With the release of iOS 11 and Configurator 2.5 devices can now be enrolled in your organizations DEP. From what I can tell there is not a guide on how to do this as of yet. Can someone point mean a direction?
Page 1 / 3
Go to the 17 minute mark of this video for step by step instructions:
https://developer.apple.com/videos/play/wwdc2017/304/
I have been waiting for this for a while now. Somehow, we ended up with a non-DEP device in one of our Configurator 2 carts. We're not exactly sure how it happened. Either way, this meant that we couldn't use automated enrollment on that one device.
I just installed Configurator 2.5, did a manual enrollment of the device while adding it to DEP, as shown in the video above.
Once added to DEP, I was able to reassign the device on school.apple.com to my JSS server, add it to the appropriate prestage enrollment, and from then I was able to do a standard automated enrollment on the device, just as if it had always been in DEP.
Very nice work, Apple!
Thank you for the video it is very helpful.
The part where I am getting stuck is the Server. We always enrolled ours in the past using a BluePrint with a Certificate. When I try to do the server using https://OurCompanyName.jamfcloud.com/configuratorenroll it errors out. Any idea what the JamfCloud server should be?
You shouldn't need to include a blueprint with the an enrollment profile. The enrollment comes from apple through DEP or Apple School Manager in our case. As long as you follow the steps in the video it works.
Correct you do have to specify a server as shown in the video.
Which when you have JamfCloud it apparently leaves Jamf baffled what the server url should be...
Not even sure if JamfCloud has a server address.
I have been back and forth with two of their Specialists today, very helpful but we appear stuck....
So if using Configurator 2.5, it now asks you if you want to "leave remote management". It says that if you click that, it will remove it from DEP. The button will show up for the first 30 days and after that, it will automatically remove from DEP.
Does that mean that if you use configurator to enroll in DEP, it will be removed in 30 days?
CoreyThomas the new configurator enrollment has a 30 day grace period by which a device enrolled can still be unenrolled with in 30 days by the user. This is to prevent those situations in BYOD and it gets enrolled buy maybe you don't agree with it being locked down as it is your device. After 30 days it is locked to the DEP and the user cannot remove it but the Admin of the DEP can.
EduTech,
After taking another look at the your screenshot, I think you are getting the error because you aren't including the port for Jamf. In our case we used:
https://ouraddress:8443/configuratorenroll
rather than
https://ouraddress/configuratorenroll
That may help.
This unfortunately doesn't help the issue I'm having. When trying to add a device to DEP I get the error:
Provisional Enrollment failed error Network communication error. [MCCloudConfigErrorDomain – 0x80EF (33007)]
When I log into deploy.apple.com I have a new "Devices added by Apple Configurator 2" and it does NOT have a Key or Token. Not sure of the process to get that created...
Are you including a working WiFi profile? The one we were using for iOS 8-10 no longer worked and I had to create a new one. I would start there for that error. Just create a new Wifi profile and push it to a device. If that works then try again with the steps in the video.
Hey Everyone I am going to write a setup Guide I'll post a link Shortly when it is completed.
@jmahlman - I've seen that (or a similar) error with one device when testing Provisional DEP Enrollment during the beta process. With that issue, Configurator displayed the error, didn't continue enrollment, and didn't add the device to the "Devices added by Apple Configurator" server in Apple's deployment portal, similar to what you observed.
In that instance it did, however, add the device to the DEP account, but some additional work was needed to enroll it. (Other devices completed the process with no issues though.)
Here's what worked then, and may be worth trying:
- Within the deployment portal, navigate to the "Assign Devices" area, enter the device serial number, and attempt to assign to an existing server.
- If it worked, then your device made it into your organization's account.
- Assign it to a PreStage in your Jamf server, and erase it again. It will then go through a DEP enrollment workflow.
Hopefully what I shared above helps for you too!
-Mark
@byrnese I am adding a wifi profile, I may have to double check that it has access to apple.
@mark.buffington I've tried assigning the device in the portal and it doesn't work.
Hi all,
Just wanted to share my experience as I was playing with adding existing iPads to DEP. Hope this might help those willing to go this route, or improve my steps further.
Updated/Restored iPads to iOS 11 -- a prerequisite action for adding to DEP.
In Apple Configurator 2.5
-> Click Prepare Button
-> Ticked the Option "Add to Device Enrolment Program"
-> unticked the automate enrolment (I like to setup from the iPad for a true OTA config).
