Apple Automated Device Enrollment (ADE) (2024)

Last updated
Save as PDF

Note: Apple Automated Device Enrollment (ADE) was formerly known as Apple Device Enrollment Program (DEP). ADE and DEP may be used interchangable in documentation, and ADE and DEP should be treated as the same things.

The Apple Automated Device Enrollment(ADE) allows administrators to pre-provision iOS, iPadOS, and macOS devices to automatically self-enroll into Systems Manager before even touching them, and provides an additional level of management control through bulkdevice supervision. This greatlysimplifiesadding and deploying iOS, iPadOS,macOS, and tvOS devices with Automatic Device Enrollment into Meraki Systems Manager. This article will cover how to use the Apple Automatic Device Enrollmentwith System Manager.

For additional information on ADE, including how to qualify for the program, please review Apple'sofficial deployment guide. Additional information can be found directly fromApple Business ManagerportalorApple School Managerportal.

Linking Systems Manager to Apple ADE

In order to use the Apple ADEwith Systems Manager, a Systems Manager deployment must be linked to an organization within ADE. These steps assume an Apple ID for the organization has already been created, as outlined in the Device Enrollment Program Guide. You can also use AppleBusiness Manager portal or AppleSchool Manager portal for the same functionality.

In Dashboard, create an EMMnetworkfor Systems Manager.
Navigate to Organization > Configure > MDM, then scroll down to theApple Automated Device Enrollmentsection.
Download the Meraki_Apple_DEP_cert.pem file provided.
- If someone has downloaded the .pem file previously, and the server token has expired, clickclear tokenin order to download the .pem file again.
In another browser window, go to theApple Business Manager or Apple School Manager portaland sign in with the Apple ID tied to the desired organization.
Click your name at the bottom left of the window, then clickPreferences
Click the + (plus) icon next to "Your MDM Servers"
Enter a Name for the MDM server in ADE, then click Next.
Click Choose File... and upload the .pem public key downloaded in step 3, then click Next.
Download the server token provided, then click Done.
Back in Dashboard, click on the Choose File button in the ADEsection.
Select/upload the server token downloaded in step 9.
Choose the default Systems Manager network where devices tied to this MDM server in DEP will be enrolled.
Click Save Changes.

If you encounter an error uploading the server token to Dashboard, make sure that the file name ends in 'smime.p7m' without any trailing characters like '(1)' that may appear from downloading multiple copies of the file.

The last downloaded DEP token on the Apple portal is the only one that MDMs can sync with. You may see error "Sync failed: Unable to connect to Apple's servers at this time." or"Sync failed. Please try again later." in the event that the current token is unable to sync. The Apple portal shows the following warning if someone tries to download a token twice:

In this case, the token would need to be renewed againin order to continue syncing with Meraki Systems Manager.

Renewing a ADEToken

Apple ADE tokens last for one year by design. To continue enrolling via ADE:

In your Meraki Dashboard navigate to Organization > MDMand click on the Apple ADE Server you want to renew. In theEdit DEP Serverwindow press Update Token.
Then, press download your public key cert to download theMeraki_Apple_DEP_cert.pem file.
Log in to theApple Business Manager or Apple School Manager portal.
Click your name at the bottom left of the window, then clickPreferences
Scoll down toMDM Servers, then Click on the MDM server to renew ("Meraki MDM" in the screenshot below).
Click on Edit and then click on Upload New...
Upload theMeraki_Apple_DEP_cert.pem file and click Apply to save.Then press on Download Token to download the Meraki_Token_smime.p7m file.

See Also
Frequently Asked Questions | Communications & Network Services Can My Boss Monitor Me?: 5 Ways Your Boss May Be Legally Watching Your Remote Work Life What Can My Employer Track | Illegal Employee Monitoring Can Someone See Your Texts if You Use Their Wi-Fi?
Now back in your Meraki Dashboard upload theMeraki_Token_smime.p7m file to Meraki to finish updating your DEP token.

