We have had an interesting scenario come up that falls somewhere in between Apple and JAMF as far as how to set things up. I think we can do this, but I wanted to get a sanity check from JAMF Nation since nobody can tell me 100% for sure whether this idea will work without screwing something up.
My organization wishes to buy about twenty iPads for use by student teachers in a K-12 environment. Between OSU and the K-12 organization, we have decided that it will make more sense for the K-12 organization to manage the iPads since they need to be set up identically to how the other iPads in the K-12 institution are set up. So the iPads will then be physically transferred to that K-12 institution and they will take on management of the devices.
The K-12 institution is using Apple DEP for all of their iOS devices and we would like to stay consistent with that model, both so that we can take advantage of the benefits of DEP, and so that we do not cause the other organization to have to set up an entirely separate way of doing things for devices that would have to be manually enrolled if they were not DEP enabled.
The easiest way to get the iPads to the K-12 organization is for OSU to purchase the iPads and then transfer them to the K-12 organization. If OSU signs over an amount of money for the K-12 organization to purchase the iPads, all of a sudden we end up in all kinds of red tape and legal paperwork that we are ultimately hoping to avoid, so what we are hoping to do is purchase the iPads through Apple DEP and then somehow get them auto-enrolled in the K-12’s Casper server via DEP.
We spoke to our Apple rep last week and confirmed that there is not a way for OSU to purchase the iPads and then transfer them into the K-12 organization’s DEP instance. In short, once we purchase the iPads they are permanently tied to our DEP instance.
Now, we think we have a workaround in the works, if the K-12 organization would agree to it, but I wanted to check and make sure that this would not negatively affect anything that is already in place.
I think we should be able to add the K-12 organization’s Casper server into OSU’s DEP instance so that we can register the iPads directly into their Casper server, without us needing to access their server directly or give them any sort of access to our DEP instance. It seems to me that this is how things would work:
• The K-12 JAMF admin downloads the public key (.pem) file from their JSS.
• The K-12 JAMF admin transfers the public key file to us (OSU).
• We log into our instance of the Apple Volume Services Portal, add an entry for their Casper server, and upload that public key file for that server.
• We download the resulting server token file (.p7m) and then transfer it back to the K-12 JAMF admin.
• The K-12 JAMF admin creates a DEP instance for us on their JSS and then uploads the server token file that we have provided into their JSS.
At that point, OSU should be able to assign any asset in our DEP instance to the K-12 Casper server, effectively transferring management of the devices to them without either party ever having direct access to the other party’s server, unless I’m missing something.
So the big question is, can a Casper server be assigned to two or more completely separate and unrelated DEP instances, or in other words, is there any danger that by adding their Casper server to our DEP instance that it would break their ability to use their Casper server within their own instance?
Not from what I've seen. We did a lot of investigation with DEP; the only real limitation is where you purchase the devices from. If you add an Apple account, you can only enrol serial numbers purchased under that account number. Same for resellers. That explains why you couldn't transfer devices from one DEP account to another (assuming they are separate Apple account numbers).
We've added multiple DEP instances to one JSS and it worked fine. You can also add multiple MDM servers to your DEP account. The only change you might need to make is to stop devices automatically being assigned to a particular MDM server. You can manually add them by serial number instead as they are purchased, as long as they are purchased under the right Apple or reseller account number.
Not sure if I am following correctly, but... you want OSU to purchase and have those devices go to K-12 DEP, I think. Have you tried adding your ACN (Apple Customer Number) for OSU into the K-12 DEP portal? This should then allow eligible orders/devices tied to the OSU ACN to be available for assignment in the K-12 DEP. The only thing I am unsure of is, if the OSU ACN is already associated with an OSU DEP, whether you will encounter problems adding the OSU ACN to the K-12 DEP.
My org purchases devices in various countries, and I have the ACNs for each country added into our single DEP portal so all devices procured globally go to our one DEP instance.
I do not use Casper for mobile devices, so I am not sure if a single Casper instance supports multiple tokens/DEP configs. I do have multiple MDM servers (prod & test) set up in our DEP portal and assign to both just fine.
@davidacland - Yeah, we've added multiple MDM instances into our DEP site. Well, one MDM server, but each site on the JSS has its own MDM instance in DEP (and its own unique token from DEP) so that we can assign devices to the correct site as they come in. The first thing we did was turn off automatic enrollment to any particular site/MDM. :)
So we know it's possible to add multiple MDMs into the DEP instance. I'm just concerned that if we add a reference to an MDM server that already exists in a completely different DEP instance that something could go wrong. My gut tells me that it shouldn't be a problem, but the last thing I want is to have the other organization allow us to add their MDM into our DEP instance and then find out that it broke something on their end, either in DEP or on their JSS.
@steve - It's not so much that we care about getting the iPads into their DEP instance. We've pretty much given up on that. We know they're going to end up in our DEP instance; it's just a matter of finding a way to assign the iPads to their MDM server from our DEP instance. I would be really concerned that adding our ACN to their DEP portal would create all sorts of havoc, although it's a really interesting idea. I'll have to run that one past our DEP admin.