-> Created a DEP Wifi profile that uses the MacBook Pro Internet Sharing SSID
-> Configured the remaining steps relating to supervision and iOS steps (i selected: don't show any).
-> When it asked for the Apple ID to add to DEP, I chose the account that has the 'Device Manager' or 'Administrator' role in Apple School Manager (ASM).In ASM, go to MDM Server -> Devices added by Apple Configurator 2
-> Keep an eye on the number of devices added on the "Devices added by Apple Configurator", if it changed from 0, the above action has added the devices into DEP server.
-> Click on the blue 'download' link next to the device type and quantity added which downloads a csv file.
-> Open the CSV file, copy the Serial Numbers (first column, row 2 onwards) and use a text editor to format the serial numbers in comma versions, e.g. SN1, SN2In ASM, go to Device Assignment
-> Put the formatted serial numbers from the text editor in previous step and put them in the Serial Number textbox.
-> Below, chose the option 'Assign to server' dropdown, and then on the right my institution Jamf Pro MDM serverIn Jamf Pro, go to Mobile Devices and then PreStage Enrolment
-> Click on the existing PreStage enrolment or create a new PreStage enrolment
-> Go to scope & click refresh button
-> Click edit and assign the iPads that has the modified date: "added less than a minute ago"In Apple Configurator 2.5
-> Performed another restore onto the iPads and then setup the freshly restored iPad without the Apple Configurator just as you would setup a DEP iPad.
-> This step was to remove any supervision profiles that was performed during the prepare stages, the idea is to see "Activating iPad" message -- and if you performed step 3 to 5 correctly, you should see "Looking for configuration/Downloading Configuration" and then "Remote Management" screen showing up -- this means DEP is working and applied.
My PreStage enrolment has user authentication to an Active Directory, so when an AD account is used, e.g. a student account, it gets assigned to the iPad record in Jamf along with Department, Job Position, Building info etc, which triggers all the Apps and configuration profiles that has been scoped to the Department/Smart Group.
This has worked pretty well for me. My 2 cents of experience.
(Apologies for the long post)
EDIT: If only there was an option to add MacBook/iMacs to the DEP servers.
Thanks,
Nuno Carvalheiro
Pymble Ladies College - Technical Support Officer
"Created a DEP Wifi profile that uses the MacBook Pro Internet Sharing SSID"
Creating an shared SSID is a damn good idea for networks that require MAC enrollment.
Just an update, I got this to work following @ncarvalheiro87 's advice. I originally wasn't having success because of our network blocking communication.
Thanks!!
Good Afternoon All
I hope someone can help me as I am struggling abit with apple configurator 2.5 after I prepare the Device it gives and error after it trys to activate the IOS on the Ipad. please see picture below.
Much appreciated
Our web filter was the culprit in our setting when enrolling/preparing devices. When they rolled out iOS 11, they must have changed the site that devices use and it isn't open for us. Waiting on my network admin to find out which sites need to be opened in order to get it to work properly. Using an iphone and cell network as a work around right now to get my devices enrolled.
We found we had to open ocsp-ds.ws.symantec.com.edgekey.net and exclude it from any https inspection. iOS10 worked fine without it open but iOS11 didn't.
Regards
Graeme
I just saw this - very exiting. I have so many non-DEP devices from before we started our Apple Custom Store account. Giving this a test run currently.
late to the party, but my blog post has screenshots of the process:
https://www.lai.nl/en/add-ios-devices-dep-account/
I had the same error @mohammedsirkhot had, where the device is already in (some) DEP account.
So I was able to successfully enroll a device through Configurator, but it doesn't seem to actually add the device to DEP. It does enroll and supervise, but it's nowhere to be found in DEP. Is that normal?
Hi there
Thanks for all the help in this thread. Unfortunately we're still getting the
MCCloudConfigErrorDomain – 0x80EF (33007)error. Our network is not blocking any of the ports, and we can't enrol or disown the device from the DEP portal. My only thought is that the device is enrolled in some other DEP account, not ours.
Is anyone able to provide further assistance? Thank you @maurits for the guide, unfortunately we still can't add the device.
Thank you!
@lachlanharris Try deleting Configurator and re-installing it. Make sure you add back any organizations, servers, and supervision identities when setting up your new configurator instance.
thanks a lot @maurits I will try your screenshots and let you know
Reply
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.