After you register devices with Apple, use the Workspace ONE UEM DEP profile wizard to create a DEP enrollment profile. An enrollment profile is a collection of DEP settings assigned to your registered devices. You can create more profiles later if needed.
Create a new DEP enrollment profile or edit an existing profile.
In the Workspace ONE UEM console, navigate to .
Select Upload and select Apple Server Token File (.p7m). Select Next. Now Workspace ONE UEM and Apple can authenticate each other.
For clarity, use only one token at the customer organization group. Only add multiple tokens if your organization has a complex configuration, or if you are enrolling devices with multiple DEP accounts.
Configure the Authentication settings, based on whether you turn authentication On or Off. Authentication settings are only available for devices running iOS 7.1 and higher. If devices running iOS 7.0 and lower are assigned an authentication profile, the devices are automatically enrolled using staging authentication.
If you turn on Authentication, each user must tie a DEP device to their own user account.
If you turn off Authentication, you can enable staging of all devices under a single user account, and extra configuration options appear on the Settings page to accommodate this option.
If you set Authentication to On, then configure:
Device Ownership Type
Determines the ownership type of the device upon enrollment, which can be either Corporate-Dedicated or Employee-Owned.
Device Organization Group
Select the organization group where your end users authenticate. Only end-user accounts created at this level or a parent above it can authenticate their devices.
End users may authenticate using either their Active Directory credentials or basic Workspace ONE UEM credentials, depending on which authentication type you have enabled under Enrollment settings.
Turn On Custom Prompt to enable custom text to appear on the device authentication screen during the Setup Assistant. Authentication occurs when end users are prompted for their credentials.
Choose a message template to send as a Custom Prompt. (Supported for English-language only.) This option is not available when Custom Prompt is Off.
If you turn Authentication Off, then configure:
Default Staging User
Select the Enrollment User assigned to the device.
Device Ownership Type
Select the ownership type of the device upon enrollment, which can be either Corporate-Dedicated or Employee-Owned.
Device Organization Group
Select the organization group where your devices are enrolled.
Configure MDM features of the device.
Enter the name of the profile as it appears in the UEM console.
Enter the name of your department as it appears in the device's About Configuration panel upon setup and enrollment.
Enter your organizational support contact phone number as it appears in the device's About Configuration panel upon setup and enrollment.
Require MDM Enrollment
Select Enable to require end users to enroll into Workspace ONE UEM MDM. Use this setting to ensure end-user devices cannot be activated unless they enroll into Workspace ONE UEM MDM.
Enable to set the device in Supervised mode, which is an alternative to configuring Supervised devices using Apple Configurator. Supervision is required for shared devices.
Enable this option to use shared devices with education functionality.
Lock MDM Profile
Select Enable to prevent end users from unenrolling from Workspace ONE UEM MDM. This setting ensures that end users cannot remove the Workspace ONE UEM MDM profile installed on the device. This option may only be enabled if Supervision is enabled.
Enable this option to upload certificates as trusted anchor certificates and push them to devices during DEP enrollment. These certificates are used as trusted anchor certificates when evaluating the trust of the connection to the MDM server URL. If no certificate is uploaded, the built-in root certificates will be used.
Enable to allow the device to sync with any workstation through iTunes, Configurator, and iPCU. Optionally, set Device Pairing to Disable when deploying education functionality, and Upload a Device Pairing Certificate for supervised identities.
From Workspace ONE UEM 9.2.2, you can upload Device Pairing Certificates whether Device Pairing is set to Enabled or Disabled.
Enable this setting if the MDM server is expected to send extra commands before the device can allow the user to proceed in the Setup Assistant. Await Configuration is required for education functionality.
To override the Await Configuration setting on a device, navigate toand select the device to override. Select to note the device as configured and skip the Awaiting Configuration screen during enrollment.
If you enable Await Configuration, more options appear in the Setup Assistant section.
Auto Advance Setup
Enable this setting to automatically apply DEP configuration to an enrolling device. Users can skip all setup panes, and the device is automatically set to the most restrictive option by default within around 30 seconds after the network becomes active. Applies to Ethernet-connected tvOS devices only.
Choose the items seen by end users during the Apple Setup Assistant workflow that appears after the device is powered on for the first time.
Select Don't Skip to require user to set a passcode during setup. If an MDM passcode profile is already set up through Workspace ONE UEM, select Skip.
Select Don't Skip to prompt user to configure Touch ID during setup.
Select Don't Skip to prompt user to enable or disable Location Services during setup. If you plan on tracking GPS locations for your devices, select Don't Skip.
Restoring from Backup
Select Don't Skip to prompt user to restore from backup during setup. You must select Don't Skip to allow users to move data from a previous device, including an Android Device.
Move from Android
If Restoring from Backup is set to Don't Skip, select Don't Skip in this pane to prompt users to move accounts and data from an Android device during setup.
Sign in with Apple ID and iCloud
Select Don't Skip to prompt user to sign in with an Apple ID and iCloud account during setup.
Select Don't Skip to prompt user to configure Siri. If you select Skip, Siri is disabled on enrolled devices.
Select Don't Skip to prompt user to enable or disable sending diagnostic data to Apple. If you select Skip, sending diagnostic data is disabled on enrolled devices.
Select Don't Skip to prompt user to register the device with Apple during setup.
Select Don't Skip to prompt user to set up an Apple Pay account during setup. If you select Skip, Apple Pay is disabled on enrolled devices.
Select Don't Skip to prompt user to enable zoom functionality during setup.
Select Don't Skip to prompt user to set up a FileVault account.
Select Skip to allow users to skip the display tone setup step for enrolling iOS devices.
Home Button Sensitivity
Select Skip to allow users to enroll devices without configuring the Home button sensitivity on enrolling iOS devices.
Tap to Setup
Select Skip to allow enrolling tvOS devices to enroll without an associated iOS device.
Select Skip to allow users to enroll a tvOS device without configuring a screen saver.
Select Skip to omit the prompt for users to select a keyboard type during the Setup Assistant process.
Select Skip to prevent users from viewing on-boarding informational screens for user education during the Setup Assistant process.
Set to Skip to prevent users from viewing options for watch migration during the Setup Assistant process.
Set to Skip to omit a user prompt to send analytics to iCloud during setup.
iCloud Documents and Desktop
Set to Skip to prevent users from viewing iCloud Documents and Desktop screen in macOS.
TV Home Screen Sync
Set to Skip to prevent users from toggling the TV home screen layout during setup.
TV Provider Sign In
Set to Skip to prevent users from signing in to a TV provider during setup.
Where is the TV?
Set to Skip to omit the Where is this Apple TV screen on tvOS devices enrolling through DEP.
Set to Skip to omit the Privacy screen in DEP setup assistant while onboarding.
iMessage And FaceTime
Set to Skip to prevent the iMessage and FaceTime prompt during setup.
Set to Skip to prevent informing users about Software Updates during setup.
Set to Skip to prevent informing users about Screen Time during setup.
For certain configurations detailed in the Setup Assistant configuration, use the Admin Account Creation section to create an admin account for local and remote macOS device admin actions.
This item appears only if Await Configuration is set to Enabled.
Select Don't Skip to require users to create an account during setup. Configure the type of account the user creates in Account Type.
Select Skip if you have created a Directory Profile for the user and they do not need to create an account. Configure the admin account for this selection in the Admin Account Creation section.
This item appears only if Account Setup is set to Don't Skip.
Select Standard to give users access to a standard user account on their macOS device. If you select Standard, you must create an admin account to manage the Standard account.
Select Administrator to allow users to create an Administrator account on their macOS device.
Create a password for the admin account.
Select Enabled to hide the admin account on the macOS device. Hidden admin accounts can enhance security and user experience.
Select Disabled to make the admin account visible when a user logs in.
Choose Your Look
Set to Skip to omit the prompt for users to choose between Light and Dark mode on macOS Mojave 10.14.
Set to Skip to prevent the Display Tone screen during Setup Assistant.
Select Save to view the Summary page and review the settings you have selected. Assign the settings to devices registered in the Device Enrollment Program.
Sync Now and Assign to All Devices
Select Yes to save and deploy the DEP profile settings to all devices that are currently registered with the MDM server that you just created in the DEP portal.
Selecting No saves the DEP profile settings but does not deploy them to devices.
Auto Assign Default Profile
Select Yes to push the DEP profile settings to all currently registered devices once they are synced with Workspace ONE UEM, and to any devices that are newly registered with Apple and synced with Workspace ONE UEM from that point on.
Selecting No means newly-registered devices do not automatically receive the DEP profile settings. Enable this setting if you plan to create multiple DEP profiles for different devices.
Once the deployment options are configured, select Save. You are now ready to manage profiles on DEP-enabled devices from the UEM console.
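The MDM feature and Setup Assistant choices above end up as keys in the profile JSON that an MDM server defines with Apple's Device Enrollment service (`is_mandatory`, `is_supervised`, `is_mdm_removable`, `anchor_certs`, `allow_pairing`, `skip_setup_items`). The following added example, which is not part of the original documentation or of Workspace ONE UEM, audits such a profile for the dependencies this page describes; the sample profile, the function names, the `passcode_profile_in_mdm` parameter and the mapping of console settings to these keys are assumptions.

```python
import json

# Constructed sample profile using Apple's Device Enrollment profile keys;
# the name and URL are placeholders, not taken from any real deployment.
SAMPLE = json.loads("""{
  "profile_name": "Example iOS profile",
  "url": "https://mdm.example.com/enroll",
  "is_supervised": false,
  "is_mandatory": false,
  "is_mdm_removable": false,
  "allow_pairing": true,
  "anchor_certs": [],
  "supervising_host_certs": [],
  "skip_setup_items": ["Passcode", "Restore"]
}""")

def audit_dep_profile(profile, passcode_profile_in_mdm=False):
    """Return {key: finding} for values that weaken or contradict the lock-down."""
    findings = {}
    supervised = profile.get("is_supervised", False)     # Supervision
    removable = profile.get("is_mdm_removable", True)    # inverse of Lock MDM Profile
    skipped = set(profile.get("skip_setup_items", []))

    if not profile.get("is_mandatory", False):            # Require MDM Enrollment
        findings["is_mandatory"] = "device can be activated without enrolling"
    if removable:
        findings["is_mdm_removable"] = "user can remove the MDM profile"
    elif not supervised:
        findings["is_mdm_removable"] = "profile lock requires Supervision"
    if not profile.get("anchor_certs"):
        findings["anchor_certs"] = "MDM URL trust uses built-in root certificates"
    if profile.get("allow_pairing", True) and not profile.get("supervising_host_certs"):
        findings["allow_pairing"] = "device may pair with any workstation"
    if "Passcode" in skipped and not passcode_profile_in_mdm:
        findings["skip_setup_items:Passcode"] = "no passcode at setup or from MDM"
    if "Restore" in skipped and "Android" not in skipped:
        findings["skip_setup_items:Android"] = "no effect while Restore is skipped"
    return findings

def hardened(profile):
    """Copy of the profile with the lock-down settings switched on."""
    return dict(profile, is_supervised=True, is_mandatory=True,
                is_mdm_removable=False, allow_pairing=False)

if __name__ == "__main__":
    for key, why in audit_dep_profile(SAMPLE).items():
        print(f"{key}: {why}")
```

The defaults passed to `.get()` mirror Apple's defaults for an omitted key, so a profile that leaves a setting out is audited as the device would treat it.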