
Integrating with Apple's Device Enrollment Program (DEP)

Overview

You can integrate the Jamf Software Server (JSS) with the Device Enrollment Program (DEP), a device enrollment tool available from Apple. To configure the program instance in the JSS, you must have a server token file (.p7m) downloaded from Apple. In order to download this file, you need to have an account with Apple's Volume Services Portal.

You can apply for an account at:
http://deploy.apple.com

For complete information about DEP, see the following websites:
www.apple.com/business/dep/
www.apple.com/education/it/dep/

Versions Affected

Casper Suite v9.3 or later

Procedures

To integrate the JSS with DEP, you need to do the following:

  • Download a public key (.pem) from the JSS.
  • Obtain the server token file (.p7m) from Apple's Volume Services Portal by uploading the public key.

Downloading a Public Key

Before you can obtain the server token file from Apple, you need to download a public key from the JSS.

  1. Log in to the JSS with a web browser.
  2. In the top-right corner of the page, click Settings.
  3. Click Global Management.
  4. Click Device Enrollment Program.
  5. Click Public Key to download the public key.

The public key (.pem) is downloaded immediately.

Obtaining the Server Token File

To download the server token file, you need to upload your public key to Apple's Volume Services Portal.

  1. Log in to the Volume Services Portal at http://deploy.apple.com.
  2. In the sidebar, select Devices.
  3. Follow the onscreen instructions to verify your identity.
  4. In the sidebar, select Manage Servers, and then click Add MDM Server.
  5. Enter a name for your MDM server, and then click Next.
  6. Click Choose File, and then upload the public key you downloaded from the JSS.
  7. Click Next to download the server token file.

The server token file (.p7m) is downloaded immediately.

For instructions on uploading the server token file to the JSS and configuring the DEP instance settings, see the Casper Suite Administrator's Guide.
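As an added example (not part of the Jamf article or the Casper Suite), the following POSIX shell script runs pre-upload sanity checks on the two files this procedure exchanges. It assumes OpenSSL is installed, that the JSS public key is an X.509 certificate in PEM form, and that the Apple server token is an S/MIME `application/pkcs7-mime` envelope that only the JSS (holder of the private key) can decrypt; the file-name helper reflects the rename freddie.cox reports in the thread below. Paths and names are placeholders.

```shell
#!/bin/sh
# Added example: pre-upload checks for DEP integration files (assumes OpenSSL).

# Confirm the file downloaded from the JSS parses as a PEM X.509 certificate and
# show its subject and validity window. Returns 0 if it parses, 1 otherwise.
check_public_key() {
    pem="$1"
    if ! openssl x509 -in "$pem" -noout -subject -dates 2>/dev/null; then
        echo "$pem is not a PEM-encoded X.509 certificate" >&2
        return 1
    fi
}

# Apple's portal rejected browser-renamed copies such as "PublicKey-2.pem";
# print a plain name with duplicate suffixes and non-alphanumerics stripped.
safe_upload_name() {
    base=$(basename "$1")
    printf '%s\n' "$base" |
        sed -E 's/[ _-]*[(]?[0-9]+[)]?\.pem$/.pem/; s/[^A-Za-z0-9.]//g'
}

# Assumed token format: an S/MIME message whose body is enveloped PKCS#7 data.
# Only the MIME header is checked; the payload cannot be decrypted outside the JSS.
check_server_token() {
    p7m="$1"
    grep -qi '^Content-Type: *application/pkcs7-mime' "$p7m"
}

# Usage: sh dep_precheck.sh PublicKey.pem [server_token.p7m]
if [ "$#" -ge 1 ]; then
    if check_public_key "$1"; then
        echo "upload as: $(safe_upload_name "$1")"
    fi
fi
if [ "$#" -ge 2 ]; then
    if check_server_token "$2"; then
        echo "$2 looks like an S/MIME pkcs7-mime envelope"
    else
        echo "$2 does not carry a pkcs7-mime Content-Type header" >&2
    fi
fi
```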


Posted: 3/24/14 at 3:37 PM by neverzen

Curious if anyone has gotten this process to work today.

When I upload the PublicKey.pem file generated by the JSS I get this:

http://cl.ly/image/0F2S1m3O2Q3r

It's named -2 because the first one I tried, failed the same way. It does not seem to take to the .pem at all.

Anyone else getting this result?


Posted: 3/25/14 at 2:10 PM by freddie.cox

@neverzen Yes - Just rename the file PublicKey.pem and it will load. It looks like Apple's file uploader doesn't accept any special characters.


Posted: 4/7/14 at 11:58 AM by amenard

Can multiple VPP accounts be used with the JAMF Software Server (JSS) and the Device Enrollment Program?

Posted: 4/8/14 at 3:15 PM by Bedfords

I have got to a certain point and cannot get any further. When I go to "Migrate Users" nothing happens.

Posted: 4/8/14 at 3:20 PM by Bedfords

Also when I go to deploy.apple.com and try to register a device with the Serial Number I get an immediate error that it cannot find it. Very confusing to get this working.

Posted: 4/8/14 at 3:23 PM by enoor

So, with regard to JSS on an OSX machine, the MDM profile can be distributed through Apple's servers automatically; however, it doesn't seem to enroll into JSS, and doesn't install the JSS framework. Being new to JSS, what is the best practice after the user has signed in and enrolled their device into the MDM using Apple's DEP? What is the easiest way to automatically distribute the JSS framework to an OSX machine?


Posted: 4/8/14 at 3:42 PM by mdonovan

Has anyone found out when Apple is rolling out the DEP to other countries?


Posted: 4/9/14 at 9:14 AM by nethers

Enoor, I'm with you on trying to see what's the best method for going from the Apple DEP to fully enrolled in the JSS for both Mobile and Computers.

Posted: 4/9/14 at 9:46 AM by bschrom

I don't have "Devices" in the sidebar on the Apple site. What am I doing wrong?


Posted: 5/8/14 at 2:55 PM by amenard

When you are in the Volume Services Portal at http://deploy.apple.com, can you use a single Public Key from the JSS to add multiple MDM servers in the Volume Services (DEP) Portal? Or do you need a separate Public Key for each MDM Server that you create in the DEP?

Posted: 5/9/14 at 8:41 AM by clifhirtle

@enoor @nethers I was afraid of that. I've gotten mixed reports on whether DEP could even be used by Macs at all so it seems like a lot of misinformation out there around this topic. And just providing the configuration profile for the MDM on OS X is only half the battle, since it does nothing to get a machine inventoried and enrolled into the JSS AFAIK.

Perhaps the better question is, what is an MDM enrollment configuration profile providing for the machine? Just the JSS's root cert and secure communication? If you've got SSH access you could technically remote into the device and install, but that's all contingent on the device being online and available.

So far we have not even managed to get any devices eligible for the service, since they must be ordered and shipped direct from Apple, versus through the retail store as we do most of our ordering.

Posted: 5/9/14 at 8:59 AM by enoor

@clifhirtle After some conversations with some very talented Apple people, two things are clear:
1. While DEP works, and should be used with Macs (because it gives you the added security of knowing the device cannot be used without being in contact with your servers, and allows you the safety net of forcing the system to require credentials to be submitted even when it's new out of the box), it doesn't actually make your workload during deployment any easier, because you still have to go through all the physical steps of installing the JSS framework, etc.

2. At this point there is no plan to allow you to request control via DEP over devices that weren't purchased through Apple using your business customer number. Those devices will most likely never be eligible for service unless Apple revamps the enrollment process. If you think about it, Apple is granting us full back-end server control over pieces of hardware without in any way assuring that we are in physical control of a device; the only assurance they have that the system isn't being abused is to limit it to accounts they know purchased the device.

Posted: 5/9/14 at 9:18 AM by clifhirtle

Thanks for confirming @enoor. The part that makes no sense to me is the following:

At this point there is no plan to allow you to request control via DEP over devices that weren't purchased through Apple using your business customer number.

EDIT: misread your comment and thought "weren't" = "were" purchased w/biz customer number. But fact remains, no devices we've purchased through our retail store using our customer number are working with DEP.

Our local retail store is our Apple purchase portal. If we bought a device on our customer number, regardless of channel, how is that not sufficient proof of purchase/ownership? Within the last couple months we're also getting calls from a competing inside Apple sales team trying to pry our purchasing away from our Apple retail store. Related? If Apple wants to phase out their retail stores as biz purchase portals why not just contact your customers and say that?

At a broader level, the way it is currently implemented effectively makes DEP another Configurator: a powerful tool crippled by ignorance on how the real world works outside the ivory tower test lab. Similar as well to the unspoken custom factory integration options we investigated at a prior employer, which ended up requiring 100 Macs configured exactly the same (RAM included) for Apple to even consider offering custom factory imaging like our competitors on the Dell/Lenovo side. Once again: neat promise made useless to 99% of the customer base.

If I'm missing something here someone please do set me straight. I would love to believe DEP in its current form works better than it seems, which is basically not at all.

Posted: 5/9/14 at 9:32 AM by enoor

@clifhirtle
I don't think you're missing anything. My impression was that DEP was specifically designed to provide for no-touch configuration of iOS Devices in a 1:1 environment, and the OSX portion is available only because it uses all of the same back-end architecture. They didn't add any additional features likely because iOS was the focus.
I can't speak to your other thoughts unfortunately. I personally didn't realize companies were making purchases through a retail store rather than a dedicated business rep, since there are clearly people working in that manner, and I'm assuming Apple's retail stores use the same ordering system and customer numbers, I can't imagine why they wouldn't allow those devices to be used with DEP as well.
This all being said, as it is DEP still obviously needs some work, not only on the OSX side but even on the iOS side as well, as it could be smoother. I'd imagine the program will expand with time.


Posted: 5/9/14 at 9:43 AM by stevewood

@clifhirtle @enoor I was in the CMA and CCA classes last week and Randon went over DEP in the CMA class a little bit and kind of didn't in the CCA. Although we did have discussions after class about DEP and getting to a true "zero touch" type of deployment: order machine from Apple, ship directly to end user, end user opens up machine and enters first user info, machine contacts JSS and 30 minutes later the machine is back at the login prompt waiting for LDAP credentials. Awesome idea, but not attainable at the moment with the way DEP is deployed for OSX.

Apparently there were some indications in the early spec of DEP that indicated this would be possible. However they were subsequently removed by Apple. In my opinion, and this is just my opinion, Apple is going to update DEP at some point and make this a possibility. Even though currently all we get is a machine enrolled in the JSS with no management framework (something easily fixed with a QuickAdd package), I hold out for a future of "zero touch".

As for machines not purchased from Apple direct, according to Randon (a JAMF employee), you can get machines purchased at the retail stores into DEP. It takes the business sales rep at the retail store to do some extra paperwork for those machines to get enrolled, but it is possible. I would speak with your business rep at the retail store to validate that statement.

My dream for 20 years has been zero touch, especially after watching Pixar demo it at WWDC 2006 (or was it 2007). Unfortunately I haven't been in a position to invest as much time into the framework as Pixar was (writing a bunch of scripts and back end infrastructure), but I hold out hope that we are on the precipice of this finally becoming reality.


Posted: 7/14/14 at 8:45 PM by LSC

Was working on this for a couple of days... multiple support calls and emails with Apple... turns out this service is not available in Australia.


Posted: 7/14/14 at 8:50 PM by freddie.cox

@LSC "Whomp, waamp, whomp, waaaaa" http://www.sadtrombone.com/


Posted: 9/2/14 at 12:44 PM by djcooke

I can't believe you give us step by step instructions, and then stop and tell us to go follow the admin guide - mind numbing

Posted: 10/20/14 at 5:35 PM by sierensh

djcooke, I'm right there with you:-(

Posted: 10/20/14 at 6:07 PM by tfriedm

After working with DEP over the last couple of months, I've learned a few things. First, make sure that you consistently purchase devices through your assigned account. Just because the Apple Retail store Business group and the Apple Enterprise team have sold you devices in the past does not mean that all Apple-purchased devices will enroll with DEP. I've learned to only buy from our company's corporate Apple account team. Your Apple Customer Number that is tied to DEP is what matters. Value-added resellers are still out of the picture. I did notice that you can now include more than one Apple Customer Number, but verify with your account team before adding it. "The Apple customer number is the account number (or numbers) assigned to your organization by Apple and is used to purchase Apple hardware or software. It is required to verify your organization’s eligibility for the certain programs. If you don't know the number(s), contact your purchasing agent or finance department."

Next, make sure that all repairs go through the same process. If you usually bring your device to a store to be repaired/replaced but bought it through your corporate account, don't assume that you can add it into DEP. Make sure you enter the repair number exactly as it appears on your invoice/receipt and verify DEP re-enrollment with your associated account.

If your employee gets an iPad as a gift or through a conference, most likely it will not be DEP eligible.

I agree with enoor and stevewood that the idea of zero touch will happen in the future. At this point, the benefit of DEP enables administrators to apply additional managed profiles on the devices without having to use Configurator.

Good luck and thanks for all the information in these posts.


Posted: 2/16/15 at 1:31 PM by jillhughes

After working with an Apple rep about some iPads that were being replaced for previous mdm iPads and them not being able to join DEP he sent this message, "I spoke with a support engineer and I found out why we’re running into the problem. Stock orders for new products sold through GSX are not eligible for DEP. Because of the way sales information is tracked (and in turn how DEP works) these devices will not work."
So make sure that when you have a repair and it is not a warranty replacement that you do order through your Apple account. Found this out the hard way!


Posted: 2/16/15 at 1:34 PM by etippett

@jillhughes: I'm hoping that does not include units replaced under warranty through GSX? Thanks for the tip, and that stinks you had to find out that way!


Posted: 2/16/15 at 1:43 PM by freddie.cox

@etippett I haven't tried using stock orders but when we perform a warranty replacement of a DEP eligible/enrolled iPad, once the repair is marked complete in GSX we are generally able to claim that device on Apple's deployment site the following morning.

Unfortunately there does seem to be a delay in being able to claim the iPad.


Posted: 2/16/15 at 1:45 PM by etippett

Good to know @freddie.cox! Thanks!


Posted: 3/14/17 at 8:24 AM by JayDuff

It might be nice to have some new documentation for how to get the token after transitioning to School Manager. I know I am having a hard time figuring out where to get a new token, and mine expires in 28 days.

For the record, one must go into MDM Servers, on the left side, then click the name of your MDM. In the lower part of the screen, click Generate New Tokens... Now you can click Generate And Download Server Token.