I have had the opportunity to implement Intune together with customers where we have also implemented the Apple DEP program together with Intune. DEP stands for Device Enrollment Program and is the recommended way of managing company-owned iOS devices, as it can configure the iOS device to be enrolled during setup of the device, even after a reset. It can also configure the iOS device to be in Supervised mode, which allows for many more management capabilities. All this is done over-the-air, so no cable or handling by the IT department is needed: just register the device in DEP and then send it directly to the end user. You can configure the first-time setup wizard using Intune and control which options should be available. You could say that DEP is the same as Apple Configurator over-the-air. Also note that DEP is not available in all countries, which can be a challenge.
In Intune you can configure one or more DEP policies, where you can control the settings shown below.
A device registered in the Apple DEP program cannot be “un-enrolled”: if you reset the device, it will force you to register with Intune again in the first-time experience, as your DEP enrollment policy dictates. Supervised mode is really important, at least for company-owned devices, as you get more management capabilities, like the following policies:
- Global network proxy for HTTP
- Allow iMessage
- Allow Game Center
- Allow removal of apps
- Allow iBooks Store
- Allow podcasts
- Allow user-generated content in Siri
- Allow manual installation of configuration files
- Allow configuring restrictions
- Allow pairing to computers for content sync
- Allow AirDrop
- Allow account modification
- Allow cellular data settings modification
- Allow Find My Friends
- Allow Erase All Content and Settings
- Restrict AirPlay connections with whitelist and optional connection passcodes
- Enable Siri Profanity Filter
- Single App Mode
- Accessibility settings
More information about the Apple DEP program can be found here: https://www.apple.com/business/dep/
You can also register iOS devices you have already bought in DEP: “Mac or iOS devices purchased on or after March 1, 2011 can be enrolled in DEP. Mac or iOS devices purchased from participating Apple Authorized resellers or carriers must be added to your DEP instance to be included”, from the DEP frequently asked questions section. This is a nice option once you have the management commitment to actually take control of your devices, as in many companies these policies are still non-existent.
I have done this in a couple of implementations where we have imported iOS devices that are already in use by the end user, and here are some pointers that can be good to know.
- If a device is enrolled in Intune using the Company Portal and then added to DEP and synced to Intune it will be removed from the Intune console and replaced by the object synced from DEP. You will need to reset the device and enroll it using DEP instead.
- If a device is synced from DEP it cannot be enrolled using the Company Portal as it has an active DEP policy deployed to it.
- You cannot “unenroll” a device that is enrolled using DEP
- You can remove a device from DEP, for instance if it is stolen, but once removed it can never be added back to DEP.
DEP and Intune are best together! DEP is the way I would recommend managing your company-owned iOS devices.
I hope this can be helpful.
Hi Jörgen
Nice post, good to find anyone that has implemented it for real. I have written a post all about before you get the details and work with
If a device is synced from DEP it cannot be enrolled using the Company Portal as it has an active DEP policy deployed to it. -> you can: set affinity in DEP profiles (SCCM console), then set supervised and enable “lock enrolment process…”.
You can use DEP and the Intune client at the same time now.
Hey Jorgen –
Any prereqs that you know of regarding DEP and Intune? Are there any specific networking/firewall ports that need to be opened? Do they need to be open bidirectionally?
Do you know?
Thanks!!