After this process is finished, the token is valid for another 365 days.

If the existing ADE token is cleared or theADEserver is deleted instead of renewing the token, all associated ADE settings profiles will be removed from the Systems Manager > ADE page and will have to be re-created manually.

Importing Devices

Devices purchased with your Apple Customer Number or Reseller Number appear automatically in Apple Business Manager. You can also manually add devices you own usingApple Configurator. Reference to Apple Business Manager User Guide.

To sync the devices from your Apple ADE server into System Manager, there are two ways.

Navigate to Systems Manager > Manage > ADE, this will cause a partial sync between System Manager and Apple ADE server.
If devices are missing, you can try a full sync by clicking on thefull syncbutton in the top right of the page.

Note: To be eligible, devices must have been purchased directly from Apple within the last three years, or through participating resellers and carriers. This requirement will be changing with iOS 11, which will allow users to add iOSor iPadOSdevices from any purchaser into DEP. For more information regarding this and supported countries, please refer to Apple's Device Enrollment Program page.

iOS 11+ devices can be added into an existing ADE account through Apple Configuratoron macOS, even if it was not purchased from Apple or an Apple reseller. For steps on how to do this, see this article.

And on macOSdevices with Apple Silicon, add them to your organization's ADE account with an iOS device running the Apple Configurator app. More information here.

Applying Settings to Devices

ADE settings are applied during setup assistant, either upon setting up the device for the first time, or after a factory resetfor devices already in use.

ADE Enrollment Status

There are 3 states for the 'ADEenrollment' status column. If you've just synced your devices from the ADEserver into Systems Manager, they will be labeled 'Empty'.

Empty: The default state when devices are first synced from ADE into Systems Manager. This means that the device has no ADE settings assigned to them.
Assigned: This means new ADE settings have been assigned to the device, but not yet applied. Upon initial setup, or after a factory reset, the applied settings will take effect.
Pushed: This means the device has its ADE settings applied. You can see information on what settings were pushed, and when, on the other columns of the table.

NOTE: ADEPush status is onlyrelatedto Device Enrollment status, and does not strictly determine it. This means that you may have devices which show their ADEpayloads as 'Empty' which have already been enrolled (and therefore, have a valid link to their Device Details page in the Name column), and devices which show their ADEpayloads as 'Pushed' but have yet to complete enrollment (most often because they stopped at the authentication step).

Assigning Settings

After devices have been assigned to Systems Manager via ADE, they will automatically be enrolled in the default Systems Manager network upon setup. Additional configurations such as supervising the device or skipping setup steps will further customize and streamline your deployment.

Navigate to Systems Manager > Manage > ADE within the Systems Manager network.
Click the checkbox next to any devices that require settings be applied.
Click Assign settings.
If you have existing setting profile created, select it from the dropdown. Otherwise, create a new one and complete the fields/selections that appear in the setup:

Profile details

Name: A friendly name for the group of settings profile applied.
Department: Display the organization department the iPad is assigned to. This is displayed during setup.
Support phone number: A number provided to users during setup if help is required.
See Also
Register your personal device on your work or school network
Support email address: An email addressprovided to users during setup if help is required.

Options

Skip: Allows you to specify pages during the setup process to skip, e.g. hiding the prompt to set or sign into an Apple ID. These can be completed later if needed.
Use network's user authentication: Meraki Authentication: This is enabled by default for security.When enabled, ensure a Meraki Managedowner is available and network enrollment authentication is enabled from SM > General > Enrollment settings > Authentication. To enroll without authentication disable this option and leave the enrollment URL blank.
Supervising host certificate: Devices are only allowed to pair with computers that have the matching keypair.Note: If left unconfigured and no pairing restriction payload is assigned, the device will have the ability to pair with any computer.
Removable: When checked, the management profile can be removed by the user. When unchecked, the management profile cannot be removed by the user. See here for more info.
Auto-advanced Setup Assistant: automatically clicks through the entire Apple Setup Assistant for the user to get to the desktop/homescreen as fast as possible.

