Before you can manage any DEP-enabled devices, you must sync them from the UEM console after you register them with Apple.

Sync Apple DEP Devices Manually

If you selected Sync Now and Assign to All Devices, then the registered devices are automatically synced when you save your DEP Profile. If you decide to add more devices later, perform a manual sync using the instructions below or wait for the DEP sync scheduler to run.

  1. Navigate to Devices > Lifecycle > Enrollment Status.
  2. Select the devices to sync.
  3. Navigate to Add > Sync Devices and follow the prompt to complete the process.
    • Sync Devices – This option is available only after the DEP is set up in the console. Selecting this option populates the UEM console with any newly registered devices from Apple Business Manager. It also automatically assigns the current Default Profile Assigned for Newly Synced Devices to devices, if the feature was configured earlier.

Note: The Workspace ONE UEM console supports the ability to Fetch All Devices. See the Best Practices for Using Tokens topic to learn when to use each option.

To avoid issues with your DEP sync tokens, such as expiration or a new Terms of Use acceptance, administrators can set notifications in Workspace ONE UEM for DEP sync failures. For more information, see Configure Notification Settings in the Console Basics guide.

Use the DEP Sync Scheduler

You can issue a manual sync at any time. By default, Workspace ONE UEM also syncs with Apple services every 24 hours, adding or removing devices so that UEM matches what is configured in Apple Business Manager or Apple School Manager. Configure the sync schedule by accessing the DEP Scheduler in the UEM console. The Scheduler settings are available only to System Administrators at the Global organization group level.

To use the DEP Sync Scheduler:

  1. Navigate to Groups & Settings > All Settings > Admin > Scheduler.
  2. In the Scheduler page, click the pencil icon next to the job name Device Enrollment Program Update.
  3. In the Device Enrollment Program Update, determine the recurrence type and enter the following.
    • Schedule Type - Enter the type of the scheduler. For example, Daily/Monthly/Weekly.
    • Frequency - Enter a frequency greater than or equal to 10 minutes.
    • Interval Type - Enter the interval type. For example, hours/minutes.
  4. Determine the range for the schedule. Enter the start date and time.
  5. Select Save to add this schedule to the list.

Renew Your Apple Server Token for DEP Deployments

Your Apple server token file is valid for one year, after which time you must renew it. To renew your Apple server token after configuring the DEP, perform the following steps:
  1. Go to Groups & Settings > All Settings > Devices & Users > Apple > Device Enrollment Program.
  2. Click the Renew button and the following screen appears.

    The screen shows the Expiration Date and the Last Successful Sync, along with the Renew and Fetch All Devices buttons.

    Note: Last Successful Sync indicates the last time a successful DEP device sync was completed for a DEP account. The Fetch All Devices option synchronizes all the Apple Business Manager enrolled devices with the UEM console, including the devices that were already synchronized. Use Fetch All Devices when the devices are not synchronizing even after you use Sync Devices from the Enrollment Status page, and only as a final alternative to synchronize devices.

  3. In the Renew screen, click Download the existing token link.

    The Renew screen shows the option to generate a new token from Apple Business Manager and upload the token file.

    Note: If you have erroneously updated the public key in Apple Business Manager, you cannot renew the token, because the public key used to generate the new token in Apple Business Manager does not match the private key in the console. Ensure that you always update the public key in Apple Business Manager before downloading the server token.
  4. Navigate to the Apple Business Manager, click Settings, select your MDM server, and download the Apple server token.
  5. Navigate to the Workspace ONE UEM console and click UPLOAD to upload the token file.
  6. Click Save to renew your Apple server token.

Best Practices for Using Server Tokens

Follow the best practices for uploading tokens to any organization group in the UEM console.

  • The token determines which devices you can assign a profile to. Administrators can add profiles for the tokens at the current, parent, or child organization groups where the DEP is configured.
  • Administrators can override DEP settings and add a new token at the child organization groups.
  • Review the Last Successful Sync time to view when the most recent successful DEP device synchronization was completed for a DEP account.
  • Use the Sync Devices option on the Enrollment Status page to manually synchronize the new devices and updates into Workspace ONE UEM.
  • The Fetch All Devices option synchronizes all the devices assigned to this token in Apple Business Manager with the UEM console, including the devices that are already synchronized. This option must only be used as a final alternative to fully refresh and resynchronize all your devices from Apple Business Manager.

Perform Remote Actions on All Devices

You can perform various remote actions on devices that are enrolled to Apple Business Manager using DEP.

  1. Navigate to Devices > List View > Select Device. The Details View appears.
  2. Select More Actions and choose from the following education-specific actions.
    Table 1.

    Option | Description
    Device Configured (Admin) | Send this command if a device is stuck in an Awaiting Configuration state.
    iOS updates (Admin) | Select individual devices or devices in bulk to update devices.
    Enable/Disable Lost Mode | Lock a device and send a message, phone number, or text to the lock screen. Lost Mode is deactivated by administrators only. When Lost Mode is deactivated, the device returns to normal functionality. Users are sent a message that tells them that the location of the device was shared.
    Request Device Location | Query a device in Lost Mode, and then access the Location tab to find the device. (iOS 9.3+ Supervised)

Delete DEP Device Records

You can remove DEP-enabled device records from the Device List View in the UEM console for enrolled devices while the device remains registered with the Device Enrollment Program in the Apple Business Manager portal.

It is recommended that you do not delete an enrolled DEP device. Instead, perform a device wipe first, and then delete the device from the console. Once the device record is deleted, the device status changes from enrolled to unenrolled. Factory wipe the device and re-enroll it.

  1. Navigate to Devices > List View.
  2. Select the devices to delete.
  3. Navigate to the More drop-down menu.
  4. Select Admin > Delete.

Note: The UEM console only allows you to delete a device record from the Devices page. You are prevented from manually deleting a DEP-enabled device from the Enrollment Status page. To manually delete a device, see Associate and Disassociate Devices in Apple Business Manager Portal. If you delete a device that is enrolled, an enterprise wipe is sent to the device.

Wiping DEP-enrolled Devices

You should not perform an enterprise wipe through Workspace ONE UEM on an enrolled device. Instead, perform a device wipe, so that the user is forced to re-enroll when the device is reactivated.

To discourage an enterprise wipe on DEP-enrolled devices, Workspace ONE UEM displays an additional warning in the UEM console when you perform the command.