
Apple's Automated Device Enrolment

What

Originally known as the Device Enrolment Programme (DEP), Apple's Automated Device Enrolment (ADE) is a zero-touch enrolment method for Apple devices.

This article aims to cover the generic processes.

When/Why

Typically this process is used with new devices, or with devices that have been erased.

Registration

The basics:

  • Devices, purchased from a supplier signed up to Apple's programme, are registered with Apple
  • The FileWave MDM server is registered with Apple
  • Devices are assigned to the FileWave MDM server within Apple Business Manager (ABM) or Apple School Manager (ASM)

Enrolment Profile

Enrolment has options, e.g. which Setup Assistant items are shown. When an Enrolment Profile is associated with one or more devices, the Enrolment Profile is sent to Apple; differing Enrolment Profiles may be configured and associated with different devices.

How

Enrolment Stages

Enrolment Profile delivery

When the device is first connected to a network, it will first communicate with Apple. Apple observes the identity of the device and, if there is an Enrolment Profile associated with this device, the Profile is sent to the device.

Once the Enrolment Profile is delivered, it remains on the device, even if rebooted. Only a subsequent erase of the device removes the Enrolment Profile, after which the process can be re-triggered.

A key item in the Enrolment Profile is the MDM Server URL.
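The Enrolment Profile options mentioned above (which Setup Assistant items are shown) and the MDM Server URL are the settings most worth checking before a profile is sent to Apple, because a plain-http server URL or a profile that lets the user remove MDM undermines the whole zero-touch flow. The following is an added example, not FileWave's code or part of this article: a small validator over a profile expressed as a dictionary. It assumes the field names of Apple's Device Enrollment Program profile schema (url, is_mdm_removable, await_device_configured, configuration_web_url, skip_setup_items); FileWave's own profile editor abstracts these, and the sample profiles and hostnames are constructed placeholders.

```python
"""Sanity-check an Automated Device Enrolment (ADE) profile before it is
pushed to Apple.  Added example, not FileWave code.  Field names follow
Apple's Device Enrollment Program profile schema (assumed format); the
sample profiles below are constructed and use placeholder hostnames."""
from urllib.parse import urlparse

# Setup Assistant panes an enrolment profile may skip (subset of Apple's list).
KNOWN_SKIP_ITEMS = {
    "AppleID", "Biometric", "Diagnostics", "Location", "Payment", "Privacy",
    "Restore", "ScreenTime", "Siri", "TOS", "Zoom",
}


def _is_https(url):
    """True only for an https URL with a host part."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def check_enrolment_profile(profile):
    """Return a list of findings; an empty list means the profile passes."""
    findings = []

    # The MDM Server URL is the key item: without it the device cannot check in,
    # and over plain http the check-in could be observed or altered in transit.
    url = profile.get("url")
    if not url:
        findings.append("missing MDM Server URL ('url'); the device cannot check in")
    elif not _is_https(url):
        findings.append(f"MDM Server URL must use https, got {url!r}")

    # A removable MDM profile defeats the point of zero-touch management.
    if profile.get("is_mdm_removable", True):
        findings.append("is_mdm_removable is true: user could remove MDM after enrolment")

    # Hold Setup Assistant until the MDM server has finished configuring the device.
    if not profile.get("await_device_configured", False):
        findings.append("await_device_configured is false: Setup Assistant may finish "
                        "before MDM has configured the device")

    # Optional custom authentication page used for IdP-based enrolment.
    web_url = profile.get("configuration_web_url")
    if web_url is not None and not _is_https(web_url):
        findings.append(f"configuration_web_url (authentication page) must use https, got {web_url!r}")

    # Typos in skipped pane names are silently ignored by Apple, so flag them here.
    unknown = sorted(set(profile.get("skip_setup_items", [])) - KNOWN_SKIP_ITEMS)
    if unknown:
        findings.append(f"unrecognised skip_setup_items: {unknown}")

    return findings


# Constructed sample profiles (placeholder hostnames, not real FileWave output).
WEAK_PROFILE = {
    "profile_name": "Lab iPads",
    "url": "http://mdm.example.com/ios/dep",      # plain http
    "is_mdm_removable": True,
    "skip_setup_items": ["Siri", "Zoom", "TouchID"],  # "TouchID" is not a valid pane name
}

HARDENED_PROFILE = {
    "profile_name": "Lab iPads",
    "url": "https://mdm.example.com/ios/dep",
    "is_mdm_removable": False,
    "await_device_configured": True,
    "configuration_web_url": "https://mdm.example.com/idp/login",
    "skip_setup_items": ["Siri", "Zoom"],
}

if __name__ == "__main__":
    for name, prof in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"{name}: {check_enrolment_profile(prof) or 'OK'}")
```

Run against the weak sample it reports four findings (http server URL, removable MDM, Setup Assistant not held, and the misspelt pane name); the hardened sample passes cleanly.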

Check-in

The device reads the MDM Server URL and the enrolment process can then begin.

Authentication

The next requirement after check-in is authentication.

Method               | Description
---------------------|-------------------------------------------------------------------------------------------
Local Authentication | FileWave is configured with a local username and password, encrypted on the FileWave Server (default)
No Authentication    | The FileWave Server is configured to allow devices to enrol with no authentication required
LDAP                 | An LDAP server, e.g. Active Directory, is configured, allowing directory users to authenticate enrolment
IdP                  | Okta, Google or Entra users may authenticate enrolment

Local and No authentication are configured through the server command line, LDAP may be configured through FileWave Central, whilst IdP is configured through FileWave Anywhere.

IdP Authentication

IdP requires a special mention here due to the additional steps involved.

After the device check-in, the device is informed of the URL to which authentication is directed: the IdP. The IdP's custom authentication screen is presented to the user; on entering their details, if authentication succeeds, the IdP uses the configured redirect to contact the FileWave server and inform it of the success.

Federated Authentication

An extension of IdP, Federated Authentication is an offering from Apple which keeps Apple IDs and passwords synchronised with an IdP. This is configured within Apple's management portal; FileWave is not involved in this configuration.