iOS

Enable Shared iPad: Used for shared device deployments with Apple School Manager. Donotselect this unless you intendto use Temporary Guest Sessions or if you have Apple School Managerprovisioned with managed Apple IDs. See official Apple documentation here.
Quota size:The quota size, in megabytes (MB), for each user on the shared device, or if the quota size is too small, the minimum quota size. Provide either the QuotaSize or ResidentUsers. If you provide both values, the MDM server uses QuotaSize.
Resident Users:The expected number of users. If this value is greater than the value for the maximum possible number of users that the device supports, the MDM server uses that value instead. Provide either the QuotaSize or ResidentUsers. If you provide both values, the MDM server uses QuotaSize.
User session timeout:The timeout, in seconds, for the user session. The user session logs out automatically after the specified period of inactivity. The minimum value is 30 seconds. Setting this value to 0 removes the timeout. Available in iOS 14.5 and later.
Temporary sessions timeout:The timeout, in seconds, for the temporary session. The temporary session logs out automatically after the specified period of inactivity. The minimum value is 30 seconds. Setting this value to 0 removes the timeout. Available in iOS 14.5 and later.
Temporary sessions only:If true, the user only sees the Guest Welcome pane and can only log in as a guest user. If false, the user can sign in with a managed Apple ID. Available in iOS 14.5 and later.

macOS

Provisioning package: Installs a signed binary on macOS during the setup assistant.

To add new Provisioning Packages, click on Manage profilesin the SM > ADEpage, and then press the button for Manage provisioning packages.

Create a Name for the provisioning package, and then upload a .pkg, manifestupload .plist, or add a manifest url. This is what will be deployed during macOSSetupAssistant.

The package must be a signed binary. The open-source tool Hanco*ck can be used to assist with .pkg file signatures.

Create administrator account: the local admin of the macOS device.
- Hide admin account: Makes the admin account hidden to non-administrator accounts.
- Managed admin account:One user account will be managed. By default, the regular user account created during Setup Assistant will be managed. If you want to manage the admin account instead, select this option.
- Skip creation of primary account:When creating an admin account, you can choose to skip the creation of the primary user account during Setup Assistant.
Configure primary user account: the user's local account on the device.
- User account type: either regularor admin.Regular accounts corresponds to a 'Standard' user in macOS> System Preferences > Users & Groups. Admin accounts are local administrators.These options areonly available when an administrator account is created.
- Pre-fill using Systems Manager owner details: Set a Systems Manager Owner for the devices before enrollment, and the Owner's username and name information will be dynamically setfor each device.
- Lock user account information to prevent editing:macOS Setup Assistantdisables editing of account name and username fields.

Click Save and assign. At this point the 'ADE/DEPenrollment' status will updateto 'Assigned' for all the selected devices.

The devices can now be drop shipped direct to end-users so they can setup the devices using these settings. Or if the device(s) are already in use, they should be factory reset at this point. This is required to ensure the device is activated and configured with ADEsettings, as settings are only applied during the Apple Setup Assistant.

To factory reset to apply the ADEsettings to existing devices:
On macOS, restart in Recovery Mode and reinstall the operating system.
OniOSand/or iPadOS, navigate toSettings > General > Reset, then tap Erase All Content and Settings. Confirm by tapping Erase.

In some cases, this may be required for brand-new device as well, if device was activated(connected to Wi-Fi) before ADEsettings were assigned in Dashboard. For new deployments, it is important to assign these ADE settings before the devices connect online in their initial Setup Assistant.

In iOS and iPadOS, please chooseSet Up as NewDevice,or skip the "Restore from Backup" option entirely when assigning the ADEsettings. Apple does not recommend restoring fromiCloud, iTunes, or Migration Assistance backups if the supervision state of the device is changing. iCloud can be signed into after device setup to sync settings. Apple information related to this can be found here.

