DEP, Managed VPP and Enforcement

lehmanp00
Contributor III

We have 1573 iPads in our school district. Over the last 4 years we have been using the totally unsupported, "Shared-Apple ID across many iPads" deployment method.

After briefing most of my schools on the DEP, Managed VPP and Under-13 Apple ID programs, they all told me the same thing:
"Unless someone tells me we have to move to these new programs, I'm not going to spend the time. What we are doing works for us."
Or "I don't see any benefits to these programs considering the time we would have to put in to move us into them."

I'm fine with it. But I'm wondering if others have come to similar conclusions or if I'm missing a good, persuasive point in favor of the 3 new programs?

1 ACCEPTED SOLUTION

talkingmoose
Moderator

These are administrative programs, not end-user programs. They're available to make your job easier so you can provide your end-users a better experience.

If you're using Apple Configurator right now then you want DEP for its over the air supervision. That means no more USB squids and tying iOS devices to a laptop for management.

If you purchase apps expecting to have to "gift" the licenses to the students or if you avoid purchasing apps because you don't want to lose the licenses then you want VPP. These are now an investment by your institution rather than a loss.

Even if you don't take advantage of everything right now, I suggest you at least get the enrollment process done and your JSS tied to the programs. You don't have to enable anything after that. However, the process to enroll takes a while to complete. You can't come to work in the morning and have everything done by noon. It will take days or possibly a week or two (depending on Apple's verification process) to get ready.


18 REPLIES

bvrooman
Valued Contributor

One of our clients had a similar concern; it does seem like a giant pain to move to the new program(s). When I showed them my iPad and how easy it was to remove the restrictions as well as the ability to lock/wipe the iPad remotely, they were convinced that DEP's non-removable MDM enrollment was the way to go.

obi-k
Valued Contributor II

• Same as bvrooman... restrictions are tight in DEP. In your environment now, kids can just flick off the MDM profile.

• Managed VPP, you'll be able to re-issue codes--they are not disposable, thus saving tons of $$$ in the future.

• It's a lot of work, my suggestion is a small pilot and see how that works.

lehmanp00
Contributor III

These all have been very good responses. I agree with getting the DEP enrollment done, even if we don't use it for a while. The more I get a chance to talk to the Admins and explain the positives, the increasing chance they will want it implemented.

agirardi
New Contributor II

Is anyone else having difficulty setting up DEP? I know that it is only available in the U.S. for limited customers, but we are hitting road blocks with our Apple reps saying that it is not available for our institution due to our purchasing route, and may not be available in the foreseeable future.

I was really excited when this was announced, but now see a lot of limitations. I know this is only version 1.0, and hopefully improvements will be made down the road.

blackholemac
Valued Contributor III

I'm gonna chime in on this one...so the shared Apple ID has proven a major headache for us as all the methods I've tried have had drawbacks.

We are moving this summer to DEP, VPP 2.0 and Apple ID for students together. Obviously the Apple ID for Students program is great because it lets kids under 13 legally have one. VPP 2.0 basically works by populating an Apple ID's purchase history through MDM and that makes it so end-users have control over their apps. Makes it soooo much better than me having to update servers or Configurator stations. The DEP has been good to us...Supervision profile can't be removed and MDM can't be removed by end user. We are rolling it out for the fall for sure.

tfriedm
New Contributor III

Before you spend too much time, make sure that your devices are eligible for DEP enrollment. Run a scan in JAMF and make sure that all your iOS devices were purchased within the last three years of the date that you want to enroll. If they're older or purchased from a third-party reseller then DEP is not an option at this time. All devices must be purchased directly through Apple and then enrolled in DEP.

We're going through this issue from an Enterprise standpoint. As stated above, the management features in DEP and VPP are a big improvement and will definitely benefit administrators & security but only if the devices can be enrolled.

Isigow
New Contributor

Couple of things you may wish to keep in mind.
Currently, according to our Apple Rep, DEP only works for original orders. Should you need to replace any item via Apple Care+ or a 3rd party warranty these would not be usable within the DEP system. Also, especially for those school divisions out there, donated items would also not be tied to your customer number, and thus would not be viable for the program at this time.

We have 2500+ iPads in the school division I work in, and have had them for a few years now which as you may guess has caused many to be replaced via AppleCare. We are just now working on a viable way to be able to tell which devices will self enroll and which will not due to DEP not accepting them. Maybe Apple will solve this issue soon. The rest of it works quite well though, so enjoy.

cdenesha
Valued Contributor II

@Isigow

"We are just now working on a viable way to be able to tell which devices will self enroll and which will not due to DEP not accepting them. Maybe Apple will solve this issue soon."

You should be able to get a list of serial numbers that you purchased from Apple, and then compare it to an export from your MDM...

chris

obi-k
Valued Contributor II

My thoughts too cdenesha. Should be able to import your serial numbers into your MDM/DEP. A hassle, but you are not dead in the water.

Sean_Ginn
New Contributor II

It sounds like most people are deploying their iPads in a One to One environment, but what is everyone doing when the iPads are not going to be handed out to the kids for the rest of the year, but as classroom sets? It is my understanding that you had the ability to assign a user through MDM and with the token you would have the ability to have one Apple ID for multiple devices. I know that is not the supported way, but Apple wants One to One and that is just not an option right now.

cdenesha
Valued Contributor II

"Should you need to replace any item via Apple Care+ or a 3rd party warranty these would not be usable within the DEP system."

I'm FINALLY testing DEP. My AppleCare replacements are usable at this time (8/2014). If importing by Order number you need to prepend R- to the order number.

chris

tfriedm
New Contributor III

Thanks Chris for the information about AppleCare Replacements, I had not heard about the R-. I'll save the information for future reference.

I also found that if you set up your DEP program through an Enterprise account then you can only buy devices through that channel. We work with both the local Apple Store Business unit and our national rep on orders. I was told yesterday that I should not buy devices through the Apple Store Business Unit or local Apple store. They cannot guarantee that the device will be DEP enabled. Not sure if this is the same for educational accounts, but you may want to check with your reps.

jarednichols
Honored Contributor

Just to clarify/summarize a few things:

  1. The only DEP-eligible devices right now are devices purchased directly from Apple with a Sold-To account, in the United States. Purchases from an Apple Store, resellers and carriers are not currently DEP-eligible.
  2. Replacement service units should now show in the DEP portal pre-pended with an R on the order number.
  3. There is a 3 year look-back for adding devices to DEP, assuming they were direct Sold-To purchases. Talk to your SE on getting them added if you're stuck.

Yes, we're working on getting the channel working with DEP as the vast majority of device purchases are not direct. No, there is no ETA for this, but understand that it's a lot of back-end systems talking to each other to make this work.
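The serial-number comparison suggested earlier in the thread, combined with the look-back and replacement-order rules summarized above, as an added example that is not from any poster or from Apple or JAMF. The CSV column names, serials, order numbers and dates are constructed assumptions; adapt them to whatever your purchase list and MDM export actually contain.

```python
import csv
import io
from datetime import date

LOOKBACK_YEARS = 3  # look-back window stated in the thread

# Constructed sample data. Column names and serials are assumptions,
# not a real Apple or MDM export format.
APPLE_ORDERS_CSV = """order_number,serial,purchase_date
1000001,SERIALAAA001,2013-09-01
1000001,SERIALAAA002,2013-09-01
0900002,SERIALAAA003,2010-05-15
R-1000003,SERIALAAA004,2014-03-10
"""
MDM_EXPORT_CSV = """device_name,serial
Cart1-01,serialaaa001
Cart1-02, SERIALAAA003
Cart1-03,SERIALAAA004
Cart1-04,SERIALZZZ999
"""

def norm(serial):
    return serial.strip().upper()

def classify(apple_csv, mdm_csv, enroll_date):
    """Bucket serials by whether Apple's purchase records could back a DEP enrollment."""
    try:
        cutoff = enroll_date.replace(year=enroll_date.year - LOOKBACK_YEARS)
    except ValueError:  # enroll_date is Feb 29 and the cutoff year is not a leap year
        cutoff = enroll_date.replace(year=enroll_date.year - LOOKBACK_YEARS, day=28)
    purchased = {}
    for row in csv.DictReader(io.StringIO(apple_csv)):
        bought = date.fromisoformat(row["purchase_date"].strip())
        purchased[norm(row["serial"])] = (row["order_number"].strip(), bought)
    out = {"eligible": [], "replacement_units": [], "too_old": [],
           "not_in_apple_records": [], "purchased_not_in_mdm": []}
    seen = set()
    for row in csv.DictReader(io.StringIO(mdm_csv)):
        serial = norm(row["serial"])
        seen.add(serial)
        if serial not in purchased:
            out["not_in_apple_records"].append(serial)  # reseller, donated, or wrong account
            continue
        order, bought = purchased[serial]
        out["eligible" if bought >= cutoff else "too_old"].append(serial)
        if order.upper().startswith("R"):
            out["replacement_units"].append(serial)  # service replacement order
    out["purchased_not_in_mdm"] = sorted(set(purchased) - seen)
    return out
```

The `not_in_apple_records` bucket is the set that will stay on removable enrollment; `purchased_not_in_mdm` lists bought devices that are not under management at all.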

donmontalvo
Esteemed Contributor III

@jarednichols Wow, I just stumbled onto this post, it actually answered some of our client's concerns, thanks!

Bookmarked

--
https://donmontalvo.com

KevinAGI
New Contributor

@jarednichols Well, it's May 2015 and Apple still has not fixed the iPads not purchased with a Sold-To account. None of my devices can be enrolled because of a complete SNAFU by Apple. I now have devices that are useless because I can't trust the students to not be malicious, and teachers who can't count.

If Google and Amazon have figured this out, how has Apple not? Apple practically invented the educational push with technology.

talkingmoose
Moderator

@KevinAGI, DEP is only one small component of iOS device management. Not having it is not the end of the world. You still have Apple Configurator as an option for supervision. Even without supervision, your devices aren't useless.

DEP does support devices purchased through some larger third-party resellers. That's a relationship the reseller needs to establish with Apple. But it's probably not worth the effort to smaller resellers since it requires development on their part to communicate with Apple and nets them no additional income.

If you want the advantage of OTA and supervision without having DEP then have a look at GroundControl. It's pretty slick and the company offers a 50% educational discount.

KevinAGI
New Contributor

My biggest gripe is that we did purchase these through Apple, and because someone did not do their job correctly our purchases are not able to be DEP enrolled. No one at Apple will own up to it and fix the problem.

Now Apple Configurator is another issue. This is how we started out at the beginning of the year, but because of yet another Apple "genius" the Configurator files were wiped out. Now I have devices that won't let me manage them, and I have to start all over again. It's just frustrating that I can get on a chat with Google at any time of the day, and they can get Chromebooks that have been RMA'd straightened out and I can manually enterprise enroll them, and Apple has been completely unwilling to help. They actually told me to take the iPads back to the store and return them and then buy them back and have the correct customer number used. Oh, and it would be up to the manager's discretion to even do this.