Help

Apple IDs and DEP/VPP

pandrum
New Contributor III

Posted on ‎11-30-2017 07:31 AM

Hi!

I've been searching around some information and best practice about the planning and creation of new Apple IDs when setting up DEP/VPP.

So far we only have the agent (or master account or what you want call it) account when first registering. We created a new generic organizational e-mail for this which we called apple-deploy@domain.tld.

Questions down the road:

  • The agent account has a generic e-mail (distribution list) which can be shared to other employees at our organization which is nice. But you had to setup a real name when first creating the account so my name appears when logging in into Apples DEP/VPP portal. Will this cause any issue when/if I leave my org? Is it common practice to share the agent account? And if so, do you guys just add more phone numbers to the Apple ID because of the two-factor?

  • Regarding the two-factor. Whats the preferred method here? Having it tied to a work cellphone seems inconvenient. Do you connect the two-factor to more than one cellphone number? Or like a online-service?

  • When creating the admin accounts, do you use a generic mail for those also? For example: apple-vpp@domain.tld or apple-dep@domain.tld?

  • What happens when an employee leaves the org? I appears that you cant delete a admin account once its created...

Thanks guys!

Labels:
0 Kudos
Reply
1 REPLY 1

joshuasee
Contributor III

Posted on ‎11-30-2017 01:48 PM

Apple School Manager will actually warn you to create a second administrator if you have only one. Initially we had two generic VPP accounts and one DEP account, similar to what you report. With the rise of ASM, I've created personal Managed Apple IDs for myself and others who need access to it, and moved away from using the generic accounts to log into ASM. Generic accounts are still used for VPP purchases. A work cell is used for 2F tokens, though a direct dial office phone would also work. Apple is fairly good at detecting and rejecting VoIP services for two-factor authentication. Departing IT employees are expected to report any services they have access to that aren't covered by our password manager, and I have been able to delete one administrator who left from ASM.

0 Kudos
Reply