To apply configuration profiles andsettings to devices, the appropriate tags will need to be applied. These can be configured in advance so that once a device enrolls, the tags configured below are automatically applied.Profilesand apps tied to those tagswill then be automatically installed upon enrollment for a seamless experience.

Navigate to Systems Manager > Manage > ADE.
Click the checkbox next to any devices the tag must be applied to.
Click Tag.
Within the Add box, type the tag that should be applied to the device(s). If it is an existing tag, select it from the list. Otherwise, click Add option create a new tag. Tags must not contain spaces.
Click Add to apply the tag(s).

Now, any configuration profiles and apps scoped withthistag in Systems Manager will be applied to device upon initial setup.

Removing Settings

In the event a device needs to be reset and managed under different conditions, the settings applied via ADEcan be removed.

Navigate to Systems Manager > Manage > ADE.
Click the checkbox next to the device(s) in question.
Click Remove settings.

To overwrite existing settings, follow the previous steps for applying settings. Note that the newly assigned settings will not apply until the device has been factory reset.

If tags were applied to a device prior to enrollment, they can also be removed to prevent profiles and apps from associating.

Navigate to Systems Manager > Manage > ADE.
Click the checkbox next to the device(s) in question.
Click Tag.
In the Remove box, select any tags that should be removed from the device.
Click Remove.

Show/Hide Settings

To hide unused ADE settings presets from beingdisplayed when applying settings, hit the 'Show/Hide settings' option and uncheck the settings you wish to hide.

Recovering ADE Devices

If a ADE-enrolled device is removed from Systems Manager, it will not automatically reappear without taking additional steps to sync Dashboard with Apple ADE.
For specific instructions on ADE device recovery, please refer to our documentation for more info.

Clearing Apple ADE Token

There are some instances where a ADE token needs to be removed to resolve an issue, or to use a different MDM server on the Apple side. To do this, navigate to theOrganization > MDMpage. UnderApple Automated Device Enrollment, click theClear Server Tokenbutton. This will remove the existing token and allow a new one to be uploaded.

Note:Once the ADE token has been cleared, the client drop-down menu under Systems Manager > Manage > ADE with existing ADE settings will be cleared.

It is important to note that any devices that need to be associated with the organization in Dashboard must also be assigned to the new MDM server withinApple's ADEportal. So if the MDM server is changing, the devices should also be reassigned. Avoid doing this if possible when there are a large number of devices already assigned with settings, as clearing the ADEtoken will purge these assigned settings in the cloud (but not on devices themselves).It is also recommended that a list of assigned devices be exported to a spreadsheet, within the Apple site, to aid in the reassignment process.

Apple Automated Device Enrollment (ADE) (2024)

FAQs

How does Apple automated device enrollment work? ›

Auto Advance and Automated Device Enrollment (macOS)

The Mac locates the assigned MDM solution and is automatically configured based on settings from the MDM solution, including skipping all Setup Assistant panes. The user then enters a known user name and password at the Login window.

Read On ›

What is the Apple DEP device enrollment program? ›

The Device Enrollment Program (DEP) helps businesses easily deploy and configure Apple devices. DEP provides a fast, streamlined way to deploy organization-owned iPad and iPhone devices, Mac computers, and Apple TV purchased directly from Apple or participating Apple Authorized Resellers or carriers.

Discover More Details ›

How do I remove Apple device enrollment program? ›

To remove an enrollment profile from an iOS device:

On the iOS device, go to Settings > General > Profiles & Device Management (for iOS 16 go to Settings > General > VPN & Device Management).
Select your mobile device management profile.
Click Remove Management or Remove Profile.
Authorize the removal.

More items...

What is the Apple education device enrollment program? ›

The Device Enrolment Program (DEP) is a part of the Apple Deployment Programs (ADP), which help businesses and educational institutions easily deploy and configure iOS and OS X devices.

