This article addresses common questions, problem scenarios, and best practices associated with Automated Device Enrollment and Workspace ONE UEM. The Automated Device Enrollment Program, commonly referred to as "ADE" (formerly DEP), belongs to Apple Business Manager and Apple School Manager. It is the successor to the Apple Deployment Program.

Contents

Introduction to Automated Device Enrollment Program (ADE) (Formerly DEP)
- What is Automated Device Enrollment Program (ADE)?
- What are the prerequisites for integrating Apple Automated Device Enrollment Program?
- Does it include all Apple OS devices?
- What advantages does this offer over standard device enrollment via the Intelligent Hub application, Web-Based enrollment, or the new "User Enrollment"?

Common Questions/Best Practices
- What is the Automated Device Enrollment Program (DEP) server token? Do I as an administrator need to manage this?
- Can multiple Automated Device Enrollment Program (DEP) tokens be used in a console environment?
- What are the terms and conditions used for? What is this referring to when I see this in the console?
- What is the sToken server token?
- Is there a difference between an Automated Device Enrollment "Supervised" device and an Apple Configurator 2 "Supervised" device?
- To associate devices into the Automated Device Enrollment Program, do you have to enter all of the devices' serial numbers in the Apple Business Manager site?
- How often do the Apple Business Manager and UEM console update?
- If I "release" or "un-assign" a device in the Apple Business Manager (ABM) console, does this affect the current enrollment status of this device?
- If the token is expired in the Apple Business Manager (ABM) console, does this affect the current enrollment status of this device?
- What is the recommended method for authentication in the automated enrollment profile (DEP profile)?
- What does "Not Applicable" mean on the Token Status of the lifecycle status page in the UEM console?

Enrollment Issues, Configuration Queries, and Respective Solutions
- I am having an issue with the automated enrollment profile (DEP profile) I have created for my devices in the Workspace ONE console. Can this be resolved by an admin?
- Is it possible to enforce "token-enrollment" as well during the automated enrollment flow?
- Enrollment is failing. During Automated Device Enrollment (DEP) on devices we are getting "timeout" errors. Why is this getting stuck?
- Why does the Apple Business Manager portal show fewer devices than the Workspace ONE Console lifecycle page?
- Why isn't my device prompting for remote management out-of-the-box? I believe I have set up Automated Device Enrollment (DEP) enrollment correctly.
- Instead of skipping location services within the automated enrollment profile configuration during the iOS Setup Assistant on the device, can you enable it automatically?

Introduction to Automated Device Enrollment Program (ADE) (Formerly DEP)

Q: What is Automated Device Enrollment Program (ADE)?

A: The Automated Device Enrollment Program helps organizations easily deploy and configure Apple devices (iOS, iPadOS, macOS, tvOS). Using the Automated Device Enrollment Program, organizations benefit from a streamlined out-of-box MDM onboarding process. This can be configured to require varying levels of end-user interaction, including "Zero-Touch".

Q: What are the prerequisites for integrating Apple Automated Device Enrollment Program?

A: To integrate with the Automated Device Enrollment Program, you must complete the following requirements:
- An Apple ADE (DEP) account: you must register for an account if you are eligible and have not already registered. Enroll with Apple using the Apple Enrollment Procedure if needed.

For additional information on using Apple's DEP to automatically enroll new devices with Workspace ONE MDM, please refer to the VMware Workspace ONE (formerly AirWatch) Guide for the Automated Device Enrollment Program (Formerly DEP). This information is slightly dated but still relevant.

Q: Does it include all Apple OS devices?

A: Organization-owned iOS, iPadOS, macOS, and tvOS devices purchased directly from Apple and Apple Authorized Resellers or Carriers are eligible to leverage Automated Device Enrollment Program functionality.
To add devices that you didn't purchase through these channels, like a donated iPad, learn how to manually enroll your devices.

Q: What advantages does this offer over standard device enrollment via the Intelligent Hub application, Web-Based enrollment, or the new "User Enrollment"?

A: A quick highlight of Automated Device Enrollment Program features includes:
- Mandatory and non-removable MDM enrollment
- "Over-the-Air" device Supervision
- Elevated restriction capabilities over non-supervised iOS devices
- Skipped panes for a streamlined Apple OS Setup Assistant on devices, and enforced defaults for the Setup Assistant
- Custom enrollment to brand the Setup Assistant process and offer additional security during enrollment authentication
- OS update management for managed Apple devices
- Locating supervised iOS/iPadOS devices, regardless of device settings or Intelligent Hub installation status

Common Questions/Best Practices

Q: What is the Automated Device Enrollment Program (DEP) server token? Do I as an administrator need to manage this?

A: This token is used by the Automated Device Enrollment Program to link the MDM instance in the Apple Business Manager console and the Workspace ONE UEM console. This token must be valid, is renewed annually, and is responsible for continuous operation between Workspace ONE UEM and Apple. This token is managed by the Workspace ONE Console admin. Like the APNs certificate, it is not renewed by VMware for customers.

Q: Can multiple Automated Device Enrollment Program (DEP) tokens be used in a console environment?

A: You can certainly use multiple Automated Device Enrollment (DEP) tokens in "separate but equal" parent organization group (OG) levels within the console. However, the level at which a token is set for a parent organization group inherits down that one branch of parent-to-child organization group levels. Generally speaking, it is best to have one token/device enrollment program integration for the entire environment. This configuration then inherits from the Global (highest level) parent organization group to all child (sub-organization) groups. This way only one Automated Device Enrollment Program token needs to be managed, much like the Apple APNs certificate; both are renewed annually.

Q: What are the terms and conditions used for? What is this referring to when I see this in the console?

A: These are Apple's terms, and they change based on releases of new products or software enhancements, typically annually. To see the potential impact and method of acceptance, please review Apple Business Manager - Terms and Conditions Update Alert.

Q: What is the sToken server token?

A: This token is utilized to associate volume purchases with users or devices using endpoints for Mobile Device Management (MDM), provided by the Volume Purchase Program (VPP). This token must be valid and is also renewed annually. Simply put, it is the token which allows iOS app licenses to be distributed for easy iOS app deployment. Please see FAQs: Integrating Apple's Volume Purchase Program (VPP) with Workspace ONE for more details.

Q: Is there a difference between an Automated Device Enrollment "Supervised" device and an Apple Configurator 2 "Supervised" device?

A: Yes. To force OS updates on devices below iOS 10.3, the device must be "Supervised" by the Automated Device Enrollment Program when enrolling into Workspace ONE UEM. It is possible to prepare an Apple device as "supervised" before enrolling into Workspace ONE using the Apple Configurator 2 utility for macOS, but this is generally only done in corner-case scenarios where Automated Device Enrollment is unavailable. Devices "supervised" with this method are ineligible for update management.

Q: To associate devices into the Automated Device Enrollment Program, do you have to enter all of the devices' serial numbers in the Apple Business Manager site?

A: Yes, the devices need to be tied to an MDM server. This can be accomplished by associating the serial numbers to the MDM server within Apple Business Manager. You can either do this by entering the exact serial number of each device or by associating it with an order number that you received when you purchased the devices.

Q: How often do the Apple Business Manager and UEM console update?

A: The ABM console syncs changes with the Workspace ONE UEM console every 24 hours automatically. This can be triggered manually using the "Fetch" or "Sync" button, depending on your UEM console version, at Groups & Settings > All Settings > Devices & Users > Apple > Device Enrollment Program. This frequency can also be adjusted for on-premises deployments. Please see Use the DEP Sync Scheduler for more details.

Q: If I "release" or "un-assign" a device in the Apple Business Manager (ABM) console, does this affect the current enrollment status of this device?

A: No. This will only affect the device behavior for re-enrollment purposes. These changes will alter the records seen on the "lifecycle" status page at Devices > Lifecycle > Enrollment Status. In theory the configuration between ABM and Workspace ONE UEM can be removed entirely, and this will not cause currently enrolled devices to lose their connection to the MDM server. This will, however, alter the re-enrollment flow and remove the device from the automated enrollment cycle, defeating a key aspect of using automated device enrollment in the first place.

Q: If the token is expired in the Apple Business Manager (ABM) console, does this affect the current enrollment status of this device?

A: No. Same answer as above: all currently enrolled devices will remain enrolled.

Q: What is the recommended method for authentication in the automated enrollment profile (DEP profile)?

Note: This does not cover all use cases. For a more in-depth analysis of different use cases for automated enrollment, see this blog post.
A: The Automated Device Enrollment Program supports two specific authentication scenarios during the Setup Assistant for new device onboarding: ON and OFF. Please review the following:

Authentication = ON

By enabling authentication, the person onboarding a device must provide valid organization credentials (Username, Email, Managed Apple ID) before the device configures. Authentication in this flow prevents sensitive information (including credentials, applications, etc.) from installing on a device that is not associated with a pre-existing account.

Authentication = OFF

If Authentication is OFF, the device enrolls into device management without any user-authentication prompts during the Setup Assistant. This flow requires a preset "staging" account. This account is then associated in the automated device enrollment profile in the UEM console at Groups & Settings > All Settings > Devices & Users > Apple > Device Enrollment Program. On iOS and macOS, the Authentication OFF configuration is typically used for the staging flows Single-User Staging and Multi-User Staging or "Check-In/Check-Out."

To best secure sensitive user information in a staging workflow, VMware recommends the following:
- Leverage a staging user account without a real user persona that has access to corporate resources.
- Limit user-specific configurations such as Email, Certificate, Mobile SSO, etc. to only the end users.
- Deploy generic configurations (Wi-Fi) and applications (Workspace ONE Intelligent Hub) to the staging user.
- For iOS, in addition to the above recommendations, leverage Show/Hide restrictions to hide all applications (except Workspace ONE Intelligent Hub) installed and "staged" to the staging user. This prevents access to staged applications with any automated application configuration that could contain organization-sensitive information.
- For macOS, in addition to the above recommendations, the Workspace ONE UEM solution by default follows native MDM best practices in handling user-sensitive information for Authentication OFF flows with both Single-User Staging and Multi-User Staging. Workspace ONE UEM requires the device to be domain-joined to authenticate the user before user-specific configurations and profiles are deployed.

For more information on staging flows, review the enrollment considerations.

Q: What does "Not Applicable" mean on the Token Status of the lifecycle status page in the UEM console?

A: Once devices are enrolled without using a token, the Token Status changes from "Registration Active" to "Not Applicable", since no token was used during enrollment.

Enrollment Issues, Configuration Queries, and Respective Solutions

Q: I am having an issue with the automated enrollment profile (DEP profile) I have created for my devices in the Workspace ONE console. Can this be resolved by an admin?

A: Depending on the issue, please review the following solutions:
- If the profile is stuck on "Assignment In Progress" status in the Workspace ONE console
- If there is an "Invalid Profile" error when enrolling

Q: Is it possible to enforce "token-enrollment" as well during the automated enrollment flow?

A: Yes. Please review Enable Registration Tokens for DEP Enrollment.

Q: Enrollment is failing. During Automated Device Enrollment (DEP) on devices we are getting "timeout" errors. Why is this getting stuck?

A: Please review Profile Installation Failed - Request timed out. ADE (DEP) devices for Workspace ONE (82472).

Q: Why does the Apple Business Manager portal show fewer devices than the Workspace ONE Console lifecycle page?

A: This may be caused when performing "Fetch Devices", as this will only return the devices currently in the ABM portal that are associated with the Workspace ONE Console; any devices which were removed will not be returned. To resolve this, compare the serial numbers in the Apple portal and the Workspace ONE Console by downloading the respective CSV files to determine which devices are not in the DEP portal. After adding those serial numbers into the ABM portal, perform a Sync.

Q: Why isn't my device prompting for remote management out-of-the-box? I believe I have set up Automated Device Enrollment (DEP) enrollment correctly.

A: There are a few common reasons for this scenario. Review the following:
- Ensure that your Automated Device Enrollment Program (DEP) token has not expired by navigating in the Admin Console to Groups & Settings > All Settings > Devices & Users > Apple > Device Enrollment Program.
- Ensure that you have accepted Apple's Terms and Conditions within the Apple portal by logging into Apple's DEP portal.
- Ensure the device has an ADE (DEP) Profile assigned by navigating in the Admin Console to Devices > Lifecycle > Enrollment Status, searching for the device by serial number, and confirming the record displays the status "Registered".
- Factory reset your device using iTunes or Apple Configurator 2.
- Ensure the device is connected to an open network during the Setup Assistant. Otherwise, confirm your network has access to all network hosts and ports required to use your Apple products on enterprise networks.

Q: Instead of skipping location services within the automated enrollment profile configuration during the iOS Setup Assistant on the device, can you enable it automatically?

A: Currently, there is no way to automatically enforce location services as enabled. When a pane is skipped, the default setting for that feature is used. It is recommended that you do not skip the location services pane so that users can choose to enable it.
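The serial-number comparison described above (Apple Business Manager export versus Workspace ONE lifecycle export) is tedious to do by eye for more than a handful of devices. The following script is an added example written for this article; it is not VMware or Apple tooling. It assumes both exports carry a "Serial Number" header and uses constructed sample rows; change the two column constants to match the headers in your own CSV downloads.

```python
"""Compare serial-number CSV exports from Apple Business Manager (ABM) and the
Workspace ONE UEM lifecycle page, and report devices present on one side only.

Added example for this KB article, not VMware or Apple tooling. The column
headers below and the sample rows are assumptions/constructed data.
"""
import csv
import io

# Assumed header names for the two exports; adjust to match your own files.
ABM_SERIAL_COLUMN = "Serial Number"
UEM_SERIAL_COLUMN = "Serial Number"


def normalize_serial(value: str) -> str:
    """Trim whitespace and upper-case so values from both systems compare equal."""
    return value.strip().upper()


def load_serials(csv_text: str, column: str) -> set[str]:
    """Read one CSV export and return the set of normalized serial numbers.

    Blank rows (e.g. trailing empty lines) are ignored. A missing header is
    reported with the headers that were actually found, which is the usual
    cause of an empty comparison.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    if reader.fieldnames is None or column not in reader.fieldnames:
        raise KeyError(f"column {column!r} not found; headers are {reader.fieldnames}")
    serials = set()
    for row in reader:
        serial = normalize_serial(row.get(column) or "")
        if serial:
            serials.add(serial)
    return serials


def compare_exports(abm_csv: str, uem_csv: str) -> dict[str, list[str]]:
    """Return the serials missing from each side, sorted for stable output.

    missing_from_abm: in the UEM lifecycle export but no longer in ABM. A Fetch
        never refreshes these records; add the serials back in ABM, then Sync.
    missing_from_uem: in ABM but not yet in UEM; a Sync should pull them in.
    """
    abm = load_serials(abm_csv, ABM_SERIAL_COLUMN)
    uem = load_serials(uem_csv, UEM_SERIAL_COLUMN)
    return {
        "missing_from_abm": sorted(uem - abm),
        "missing_from_uem": sorted(abm - uem),
    }


# Constructed sample exports (not real devices, not the real export layouts).
SAMPLE_ABM_CSV = """Serial Number,Model,Order Number
SERIAL0001,iPad,ORDER-A
serial0002 ,iPad,ORDER-A
SERIAL0004,MacBook,ORDER-B
"""

SAMPLE_UEM_CSV = """Serial Number,Profile Status,Token Status
SERIAL0001,Registered,Registration Active
SERIAL0002,Registered,Registration Active
SERIAL0003,Registered,Registration Active

"""


def main() -> None:
    result = compare_exports(SAMPLE_ABM_CSV, SAMPLE_UEM_CSV)
    print("In UEM but not in ABM (add to ABM, then Sync):", result["missing_from_abm"])
    print("In ABM but not in UEM (run a Sync):", result["missing_from_uem"])


if __name__ == "__main__":
    main()
```

With real exports, replace the two sample strings with the file contents (for example `open(path, newline="").read()`) and check both lists: the first is the set the answer above tells you to re-add in ABM before syncing; the second usually clears on its own after a Sync.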
For more information on managing device assignments, see Apple Business Manager Help.

For more information regarding Automated Device Enrollment Program (ADE) (Formerly DEP), see:
- Introduction to Apple Business Manager
- DEP Profile stuck in "Assignment in Progress"
- DEP devices not syncing with Workspace ONE UEM Console
- Unable to assign or remove DEP profile
- How to unenroll, re-enroll, and reconfigure DEP devices
- How to renew the Apple sToken for DEP deployments on Workspace ONE (50115441)
- How to unenroll, reconfigure, and re-enroll DEP devices (80539)
- DEP devices not syncing with Workspace ONE UEM Console (80534)
- DEP profile status shows "Assignment in Progress" on Workspace ONE (50101161)
- Custom Enrollment in DEP
- Shared iPads for Business

Disclaimer: VMware is not responsible for the reliability of any data, opinions, advice, or statements made on third-party websites. Inclusion of such links does not imply that VMware endorses, recommends, or accepts any responsibility for the content of such sites.