In the January 2019 update of Microsoft Intune, new Apple DEP capabilities became available. With the latest release of iOS, more screens are displayed during the initial setup of an iPhone or iPad, for example Screen Time and Onboarding. With this update, Microsoft Intune can hide these screens through the Setup Assistant Customization settings.
For me, this was perfect timing. I had a customer who wanted to migrate from another MDM solution to Microsoft Intune and also use Apple DEP. They were immediately able to use these new features of Microsoft Intune. This inspired me to write this blog to explain how Apple DEP can be configured within Microsoft Intune and how to migrate existing DEP devices to Microsoft Intune.
Every iOS or macOS device that starts up for the first time (new out of the box or after a factory reset) must be activated by Apple. This process happens automatically. With the Apple Device Enrollment Program (DEP) you can, based on the serial number, mark devices as company-owned and start an automatic MDM enrollment on those devices during activation. Once this is configured, it is impossible for the end user to bypass this enrollment process. In this way, the company always keeps control of the device and retains the ability to protect company data, even after a factory reset of the device.
This blog covers the following steps:
The first step is to connect your Apple DEP account with Microsoft Intune. Log in to the Microsoft Azure Portal for the next steps.
Navigate to: Microsoft Intune > Device enrollment and click Enrollment program tokens
Click the + Add button
Tick the I agree checkbox (if you do) and click Download your public key
Open a new browser window or tab and log in to the Apple DEP Portal / Apple Business Portal with your Apple ID.
Open the MDM Servers page and click Add New MDM Server
Give the MDM Server a name, in this case Microsoft Intune. Click Upload File and browse to the public key you just downloaded from the Microsoft Intune console.
Click Get Token
Click Download Server Token
Go back to the Microsoft Intune console. Fill in your Apple ID and upload the Server Token you just downloaded from the Apple DEP console. Click Create
The second step is to create an Apple DEP profile and assign this profile to devices.
Click the Apple DEP server you just created.
Open the Profiles tab and click Create profile
Give this profile a name and a description. Select the Platform (iOS or macOS). Select whether you want to use the Company Portal app for authentication instead of the Apple Setup Assistant. I will set this to Yes.
If you are using Apple VPP for deploying the Company Portal (recommended) select your VPP token.
You can choose if you want to run the Company Portal in Single App Mode until authentication. I think this is a great feature and I have selected Yes (see the results in the last step of this blog).
Open the Device management settings page. Here you can configure whether you want a locked enrollment (so that users cannot remove the MDM profile) and whether the device can be synced with a computer.
Open the Setup Assistant customization page. Fill in the Department name and the Department phone. Under Setup Assistant Screens you can configure which screens appear during the initial setup of the device. For this demo, I set everything to Hide.
Click OK and click Create
Devices must be assigned to this profile; however, you can also set this profile as the default so that every new device is automatically assigned to it. To configure this, click Set default profile
Select the iOS Enrollment Profile you just created and click OK
Devices need to be assigned to Microsoft Intune within the Apple Business Portal / Apple DEP Portal. Log in to this portal for the next steps.
Click Device Assignments. On this page you can assign devices to an MDM Server. These can also be existing devices that are currently assigned to another MDM Server, as in this case. Fill in the Serial Number(s), under Choose Actions select Assign to Server, and select Microsoft Intune as the MDM Server.
When you take a look at the MDM Servers page, you can see the number of devices assigned to each server.
Go back to the Microsoft Intune portal and open the Devices page. Click Sync. All assigned devices will appear in a few minutes.
Now that everything is configured, let's test the results on a new Apple iPad.
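Once the profile exists, it is worth verifying periodically that nobody has relaxed it, since the protection after a factory reset depends entirely on these settings. The following PowerShell script is an added example, not part of the original post or of Intune itself: it uses the Microsoft.Graph module (Connect-MgGraph, Invoke-MgGraphRequest) to read every DEP token and enrollment profile from the Graph beta endpoint and reports profiles that do not enforce the settings configured above. The property names (supervisedModeEnabled, profileRemovalDisabled, enableAuthenticationViaCompanyPortal, enableSingleAppEnrollmentMode, iTunesPairingMode) and the DeviceManagementServiceConfig.Read.All permission are assumed from the Graph beta depIOSEnrollmentProfile schema; check them against current documentation.

```powershell
# Added example (not from the original post): audit Intune Apple DEP enrollment
# profiles via Microsoft Graph (beta). Property names are assumed from the Graph
# beta depIOSEnrollmentProfile schema; verify before relying on the result.
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All' | Out-Null

$base   = 'https://graph.microsoft.com/beta/deviceManagement/depOnboardingSettings'
$tokens = (Invoke-MgGraphRequest -Method GET -Uri $base).value

# Expected values for the corporate profile built in the walkthrough above
$expected = @{
    supervisedModeEnabled                = $true   # device is supervised
    profileRemovalDisabled               = $true   # user cannot remove the MDM profile
    enableAuthenticationViaCompanyPortal = $true   # Company Portal instead of Setup Assistant auth
    enableSingleAppEnrollmentMode        = $true   # Company Portal in Single App Mode until sign-in
}

foreach ($token in $tokens) {
    $uri      = "$base/$($token.id)/enrollmentProfiles"
    $profiles = (Invoke-MgGraphRequest -Method GET -Uri $uri).value

    foreach ($p in $profiles) {
        $findings = @()
        foreach ($key in $expected.Keys) {
            # Invoke-MgGraphRequest returns hashtables, so index by key
            if ($p[$key] -ne $expected[$key]) {
                $findings += "$key=$($p[$key]) (expected $($expected[$key]))"
            }
        }
        # 'disallow' blocks syncing the device with a computer
        if ($p['iTunesPairingMode'] -ne 'disallow') {
            $findings += "iTunesPairingMode=$($p['iTunesPairingMode']) (computer sync allowed)"
        }

        [pscustomobject]@{
            Token     = $token['appleIdentifier']   # Apple ID the token was created with
            Profile   = $p['displayName']
            IsDefault = $p['isDefault']
            Findings  = if ($findings) { $findings -join '; ' } else { 'OK' }
        }
    }
}
```

A profile reported with findings while IsDefault is true deserves immediate attention, because it is the one every newly synced device receives.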
Press the Home button
Select your Language
Select your Country or Region
Press Set Up Manually
Connect to the correct Wi-Fi Network
The MDM enrollment will now start. Press Next
And that's it, exactly as we configured it, with no additional setup screens. Click Get Started.
The Intune Company Portal app is automatically installed and launched. Until the user authenticates, nothing else can be done on the device. Log in with your company credentials.
If a Passcode policy is pushed to the device, as in this case, the user is prompted to set a new Passcode.
All other applications are installed automatically without any Apple ID (if using Apple VPP) and the iPad is released for use.