See Details ›

What is an ADE device? ›

Find Out More ›

What are the benefits of automated device enrollment? ›

Automated mobile device enrollment methods offer many advantages to organizations, such as saving time and resources, improving security and compliance, enhancing user experience and productivity, and simplifying device lifecycle management.

Tell Me More ›

What are the benefits of Apple device enrollment program? ›

Device Enrollment allows organizations to have users manually enroll devices into a mobile device management (MDM) solution and then manage many different aspects of device use, including the ability to erase the device. On Mac computers using macOS 11 or later, Device Enrollment also enforces supervision on the Mac.

Show Me More ›

What is automated device enrollment? ›

Automated Device Enrollment lets you automate Mobile Device Management (MDM) enrollment and simplify initial device setup. You can supervise devices during activation without touching them and lock MDM enrollment for ongoing management.

Explore More ›

Is DEP the same as automated device enrollment? ›

The Apple Automated Device Enrollment program, formerly known as the Device Enrollment Program (DEP), is a device enrollment service that's included with Apple Business Manager (ABM) and Apple School Manager (ASM).

What is Apple user enrollment? ›

User Enrollment is designed for BYOD—or bring-your-own-device deployments—where the user, not the organization, owns the device. The four stages of User Enrollment into MDM are: Service discovery: The device identifies itself to the MDM solution.

Show Me More ›

What is enrollment device limit restrictions? ›

There are two types of device enrollment restrictions you can configure in Microsoft Intune: Device platform restrictions: Restrict devices based on device platform, version, manufacturer, or ownership type. Device limit restrictions: Restrict the number of devices a user can enroll in Intune.

Read The Full Story ›

How do I disable MDM enrollment? ›

Go to System Settings > Privacy and Security > Profiles to view the MDM Enrollment profile. As an admin user on the device, select the MDM Enrollment Profile in the list and click the “–” button to remove it.

See Details ›

What is the new name for Apple DEP? ›

Apple ADE and Apple DEP are essentially the same, with ADE being the new name for the program. DEP was the original name of the Apple Deployment Program, but it was renamed to Automated Device Enrollment as Apple transitioned to a unified platform in Apple Business Manager/Apple School Manager.

Get More Info Here ›

How do I remove DEP from my iPhone? ›

Method 1. Remove DEP from iPhone/iPad with Password

Go to Settings > General on your iPhone and tap Profiles & Device Management.
Tap Remove Management and enter the passcode for DEP, then tap Remove.

Mar 30, 2023

What is the role of device enrollment management? ›

A device enrollment manager (DEM) is a non-administrator user who can enroll devices in Intune. Device enrollment managers are useful to have when you need to enroll and prepare many devices for distribution.

How long does it take for Apple to process developer enrollment? ›

To check the status of your enrollment, sign in to your account on the developer website with the Apple ID you used to enroll. If you haven't received a membership confirmation within 24 hours of your purchase, contact us.

View Details ›

How does Intune automatic enrollment work? ›

Enable Windows automatic enrollment

If you enable MDM automatic enrollment, enrollment in Intune will occur when: A Microsoft Entra user adds their work or school account to their personal device. A corporate-owned device joins to your Microsoft Entra ID.

How does Apple Mobile Device Management work? ›

MDM lets you securely and wirelessly configure devices by sending profiles and commands to the device, whether they're owned by the user or your organization. MDM capabilities include updating software and device settings, monitoring compliance with organizational policies, and remotely wiping or locking devices.

Learn More ›

In what circ*mstances would an organization utilize device enrollment instead of automated device enrollment? ›

When organization-owned devices aren't eligible for Automated Device Enrollment in Apple Business Manager, Apple Business Essentials, or Apple School Manager, organizations can use Device Enrollment to manually enroll them in their MDM solution without inconveniencing users.

Discover More Details ›