Comprised of JAMF Software employees who work with customers on their Volume Purchase Program (VPP) and Device Enrollment Program (DEP) deployments day in and day out, this JAMF Nation User Conference (JNUC) session set out to answer as many of the audience's pressing deployment program puzzles as it could before the JNUC came to a close. Among the JAMF Software employees on the panel were Bryan Hengels, Staci Dreysse, Kyle Bareis, and John Miller—moderated by Tad Johnson—and they brought their A-game when it came to helping IT admins with their deployment pickles.
There were some great questions from the panel. Here is what was asked:
How is the quickadd.pkg file handled with DEP?
The MDM profile is first downloaded to the device, then configuration profiles are applied and finally the quick add package (JAMF binary) is installed.
Can you talk about the recent Updates to DEP and what you are excited for?
The sticky note on a fresh Mac that Dean Hager talked about during the keynote is the world we are aiming for. The changes we have made recently with user-based deployments in 9.8 will help complete the picture of deploying a Mac without someone in IT needing to touch it first.
Is there a way to separate groups of computers in DEP?
You can segment the Macs on the DEP portal and the new devices then get assigned to a certain token. This is the best way to create separate groups for your DEP devices.
How do you recommend moving from user to device-based VPP?
The first thing you need is iOS 9 and 10.11. Next is to use smart groups for your scoping.
You can also do both deployment at the same time, so you can phase one in and out. You can take licenses back from a user and then get it to a device. User-based assignments is still going to exist.
What happens to DEP tokens when moving to a new JSS?
You can just simply create a new token for DEP — it won't affect devices already enrolled. VPP, on the other hand, needs to be more careful.
What happens if an App is stuck in the waiting state?
Delete and reinstall the app on the device.
When will DEP support not creating a local admin?
In a future release you will be able to disallow the creation of an Admin account.
When will OS X device-based VPP be supported?
Also coming soon in a future release.
Can you comment on the Global nature of DEP?
Countries are expanding significantly. First DEP was only available from Apple, now is available through the reseller channel. Apple has built a system to prove that you own the device with DEP and they are expanding it.
Is there a way to make DEP mandatory with Internet bypass?
No, Internet needs to be present. There will soon be a DEP wait step to make sure everything is downloaded first before exiting the setup assistant.
Apple Configurator 2 creates a supervision identity, will this be supported in the JSS?
Yes! Coming soon
Instructions for staff for creating an Apple ID w/o credit card?
Great documentation for the from Apple: https://support.apple.com/en-us/HT204034
Will device-based VPP eliminate the iTunes login?
It depends. Simply deploying a device-based app does not disable the iTunes store login. A separate profile could disable it however.
Self Service Mobile without Apple ID?
Set the deployment to neither in your global setting, then buy self service via VPP. Finally Configure the app to ensure it works (https://jamfnation.jamfsoftware.com/article.html?id=370). This process will soon be automated in a future release.
Can you add old devices to DEP?
Yes, you can add devices purchased from Apple back to March 2011. Contact Apple for help with this.
Can we use DEP with a lease?
It is possible. Make sure you check with Apple and the company you choose to lease from.
Will binding to AD during the setup assistant and bypass local account be supported?
DEP tokens in same JSS?
Yes, you can have multiple tokens in the JSS.
Does VPP support device-based deployments of Books?
If you have any questions regarding DEP or VPP, please contact us.