The Apple Device Enrollment Program (DEP) does not support scenarios where a customer is using SAML for user authentication. However Workspace ONE has implemented a unique way to support this use case.
Through Workspace ONE UEM device staging, admins can assign the device to a multi-device staging user and allow Workspace ONE to reassign the device the appropriate user when they sign in to the Workspace ONE application.
The Workspace ONE application must be installed on the device as part of the staging user enrollment. When users sign in to Workspace ONE the first time, Workspace ONE authenticates the user through the configured SAML provider. After the user is authenticated, the ownership of the device is switched from the multi-device staging user to the authenticated directory user.
The directory user must exist in Workspace ONE UEM when the user signs in to the Workspace ONE application. You can pre-load users in a bulk load through CSV or apply the following API to generate users on an as needed basis.
The Security Type value must equal the directory.
Flow for Workspace ONE Support of DEP Integration
The following tasks must be completed to implement support of the Apple Device Enrollment Program using Workspace ONE.
Install the Workspace ONE application on the iOS devices.
Ensure that a staging user exists with the following staging configuration in the Workspace ONE UEM console.
Navigate to Accounts > Users > List View and select the user account for which you want to enable device staging to edit.
In the Add/Edit User page, select the Advanced tab. Scroll down to the Staging section and enable Device Staging and Multi User Devices.
Assign the device to the staging user in the Apple DEP portal and deliver the device to the end user.
For more information about the Apple Device Enrollment Program, see the Apple Device Enrollment guide.
How the Integration Works
When the user turns on the device the first time, the device is enrolled and assigned to the multi-device staging user. The user launches the Workspace ONE application that is available on the home screen and signs in. Workspace ONE authenticates the user through the configured SAML provider.
After the user is authenticated, the ownership of the device is switched from the multi-device staging user to the authenticated directory user. Applications, profiles, and resources assigned to the authenticated user are pushed to the device.
The organization group of the device does not change. This feature does not support user group mapping (or manual user selection based on drop-down menu) located in the Enrollment Setting section of the Workspace ONE UEM console.