DEP and VPP "dos and don'ts"

Apple Deployment Programs enrollment requirements and best practices:
Review the Device Enrollment Program requirements and Volume Purchase Program requirements.

Enrollment Checklist - Details below (Please have everything in place before beginning the enrollment process.)
• DEP Reseller ID(s) and/or ADCA
• D-U-N-S
• Verification Contact
• Program Apple IDs Email distribution lists (ApplePrograms@company.com, AppleVPP-jamf@company.com, AppleVPP-otherMDM@ company.com, AppleDEP@ company.com)
• Terms and Conditions

DEP Reseller ID(s) and/or ADCA
In order to enroll in DEP you will need the DEP Reseller IDs from your reseller partner (Insight).
You won’t need both to enroll, but you do want to include all of your Apple procurement paths.

Many resellers and carriers now participate in DEP. It is important that you reach out to your reseller representatives directly. They will give you their DEP Reseller ID. Once you enroll and get your Customer DEP ID, you’ll need to give that to your reseller.

D-U-N-S
To enroll in both DEP and VPP, you will need your company's D-U-N-S number and associated address.
The address must match the Dunn & Bradstreet information exactly. Your purchasing department should be able to provide this info.

Verification Contact
To enroll in DEP you will need a Verification Contact.
This person, usually a senior manager, verifies that you have the authority to sign and bind your organization to the Device Enrollment Program Agreement. The information given for this contact can’t be the same as for the individual submitting the enrollment. This person is contacted by Apple during the enrollment process to verify information about the initial account and the organization.

Program Apple IDs
You will want to use email aliases (distribution lists) for the Programs' Apple IDs. The idea is to not use a personal email address for these program Apple IDs.
Work with you email admins to create email distribution lists (suggestions are below).
They must be able to receive emails from external addresses (@apple.com). Please verify this before beginning the enrollment process.

• Top level Agent account for Deployment programs: ApplePrograms@company.com

• Admin account for VPP. This will be created by Agent account: AppleVPP-jamf@company.com If you have multiple MDMs, you should create a VPP account for each. For instance, if you use JAMF MDM for macOS and another MDM for something else, be sure to have separate VPP accounts for each. AppleVPP-jamf@company.com - AppleVPP-otherMDM@ company.com

• Admin account for DEP. This will be created by Agent account: AppleDEP@company.com

Terms and Conditions for VPP and DEP:
VPP Terms and Conditions
DEP Terms and Conditions
Software License Agreements Terms and Conditions

Apple Deployment Programs Online Resources:
help.apple.com/deployment/business/
help.apple.com/deployment/ios
help.apple.com/deployment/macos/
www.apple.com/ipad/business/it
www.apple.com/business/dep
www.apple.com/business/vpp
www.apple.com/support/business-education
Device Enrollment Program: Frequently Asked Questions
Device Enrollment Program: Understanding Apple Customer Numbers, DEP Reseller IDs and DEP Customer IDs
Request Mac apps through the Volume Purchase Program

Great post thank you

Hope and pray that your network team is friendly because you will need to open your firewall to permit access to the entire 17.x.x.x network and the entire .apple.com (and .*.apple.com) domains. Our network team is not so friendly - they want exact IPs and exact ports. Because there are many servers on Apple's end that are involved with VPP and most of those servers are hosted dynamically through the Akamai network, it's impossible to provide that. We can't use VPP here.

ugh. damn markdown language... there's supposed to be an asterisk before both those domains

1) Make generic accounts. This is especially helpful when renewing the various components at the start of the year- APN/ VPP tokens.

2) Avoid tying the phone component of the two factor to a personal phone. Some folks tie it to an online service, but your mileage may vary on that. Either way document the recovery key.

3) Document those accounts extremely well.

4) Don't use the accounts as regular Apple ID's or use them for anything else.

5) Work with the business department to agree on a common format for charging and approving apps. The VPP invoicing mechanism for education isn't great, so come to an agreement beforehand.

6) Make sure all the necessary ports are open. https://support.apple.com/en-us/HT202944
A ton of problems I see stem from a component that the client perceived as "not important "being blocked.

7) Ensure your network is up to snuff- the VPP/ DEP system depends on communications being received and processed in a timely manner.

8) Form a pilot group. This will help test the network conditions as well as the administrative workflows.

9) Keep up to date with Apple. JAMF Nation is a great resource to start with, but however you choose to do it be sure to stay up to date with announcements from Apple regarding the programs.

@AVmcclint and @@chrizwhit That's exactly the information I wanted...thank you very much!

Make sure ALL hardware is purchased through your Apple Account and from approved Apple vendors (Easiest to stick with Apple if possible). If not, then the devices may not be able to be added to DEP.

We had a school booster group purchase a cart of iPads for a school. The school was then supposed when we told them that we could not manage the devices so no network access or apps. iPad became useless.

@AVmcclint This might help? H/T @franton