[Security Question] New DEP Device to be Enrolled

New Contributor II

Could anyone help me understand how the Jamf PRO server recognizes whether a new DEP device trying to communicate with it is legitimate?

From what I've checked, when a new DEP device connects to the internet, it checks Apple's DEP web service to see whether it is assigned to an MDM server. Once it has confirmed that it is assigned to an MDM server, does the DEP web service give this new device a token/invitation ID so that Jamf PRO recognizes it as already validated as a DEP-enrolled device?

I know that in the DEP workflow there is a stage where it asks for the user's AD credentials and Jamf PRO validates those credentials via LDAP. But this particular security layer is too weak from our security bodies' perspective.

I'm building our risk assessment for publishing the Jamf PRO server on a transparent proxy. I've been searching the knowledge base and white papers for details of that particular token, if it exists. Maybe you guys know about it and could help me substantiate my proposal that Jamf PRO is secure enough even when it is published in a transparent configuration.

Thank you!