Deploying iPads Without Opening the Box

At Grant Wood we are rolling out an iPad refresh of 160 iPads to staff.  While we will be providing hands on assistance using Apple’s DEP program, we wouldn’t have to.  Apple’s deployment program (DEP) allows you to provide a user with a new unboxed iPad that will self-enroll and setup once the user has it connected to the Internet.

To get started, go to deploy.apple.com

This is the portal that Apple uses for managing DEP, app purchases, and Apple IDs for students under 13.  The setup process will involve you creating a new Apple ID just for use with the Apple Deployment Programs. This Apple ID will require you to set up two-factor  authentication.  Keep in mind, two factor authentication takes up to three days to be authorized.  In addition, Apple can take up to a week to authorize your DEP account. Plan ahead.

Need help with two factor authentication? - http://support.apple.com/en-us/HT204152

From the page shown above, choose Enroll Now this will walk you through setting up an account.  You need to be a person in your organization authorized to do this. The requirements are that you are a C level employee (CEO, CIO, etc... ) There is a list of options to choose from.  If you are not, you will need the assistance of one of these people in your organization to enroll.  I was not able to set up our DEP account, I needed to have our Director of Technology do it.  Apple is pretty strict on this point.  They will call you to verify this, they also look at your organization’s website to make sure you are listed with the proper title.  In our case, they called HR to make sure our Director of Technology was who he said he was.  (I think there were less hoops to jump through in getting a mortgage.)

Once you have been approved by Apple, you can login and start deploying devices.  Please note: each time you login, you will be prompted to authenticate via two-factor authentication.  If you are in an environment with multiple administrators, it seems the limit is five phone numbers.  Once you select the appropriate number, Apple will send you a text with a four-digit PIN.

The first time you enter the portal, you will need to set up your MDM server connection.  We use Meraki as our MDM.  There are many options for your MDM solution. For example,  Apple’s own MDM which runs on an OS X server, and Casper from JAMF are a few.  In Meraki, there is a token that we download and then upload to the DEP portal.  This establishes the connection between the MDM and the DEP portal.  Once you have the connection established to your MDM server, you can start to enroll devices.  You can do this by serial number or order number.  For our latest deployment, we used the order number.  The ability to add devices by order number saves a considerable amount of time.  Once devices are assigned, we can start working in the MDM.

Again the MDM we use is Meraki.  If you are using a different MDM, the screens will look different but the process should be similar.  Once logged into Meraki, in the side navigation I will choose MDM, then I will choose DEP.  

When the DEP screen appears every iOS device that I have entered into Apple’s DEP portal should show up here.  Meraki should do a sync when we open this screen to look for new devices.  You will notice a cloud next to each device.  Each color indicates the following:

• Green cloud: settings pushed
• Yellow cloud: settings assigned, but not pushed.  In most cases this means the device has just not hit the internet to have the settings applied yet.
• Grey cloud: settings not assigned. 
  

Other information you will see are the names of the devices.  Note - we ask the user to name the device (first name last name).  These names eventually propagate into Meraki.  You can use the tags to apply security settings.  You will also see the serial number and the settings that are applied.  We deploy everyone with a default set of staff settings.  In a school you may wish to deploy staff with one set and students with another.

To apply settings check the box to the left of a device (or check the box at the top to select all).  Then choose Assign settings.  The settings box should look like this.

These are the settings we use, and here is a breakdown of what each setting does.

• Allow pairing - this allows the user to pair the device to their computer.

• Supervise - previously the only way to supervise the device was with Apple Configurator.  You can now do it over the air using this method.  Some benefits are the ability to remove an activation lock and the ability to assign increased security settings.  Also if you supervise the device the end user can not remove the MDM management.

• Mandatory - this means that the device has to enroll.  If it is not mandatory and there is a connection issue to the Internet, then the device will set up unmanaged.

• Removable - this setting would allow the end user to remove the MDM management.

• Skip - these are items that can be skipped during the set up process to make setup quicker for the end user.  We don’t skip any.  If you did, you could always go back and make changes under Settings. You can skip the following settings: Location Services, Restore from Backup, Apple ID, Terms and Conditions, Siri, and Diagnostics.

Once you assign the settings to the devices you simply need to turn on a new device and connect it to the internet.  It will pull down the settings as specified.  If you device is already set up you can go into settings and do an Erase All Content and Settings.  This will allow you to set it up as a new iPad.


These are the steps needed to setup DEP for iPad management.  In a later post I will discuss security setting settings and assigning apps via Managed Distribution.

- Jason Marshall Technology Consultant, Grant Wood AEA

---

For more posts like this, please subscribe to our blog! You can also connect with us on social media if you Like us on Facebook, Follow us on Twitter or add us to your circles on Google+.