Adding a profile to the Apple Device Enrollment Program (DEP)

Information regarding adding a profile to the Apple Device Enrollment Program (DEP).

About this task

The Add Profile option in the Apple Device Enrollment Program (DEP) workflow includes three tabs: Configuration (administrators configure device settings for a DEP profile), Apple shared device settings (administrators configure the shared iPad settings), and Skip Items (administrators choose setup configuration settings that a device user can skip during DEP device enrollment).

Procedure

  1. Go to Devices > Enrollments. The Enrollments (Add Device Requests) page is displayed.
  2. Click Other Enrollment Options > Apple Device Enrollment (DEP).
  3. Click Profiles > Add Profile. The Add Profile window is displayed.
    You can also add a profile at Apple Device Enrollment Program (DEP) > Profiles > Add Profile from the DEP page.
  4. Click the Configuration tab, and then configure the following options:
    Option Description
    Name The name of the profile.
    Require MDM Enrollment If this option is enabled, the user must enroll the device in MDM during the setup process. The user is not shown the option to skip the MDM profile during DEP enrollment.

    Note: This option is automatically enabled for iOS 11.3+ devices.
    Supervise Device If this option is enabled, the device is marked as a Supervised device. Supervised iOS devices provide more restrictions, enhanced profile features, and multiple device configurations. Note: iOS 13+ devices are supervised by default. This option is not supported for macOS.
    • Lock MDM Profile: If this setting is enabled, the user profile cannot be unenrolled from the device. This option applies only if the Require MDM Enrollment setting is enabled and the device is supervised.

    • The following list explains some of the benefits of supervising iOS devices:

      • Automatically installs apps without user intervention.
      • Restricts an iOS device from using AirDrop to transfer a file to another device.
      • Allows or blocks web content on iOS devices.
      • Restricts the use of iMessage on the device.
    Authenticate User If this option is enabled, user authentication is required during device boot up in DEP enrollment. The Authenticate User option is supported on iOS 7.1+ and macOS 10.9 devices. The SAML-based authentication is supported on iOS 13 and macOS 10.15 devices. To set the authentication type that you want to use, go to the Authentication Mode for Enrollment section on the Basic Enrollment Settings page (Configuring directory and enrollment settings in the MaaS360 Portal).

    If you choose to authenticate against the corporate Active Directory, a device user must provide their <domain>\<username or email> credentials and their password to enroll their device in DEP.

    • Device Ownership: The device is either corporate-owned or corporate-shared. The device ownership option is available only if user authentication is selected.
    • Corporate Usage Policy: If this option is enabled, the user is prompted to accept the corporate usage policy when a new DEP device is added in the MaaS360® account. The user must accept this policy and the standard End User License Agreement (EULA). You can add the corporate usage policy as a TXT or HTML file from Advanced Enrollment Settings > Unified Enrollment Flow.
    Allow Pairing Pairs iOS devices. This option applies only to Supervised iOS DEP-enrolled devices. If this option is enabled, the iOS DEP devices are paired with any macOS device. If this option is disabled, iOS devices pair with macOS devices by using the pairing certificate that is provided in the Pairing Certificates option.

    Note: This option is not supported on iOS 13+ devices. As an alternative, you can use the Allow Host Pairing setting in the iOS MDM policy > Supervised Settings > Restrictions & Network.
    Pairing Certificates When a pairing certificate is used, a device continues to pair with a host that also uses this certificate (even if Allow Pairing is not selected.) If Allow Pairing is not selected, the Pairing Certificates option is available.

    Pairing certificates are chosen from the Certificates option on the Apple Device Enrollment page. This certificate is created by an administrator macOS device that uses the Apple Configurator with Organization Identity to pair iOS devices that are enrolled with the certificate.
    Department The department name that the enrolled device belongs to.
    Support Phone Number The phone number that device users can contact for DEP setup support. The administrator can update this phone number when they add a DEP profile.
    Assign The token that is assigned to a profile. All devices that use this token are assigned to the profile. For this option, you can assign the profile to all unassigned devices, to all devices, or to none of the devices.
  5. Click the Skip Items tab, and then select the options that you want device users to skip during DEP enrollment.
    Viewing an example of skip items setup during profile addition
  6. Click the Apple shared device settings tab, and configure the following options:
    Option Description
    Apple Shared Device If this option is enabled, the user can configure the shared iPad settings.
    Manage Apple ID default domains

    A list of domains displays. The user can pick a domain from the list to complete their Managed Apple ID.

    Tip: A maximum of three domains can be picked from the list.
    Online authentication grace period Enter the grace period time in days for the shared iPad online authentication. The shared iPad verifies the passcode locally during login for users that exists on the device. However, the system requires an online authentication after the number of days specified by this setting is passed.

    Setting this value to 0 enforces online authentication every time.

    The range of the values accepted is 0-14400 seconds.

    Passcode policy If this option is enabled, the passcode policies are displayed.
    • Auto lock time: The minimum time before the devices goes into sleep mode after staying idle for some time. The minimum time period is 120 seconds.
    • Passcode lock grace period: This controls the duration of the device lock period before passcode is required.

      This setting is disabled if Temporary session is enabled.
    Temporary session If this option is enabled, the guest welcome page is displayed and the user can log in as a guest user.
    • Temporary session timeout: The session logs out automatically after the specified period of inactivity. The minimum value is 30 seconds. Setting this value to 0 removes the timeout.

      This setting is disabled when the Passcode policy setting is enabled.
    Partition type Select one of the following values in the Partition type. This is a mandatory field selected to create a shared device profile:
    • Resident Users: The expected number of users that can log in to a shared iPad. If this value is greater than the value of the maximum number of users that the device supports, MaaS360 uses that value instead.
    • Quota Size: The maximum storage allocated for each user. The quota size, in megabytes (MB), for each user on the shared device, or if the quota size is too small, the minimum quota size.
    Skip language and locale setup for new users If enabled, the system picks the system language and locale automatically for the new Shared iPad user.
    User session timeout The session logs out automatically after the specified period of inactivity. The minimum value is 30 seconds. Setting this value to 0 removes the timeout.
  7. Click Add to save and add the profile configurations.
  8. Enter the administrator password to add the profile, and click Submit.

Results

The profile is added successfully and listed on the Profiles page.