Apple's Automated Device Enrolment
What
From inception known as Device Enrolment Programme (DEP), Apple's Automated Device Enrolment (ADE) is a zero touch enrolment method for Apple devices.
This article aims to cover the generic processes.
When/Why
Typically this process is used with new devices or those erased.
Registration
The basics:
- Devices, purchased from a supplier singed up to Apple's programme, are registered with Apple
- FileWave MDM server is registered with Apple
- Devices are assigned to the FileWave MDM server within the ABM or ASM
Enrolment Profile
Enrolment has options, e.g which Setup Assistant items are shown. When an Enrolment Profile is associated with one or more devices, the Enrolment Profile is sent to Apple; differing Enrolment Profiles may be configured and associated with different devices.
How
Enrolment Stages
Enrolment Profile delivery
When the device is first connected to a network, the device will first communicate with Apple. Apple observe the identity of the device and if there is an associated Enrolment Profile with this device, the Profile is sent to the device.
Once the Enrolment Profile is delivered, it will remain on the device, even if rebooted. Only an subsequent erase of the device will remove the Enrolment Profile and the process can be re-triggered.
A key item in the Enrolment Profile is the MDM Server URL.
Check-in
The device reads the MDM Server URL and the enrolment process can then begin.
Authentication
The next requirement from check-in is authentication.
| Local Authentication | FileWave is configured with a local username and password encrypted on the FileWave Server (Default) |
| No Authentication | FileWave Server is configured to allow devices to enrol with no authentication required |
| LDAP | An LDAP server, e.g. Active Directory, is configured, allowing directory users to authenticate enrolment |
| IdP | Okta, Google or Entra users may authenticate enrolment |
Local and No authentication are configured through the server command line, LDAP may be configured through FileWave Central, whilst IdP is configured through FileWave Anywhere.
IdP Authentication
IdP requires a special mention here due to the additional steps involved.
After the device check-in, the device is informed of a URL to direct the authentication; the IdP. The IdP custom authentication screen should be presented to the user and on entering details, if successful, the IdP uses the configured redirect, to contact the FileWave server to inform of success.
Federated Authentication
An extension of IdP, Federated Authentication is an offering from Apple, which synchronises Apple IDs/passwords to be synchronised with an IdP. This is configured within Apple's Management portal; FileWave is not involved with this configuration.