
Apple's Automated Device Enrolment

What

Originally known as the Device Enrolment Programme (DEP), Apple's Automated Device Enrolment (ADE) is a zero-touch enrolment method for Apple devices.

This article aims to cover the generic processes.

When/Why

Typically this process is used with new devices, or with devices that have been erased.

Registration

The basics:

  • Devices, purchased from a supplier signed up to Apple's programme, are registered with Apple
  • FileWave MDM server is registered with Apple
  • Devices are assigned to the FileWave MDM server within the Apple Business or School account: ABM or ASM

Enrolment Profile

The Enrolment Profile has options, e.g. which Setup Assistant items are shown. When an Enrolment Profile is associated with one or more devices, the Enrolment Profile is sent to Apple; differing Enrolment Profiles may be configured and associated with different devices.

Working with Apple's Device Enrollment Program (DEP)

How

Enrolment Stages

Enrolment Profile delivery

When the device is first connected to a network, it initially communicates with Apple. Apple observes the identity of the device and, if an Enrolment Profile is associated with it, sends the Profile to the device.

Once delivered, the Enrolment Profile remains on the device, even across reboots. Only a subsequent erase of the device removes the Enrolment Profile, after which the process can be re-triggered from scratch.

A key item in the Enrolment Profile is the MDM Server URL.
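As an added example (not from this article, and not FileWave's own code), the check below lints a DEP profile definition of the kind an MDM submits to Apple, with the MDM Server URL as the first thing it inspects. It assumes the key names from Apple's Device Enrollment Program API (profile_name, url, is_supervised, is_mandatory, is_mdm_removable, skip_setup_items) and a subset of the Setup Assistant pane names; both sample profiles are constructed.

```python
import json
from urllib.parse import urlparse

# Setup Assistant panes accepted in "skip_setup_items": a subset of the values in
# Apple's Device Enrollment Program API reference (assumed here, not from the article).
KNOWN_SKIP_ITEMS = {
    "AppleID", "Appearance", "Biometric", "Diagnostics", "Location", "Passcode",
    "Payment", "Privacy", "Restore", "ScreenTime", "Siri", "TOS", "Zoom",
}

def check_enrolment_profile(text: str) -> list:
    """Return findings for a DEP profile definition (JSON); an empty list means it passes."""
    profile = json.loads(text)
    findings = []
    if not profile.get("profile_name"):
        findings.append("profile_name is required")
    # The MDM Server URL is the key item: the device checks in to whatever host it names.
    parsed = urlparse(profile.get("url", ""))
    if parsed.scheme != "https" or not parsed.netloc:
        findings.append(f"url must be an https URL with a host, got {profile.get('url')!r}")
    # An absent is_mdm_removable counts as removable (the API default is true).
    if profile.get("is_mdm_removable", True):
        findings.append("is_mdm_removable should be false so users cannot drop management")
    if not profile.get("is_supervised", False):
        findings.append("is_supervised should be true for supervised-only restrictions")
    if not profile.get("is_mandatory", False):
        findings.append("is_mandatory should be true so Setup Assistant cannot skip enrolment")
    # A mistyped pane name is ignored and the pane is still shown, so flag it.
    unknown = sorted(set(profile.get("skip_setup_items", [])) - KNOWN_SKIP_ITEMS)
    if unknown:
        findings.append(f"unrecognised skip_setup_items: {unknown}")
    return findings

# Constructed sample with several weak settings.
WEAK_PROFILE = """{
  "profile_name": "Lab iPads",
  "url": "http://mdm.example.com/dep",
  "is_mdm_removable": true,
  "skip_setup_items": ["Siri", "Diagnostic"]
}"""

# Constructed sample with the settings corrected.
HARDENED_PROFILE = """{
  "profile_name": "Lab iPads",
  "url": "https://mdm.example.com/dep",
  "is_supervised": true,
  "is_mandatory": true,
  "is_mdm_removable": false,
  "skip_setup_items": ["Siri", "Diagnostics", "Zoom"]
}"""
```

Running check_enrolment_profile(WEAK_PROFILE) reports five findings, while the hardened profile returns an empty list.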


Check-in

The device reads the MDM Server URL and the enrolment process can then begin.

Authentication

The next requirement after check-in is authentication.

On initial check-in, the FileWave server returns an HTTP 401 because the request carries no authentication, and the response then tells the device how to authenticate.

  • Local Authentication: FileWave is configured with a local username and password, stored encrypted on the FileWave Server (default)
  • No Authentication: the FileWave Server is configured to allow devices to enrol with no authentication required
  • LDAP: an LDAP server, e.g. Active Directory, is configured, allowing directory users to authenticate enrolment
  • IdP: Okta, Google or Entra users may authenticate enrolment

Local and No Authentication are configured through the server command line; LDAP may be configured through FileWave Central, whilst IdP is configured through FileWave Anywhere.

Basic Authentication


IdP Authentication

IdP requires a special mention here due to the additional steps involved.

The FileWave server gives the device a URL that directs authentication to the IdP. The IdP's custom authentication screen is presented to the user; if the entered details are accepted, the IdP uses the configured redirect to contact the FileWave server and report success.


The redirects provided to the IdP for connection with the FileWave Server may be viewed in FileWave Anywhere.

The FileWave Server tells the IdP where to respond to the FileWave Server once authentication is complete. The URL FileWave returns, to which the IdP sends on the code from the device, uses port 20443 and carries the auth code as a parameter within the URL.

Federated Authentication

An extension of IdP authentication, Federated Authentication is an offering from Apple which allows Apple IDs and passwords to be synchronised with an IdP. This is configured within Apple's management portal; FileWave is not involved with this configuration.

https://support.apple.com/en-gb/guide/apple-business-manager/axmb19317543/web