Apple Device Enrollment Program?

  • Thread starter: ajf

Does anyone here use the Apple Device Enrollment Program to deploy iPhones?
I am getting a bit lost as to how it works.

Does the DEP simply allow for the activation of the handset, or work as an MDM as well?
Can you use the DEP to push free apps to selected handsets, or just purchased apps?
It also looks like it works via the carrier as well?
Does this mean the devices that are sent are simply powered on and are activated automatically with no user input?
Does DEP require any software installing to manage devices?
If so is it only Mac compatible or Windows as well?

I assume then they have no Apple IDs assigned?
How does this work regards iCloud backups etc?

We are looking at deploying around 80 handsets. Simply require some sort of automated/central activation and the ability to push updates and/or occasional free app to selected phones when needed.
Probably also look at basic management like force device PIN, restrict app installs etc.
 
In order to enrol a device it has to come from either Apple or an authorised supplier, so check with your network supplier first.

Grab a trial with AirWatch. It's a great product.

MDM products require that a profile is installed on the device; you'd send the device an email with a link to follow.
 
Yep, we ran it in the department for a few months with SCCM. Then we swapped to Casper. Both were utter garbage, so much so, that I threw the entire project out and palmed it off onto Marketing lol

They now use Cisco Meraki, which is a billion times better.
 
I think the issue we had was within a multi-user environment: Apple likes to assign a user to a device, but the devices were owned by the company, not any one individual. Twenty different people would be using the same device throughout the day. We went about creating generic accounts to manage them that way. One went walkies and we had a hard time locating it. It wasn't me personally tasked with that project, so only relaying second-hand information.
 
I'd blame whoever took a brief of a 1:many device:user relationship and went with Apple products, personally. They don't even pretend to be good for anything other than 1:1 deployments.
 
The issue with deploying any kind of phone is the need for a store account.

Windows doesn't need one to enroll to, say, Intune, but needs one if you want to push an app.

Android needs one to download the company app portal for Intune and install apps. But at the same time it adds the email account, which you cannot remove unless you remove the whole Gmail profile from the phone, which means when you push an app the user must log in, which just adds the email account again.

Same issue with Apple needing an account if you want to push apps.
 
You can allocate apps to the serial numbers of devices as of iOS 9.

Yeah, only just seen this since we decided to move away from Meraki MDM to Intune.

Still, we have a large mix of Windows, Android and Apple devices and in general it's a pain in the ass. I have done the policies etc. and it's up to support to get them enrolled, with guidance sent to user to try and get them to enroll the device themselves. But it's quicker talking to a brick wall at times.
 
Thanks for the replies.
Still looking into this.
With the DEP the thing I cannot get my head around, is what does it do regards the app store for each device?
By using DEP are we restricting this so any apps HAVE to be pushed to the handset or can the users still install ones they want?

I am starting to wonder whether it might just be better to set up iTunes accounts for all the users and activate them that way rather than centrally as we still want to give the users flexibility to install apps as required.
Primary requirement really is to be able to lock and wipe device if it gets lost, stolen or the person leaves.

Main issue with DEP is you cannot just try it out as it requires registering with the carrier and Apple.
 
I'd blame whoever took a brief of a 1:many device:user relationship and went with Apple products, personally. They don't even pretend to be good for anything other than 1:1 deployments.

Problem is people want iPads, iPads and more iPads. All their friends have iPads, other schools have iPads, we want iPads. Forget the technical side of things, but we need iPads....
 
Well yeah, but it's a stretch to blame Apple because their devices don't do a thing that they never claim to be good at. If it's your job to put these projects out there then you should be aware of what you're buying, if you get overruled then stop caring about the success of the deployment.
 
Yup! But they want iPads! Apple are getting better though, and certainly with the last few iOS releases, e.g. the Classroom app. But we are still expected to make them work flawlessly.
 
Looks like as a company we are about to deploy Intune, which falls to me and my infrastructure manager. Have trialled and been impressed with AirWatch, although their constant hard-line buy buy buy sales approach is annoying. How does Intune compare? I'm not expecting it to be as feature rich, which isn't a problem, I'm just curious to hear actual user experience.
 
It's generally fine and does what it says on the tin. But that's about it, but they are adding features often so I can see it getting a lot better.

Some of the policies for Android I find don't apply at all. Simple things like the screen just doesn't apply.

We use it as it's part of EMS.
 
Microsoft are going to do incredibly well by just being dirt cheap since you already need to buy 80% of the EMS anyway. By the time you've got Office 365 and Azure AD Premium to manage your mobile users on Windows 10 then it's not a large jump to go all the way and spring for the Secure Productive Enterprise suite. If you do that then you aren't going to be fussed about finding a 3rd party single sign-on product or MDM.
 
Indeed. We started to use it due to EMS, but also the fact you can use groups via AD etc. It's just a nice all-in-one package without the need to set up another product.
 