Enroll devices to Apple Business Manager portal to use with the Workspace ONE UEM MDM profile and settings provisioned onto the device.

Overview

Using a registered device, follow the standard iOS Setup Assistant process, including language, country or region, and Wi-Fi network. From this point, the Setup Assistant flow is determined by settings in the DEP profile that was assigned to the device.

The Setup Assistant shows only the screens for the steps you chose not to skip in the DEP profile; skipped features do not appear. Once automatic configuration and enrollment are complete, the Setup Assistant closes and the device is ready for use.

For iOS devices enrolled using Apple Business Manager, enrollment restrictions do not apply. This is because device information such as OS version, device model and more is only received after the device has been enrolled through DEP.

Enroll Apple Devices Using Apple DEP

Since the device is registered with Apple Business Manager, follow the Setup Assistant on the device to complete device enrollment through Apple Business Manager.

The Setup Assistant displays the options that were chosen when the DEP profile was created for that device. If you require end users to generate their own enrollment tokens in the Self-Service Portal, they must complete that step before enrolling their devices. For more information about end-user generated tokens, see Alternate Device Enrollment Flows.

To enroll a device:

  1. On a brand new device, complete the steps in the Setup Assistant. If prompted, log in to the device with user credentials. A device that has already been set up must be factory reset before it can be enrolled through automated enrollment.
  2. Verify that Supervised status is enabled by navigating to Settings in a device. Under the Device Name, you will see a notification that the device is Supervised.
  3. Verify that the MDM profile is not removable by navigating to Settings > General > Profiles and selecting the Workspace ONE UEM MDM profile. You will see that there is no option in the form of an icon to remove the profile.

For more information on DEP Enrollment for tvOS devices and macOS devices, see VMware Workspace ONE UEM Apple tvOS Platform Guide and VMware Workspace ONE UEM macOS Platform Guide.

Enable Registration Tokens for DEP Enrollment

If you restrict enrollment to registered devices only, you have the option of requiring a registration token. This option increases security by confirming that a particular user is authorized to enroll.

To enable token-based enrollment:

  1. Select the appropriate organization group and navigate to Devices > Device Settings > Devices & Users > General > Enrollment and ensure the Authentication tab is selected. Scroll down past the Getting Started section and select Registered Devices Only as the Devices Enrollment Mode. A checkbox labeled Require Registration Token appears; select it. This restricts enrollment to registered devices only.

    Registration Token

  2. Select a Registration Token Type.
    • Single-Factor – The token is all that is needed to enroll.
  3. Set the Registration Token Length. This required field determines how complex the Registration Token is and must contain a value between 6 and 20 alphanumeric characters.
  4. While you can set the Token Expiration Time (in hours), note that it does not apply to DEP devices at this time.

Alternative methods for generating an enrollment token exist. For more information, see Alternate Device Enrollment Flows.

DEP Profile Settings for Token Enrollment

Use a DEP profile with Authentication set to On to prompt the user to enter credentials – a username and password – during the Setup Assistant process. If Require Registration with a Single-Factor token is enabled for the organization group which has DEP configured, the user must enter the one-time token that is sent to them into both the username and password fields.

Generate a Registered Enrollment Token

A DEP token allows your end users to enroll their devices simply and securely.

To generate a DEP token:

  1. In the Workspace ONE UEM console, navigate to Add > Batch Import.
  2. Select Batch type Users And/Or Devices. You may choose to use a Simple Template or Advanced Template depending on your need.
  3. To generate a token, map an enrollment user to a DEP device serial number. This generates a token and delivers it to the user according to the preferred notification method specified under User Settings.
    • For security reasons, the tokens are not accessible through the UEM console.

Note: Once the MDM profile is installed on the device, the token is considered "used" and cannot be used to enroll other devices. If enrollment was not completed, the token can still be used on another device.

Alternate Device Enrollment Flows

Combining the functionalities of the Apple Business Manager's DEP service and the AirWatch Self-Service Portal, you can enable alternate end-user enrollment flows.

Alternate enrollment flows:

  • The end users generate their own enrollment tokens in the AirWatch Self-Service Portal.
    • To enable this option, you must have the Self-Service Portal enabled for your end users.
    • The generated token is valid for the expiration time set in Token Enrollment settings in the Admin Portal.
  • The admin generates an enrollment token in the UEM console without entering a device serial number.
    • Either the admin or the end user can enroll the device with the generated DEP token, which is configured and sent in the usual way.
    • The generated token is valid for the expiration time set in Token Enrollment settings in the Admin Portal.
    • An advantage of this enrollment flow is that neither admins nor end users are required to enter the device serial number during enrollment. This function is useful in deployments where devices are not preassigned to users, such as in a school setting.
  • The admin generates an enrollment token using the bulk upload option in the UEM console, specifying the device serial number.
    • Either the admin or the end user enrolls the device using the generated DEP token, which is configured and sent in the usual way.
    • A token generated using the Bulk Upload method has no expiration date.
    • For more information about uploading device serial numbers in bulk, see Associate and Disassociate Devices in Apple Business Manager Portal.

Perform Enrollment with the Registered Enrollment Token

Once you have sent the DEP Registration Token to the end user, perform the enrollment on the device.

To perform the enrollment with a registration token:

  1. Turn on the device.
  2. Complete the setup screens as part of the Setup Assistant.

    For more information on these settings, see Create or Edit the DEP Enrollment Profile.

  3. On the authentication screen that asks for a username and password, the end user must enter the token they received into both the Username and Password fields. To keep the end user informed, you can define the message shown on the authentication screen to direct the user to enter the token in both fields.

    For more information, see Enable Registration Tokens.
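As an added example that is not part of this guide and is not the Workspace ONE UEM console's own code, the following Python models the registration-token rules described in the sections above: tokens are alphanumeric and between 6 and 20 characters long, a token is only accepted when the same value is entered as both username and password, tokens generated through the Self-Service Portal or by an admin without a serial number expire after the configured number of hours while bulk-upload tokens do not, and a token counts as used only once the MDM profile is installed, so an incomplete enrollment leaves it reusable on another device. The TokenStore class, the flow names 'ssp', 'admin' and 'bulk', and the rejection strings are assumptions made for the example; the UEM server's internal design is not documented on this page.

```python
import hmac
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Alphanumeric alphabet and the 6..20 range that the console's
# "Registration Token Length" setting accepts.
ALPHABET = string.ascii_letters + string.digits
MIN_LEN, MAX_LEN = 6, 20


def generate_token(length: int) -> str:
    """Return a single-factor registration token drawn from a CSPRNG."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"token length must be between {MIN_LEN} and {MAX_LEN}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class RegistrationToken:
    value: str
    user: str
    serial: Optional[str]            # None when issued without a serial number
    expires_at: Optional[datetime]   # None for bulk-upload tokens (no expiration)
    consumed: bool = False           # set once the MDM profile is installed


class TokenStore:
    """Hypothetical server-side record of issued tokens (example only)."""

    def __init__(self, expiry_hours: int = 24, length: int = 8):
        self.expiry_hours = expiry_hours      # Token Expiration Time (hours)
        self.length = length                  # Registration Token Length
        self._tokens: Dict[str, RegistrationToken] = {}

    def issue(self, user: str, flow: str, serial: Optional[str] = None,
              now: Optional[datetime] = None) -> RegistrationToken:
        """flow: 'ssp' (end user), 'admin' (no serial) or 'bulk' (serial, no expiry)."""
        now = now or datetime.now(timezone.utc)
        if flow == "bulk":
            if serial is None:
                raise ValueError("bulk upload requires a device serial number")
            expires_at = None
        elif flow in ("ssp", "admin"):
            expires_at = now + timedelta(hours=self.expiry_hours)
        else:
            raise ValueError(f"unknown flow {flow!r}")
        tok = RegistrationToken(generate_token(self.length), user, serial, expires_at)
        self._tokens[tok.value] = tok
        return tok

    def check_enrollment(self, username: str, password: str, serial: str,
                         now: Optional[datetime] = None) -> str:
        """Decide whether the Setup Assistant credential prompt is accepted.

        Returns 'accepted' or a 'rejected: ...' reason. Checking does not
        consume the token; only a completed profile install does."""
        now = now or datetime.now(timezone.utc)
        # The token must be typed into both fields; compare in constant time.
        if not hmac.compare_digest(username.encode(), password.encode()):
            return "rejected: username and password must both contain the token"
        tok = self._tokens.get(username)
        if tok is None:
            return "rejected: unknown token"
        if tok.consumed:
            return "rejected: token already used by an enrolled device"
        if tok.expires_at is not None and now >= tok.expires_at:
            return "rejected: token expired"
        if tok.serial is not None and tok.serial != serial:
            return "rejected: token is bound to a different serial number"
        return "accepted"

    def profile_installed(self, value: str) -> None:
        """Mark the token used once the MDM profile lands on the device."""
        self._tokens[value].consumed = True


if __name__ == "__main__":
    store = TokenStore(expiry_hours=2, length=10)
    tok = store.issue("alice", "admin")          # constructed sample user
    print(tok.value, store.check_enrollment(tok.value, tok.value, "SERIAL-EXAMPLE"))
    store.profile_installed(tok.value)
    print(store.check_enrollment(tok.value, tok.value, "SERIAL-EXAMPLE"))
```

The point to notice is the separation between checking and consuming: because the token is only marked used when the MDM profile is actually installed, a user who abandons enrollment part-way can still use the same token on another device, exactly as the note in Generate a Registered Enrollment Token states, while a device that did complete enrollment cannot be followed by a second one on the same token.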

Custom Enrollment in DEP

Custom Enrollment is a configurable option within the Automated Enrollment (formerly known as DEP) for admins. Custom Enrollment provides a customized experience to users enrolling into Workspace ONE UEM with devices added to Apple Business Manager. It allows admins to input a custom web view during the Automated Enrollment flow as opposed to the traditional Apple rendered user name and password prompt.

Features of Custom Enrollment

Custom Enrollment provides the option to configure a collection of customized enrollment screens to simplify the user experience and enforce additional security controls. Some of the possible enrollment options you can configure are:

  • Terms of Use
  • Basic authentication
  • Token authentication
  • Multi-factor authentication
  • SAML federation to an identity provider
  • Branding

The Enrollment settings (Groups & Settings > All Settings > Devices & Users > General > Enrollment) at an Organization Group determine the enrollment options.

The Branding settings (Groups & Settings > All Settings > Settings > System > Branding), such as the company logo and login page background, determine the branding options.

Note: The Organization Group is not the Organization Group of the uploaded DEP token.

Enable Custom Enrollment

Enable the Custom Enrollment feature in the DEP wizard while configuring the first DEP profile during the setup.

Prerequisites

Custom Enrollment is available for iOS 13 and macOS 10.15 and later devices only. If you require assistance in setting up the integration to Apple Business Manager, follow the steps in Configure the Apple Business Manager Portal and Download the Public Key to Integrate with Apple Business Manager.

Procedure

  1. Navigate to Groups & Settings > All Settings > Devices & Users > Apple > Device Enrollment Program.
  2. Select Add Profile to create a profile, or Edit Profile to update an existing one. Enable Custom Enrollment.

    When Custom Enrollment is enabled, it requires authentication and uses some of the enrollment settings defined at the Groups & Settings > All Settings > Devices & Users > General > Enrollment page. For more information about the enrollment authentication and restriction settings, refer to the Managing Devices guide.

What to do next:

To save the profile, follow instructions from step 3 explained in the Create or Edit the DEP Enrollment Profile section.

View Device Enrollment Status

Check the enrollment status of your devices to view DEP-specific information, and generate reports when needed.

To view:

  1. Navigate to Devices > Lifecycle > Enrollment Status in the UEM console. In addition, DEP-specific devices can have one of the following Enrollment statuses:
    • Discovered – Devices that are synced into Workspace ONE UEM but are not assigned a DEP Profile. These devices do not receive the MDM enrollment prompt during the Setup Assistant.
    • Registered – Devices are assigned a DEP Profile and you will see the MDM enrollment prompt during the Setup Assistant.
    • Enrolled – Devices are enrolled into Workspace ONE UEM MDM and can now be managed from the Devices > List View page.
  2. Go to Layout and make column selections to view specific information about enrolled devices.
    • Serial Number – Device's unique serial tracking number.
    • Asset Number – Internally allocated device tracking number.
    • Profile – DEP profile assigned to the device.
    • Department – Department attached to the DEP profile assigned to the device.
    • Source – Designates whether the device is associated with the Device Enrollment Program.