Adding Devices to DEP Retroactively

What is Apple Configurator 2 used for? #

Apple Configurator 2 is a free app available in the Mac App Store, used for manually configuring Apple devices (connected via USB) before they are distributed to users. With it, profiles can be created and installed on devices. Additionally, Apple Configurator 2 allows for the retroactive addition of Apple devices to the Device Enrollment Program (DEP) that were not already assigned by an authorized reseller.

This process is exclusively possible for iOS, iPadOS, and tvOS devices. macOS devices must be purchased from an authorized reseller to benefit from the advantages of automatic DEP enrollment. Generally, it’s recommended to acquire DEP-enabled devices directly, as retroactive addition involves several manual steps.

What preparations are necessary before adding a device to DEP retroactively? #

To ensure comfortable and automatic DEP registration, it’s advisable to create a Wi-Fi profile beforehand. This profile can be created on the Mac via the menu item “File” -> “New Profile” -> “Wi-Fi” and then saved as a file.

How to add Apple devices retroactively using Apple Configurator 2? #

Connect the Apple devices to your Mac via a USB cable and launch Apple Configurator 2. The following dialog will appear:

Right-click the displayed device and select “Prepare…”. In the next step, choose the following options:

• Add to Apple Business Manager (for business customers) or Apple School Manager (for educational institutions)
• Allow devices to pair with other computers

Note: The option “Activate and complete enrollment” must NOT be selected, as this would cause the device to attempt enrollment directly. After adding to DEP, further configurations in Apple Business Manager/Apple School Manager and Relution are still required.

In the next step, select “New Server…” and click “Next”.

Now, specify the name and URL of the corresponding Relution server. The name can be chosen freely. The URL begins with https://. For example, for the Relution test system in conjunction with iOS devices, it is https://live.relution.io/.

For tvOS devices to be managed in the Relution test system, the following path must be specified: https://live.relution.io/api/v1/devices/appleMdm/depenroll

Subsequently, select the displayed certificate. If there are multiple certificates, choose the first one.

The server is now defined, saved in Apple Configurator 2, and will be available again for later additions of other devices to the Device Enrollment Program.

In the subsequent dialog, select “New Organization…” and confirm with “Next”.

The next step involves connecting to the Apple DEP server. Enter the Apple ID and password of your respective Apple Business Manager or Apple School Manager account.

If necessary, this login must be confirmed via 2-factor authentication (entering a 4-digit code sent via SMS).

Now select “Create New Supervision Identity” and confirm with “Next”. The organization data will also be saved by Apple Configurator 2, so it can be reused later, and a new organization won’t need to be created.

Next, in the following dialog, select the setup steps that should NOT be skipped during device setup. The “Location Services” option should be chosen to ensure correct time zone assignment for the Apple device.

In the next step, select a Wi-Fi configuration profile previously created in Apple Configurator 2 via “File” -> “New Profile”. This profile will be automatically adopted by the device after restart, establishing an internet connection.

This allows the Apple device to transmit the retroactive DEP registration to Apple’s servers. Alternatively to the Wi-Fi profile, the Mac’s internet connection can also be shared with the connected device via the USB connection.

If no profile is selected, Wi-Fi settings must be entered manually when the devices restart. Clicking “Prepare” will restart the device. It will automatically enroll in DEP and then be manually assigned to the corresponding Relution MDM server in Apple Business Manager or Apple School Manager (by default, it’s assigned to Apple Configurator 2).

What configurations are necessary in Apple Business Manager or Apple School Manager? #

After manually adding Apple devices to DEP, they must be assigned to the desired MDM server in Apple Business Manager or Apple School Manager. Alternatively, a setting can be configured in Apple Business Manager or Apple School Manager to automatically assign “New Devices” to a defined MDM server. All configuration options are described in Apple’s online documentation.

Once the Apple devices are assigned to an MDM server in Apple Business Manager or Apple School Manager, they can then be synchronized into the corresponding Relution organization under “Devices” -> “Auto-Enrollments”.

How is the enrollment of new DEP devices completed? #

After an Apple device has been retroactively added to DEP, assigned to an MDM server in Apple Business Manager or Apple School Manager, and a DEP profile has been assigned to the corresponding auto-enrollment in Relution, automatic enrollment can be performed on the device.

If no default DEP profile is set up in Relution or if a different DEP profile should be used, a DEP profile must be assigned to the newly synchronized devices. See the Insight on automatically enrolling Apple DEP devices in Relution for more