in Intune, and it will appear shortly thereafter in the All Mobile Devices collection in SCCM.
Any additional configuration such as compliance settings you have targeting a collection that the device is a member of will come down shortly after as well.
So there you have it. Apple DEP can be very useful, under the right circumstances!
Update 1/11/2016: Microsoft has released an update to the Company Portal app for iOS that now allows integration with DEP. I haven’t personally tested this, but it is encouraging news! Read more here:
https://blogs.technet.microsoft.com/intunesupport/2015/12/28/update-to-company-portal-brings-benefits-to-corporate-owned-ios-devices/