DriveStrike’s Apple Device Enrollment Program
Apple’s Device Enrollment Program (DEP) enables you to purchase devices from Apple (or authorized resellers) with DriveStrike automatically installed, helping you:
- Ease the IT burden of setting up new or reassigned devices.
- Increase your security, since DriveStrike cannot be removed from devices deployed in this manner.
DEP is part of Apple’s Mobile Device Management (MDM) strategy for managing devices in corporate and education environments.
Benefits and requirements
To deploy devices using DEP in your organization, you must have an Apple Business or Education account. Then, follow the instructions below to connect your accounts and configure settings to automatically install DriveStrike. Thereafter, any new Apple devices you purchase will be automatically configured with DriveStrike and will appear in your DriveStrike dashboard.
This process eases the work IT administrators must perform to provision and deploy new devices. Additionally, any devices configured this way are automatically deployed in Supervised mode. This increases device security in several ways, such as preventing DriveStrike from being uninstalled and enabling fine-grained location tracking features. Finally, even if a device is factory reset, it will still be re-enrolled with DriveStrike when the Welcome process runs again.
Understanding DEP
When a new Apple device powers on for the first time, a Welcome process walks the user through setup and configuration. As soon as the device obtains a network connection, it reports its serial number to Apple's servers, which check whether the device was purchased under a DEP agreement and, if so, return the configuration information you specify in your Apple Business Manager Portal. If that configuration information includes an MDM server, the device enrolls with that server within the Welcome process. Thus, by the time users complete the Welcome process, the device has already been configured with DriveStrike and is protected by DriveStrike’s MDM server.
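To confirm on a Mac that the Welcome-process enrollment described above took effect, the following added example (not DriveStrike's or Apple's code) classifies the output of the macOS command `profiles status -type enrollment`. The host name `mdm.example.invalid` and the sample output are constructed placeholders; substitute the MDM server your devices are expected to reach.

```shell
#!/bin/sh
# Added example, not DriveStrike or Apple code.
# Classifies the text printed by macOS `profiles status -type enrollment`.
# $1 = expected MDM server host name (a placeholder value is used below).
# Prints one of: dep-mdm, mdm-only, unenrolled, wrong-server, unknown.
classify_enrollment() {
    awk -v want="$1" '
        function val(line) { sub("^[^:]*:[ \t]*", "", line); return line }
        /^Enrolled via DEP:/ { dep = val($0) }
        /^MDM enrollment:/   { mdm = val($0) }
        /^MDM server:/       { srv = val($0) }
        END {
            if (dep == "" || mdm == "") { print "unknown"; exit }
            if (mdm !~ /^Yes/)          { print "unenrolled"; exit }
            host = srv
            sub("^[a-z]+://", "", host)   # drop the URL scheme
            sub("[/:].*$", "", host)      # drop port and path
            if (want != "" && host != want) { print "wrong-server"; exit }
            if (dep ~ /^Yes/) print "dep-mdm"; else print "mdm-only"
        }'
}

# Constructed sample output, used when the macOS `profiles` tool is absent.
SAMPLE='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)
MDM server: https://mdm.example.invalid/checkin'

EXPECTED_HOST=mdm.example.invalid   # placeholder, not a real DriveStrike host
if command -v profiles >/dev/null 2>&1; then
    state=$(profiles status -type enrollment 2>/dev/null |
            classify_enrollment "$EXPECTED_HOST")
else
    state=$(printf '%s\n' "$SAMPLE" | classify_enrollment "$EXPECTED_HOST")
fi
echo "enrollment state: $state"
```

Any result other than `dep-mdm` on a device bought under your DEP account means the automatic enrollment did not take effect as configured and the device's assignment should be reviewed.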
Add DriveStrike to your DEP account
Before DriveStrike can be provisioned on devices distributed via DEP, you must authorize your DriveStrike and Apple accounts to interact.
1. Navigate to DriveStrike’s DEP page and download a DriveStrike DEP public key.
2. Log on to your Apple Business Manager Portal.
3. Click Settings (in the bottom left corner of the web page) -> Device Management Settings -> Add MDM Server. Use that form to upload the DriveStrike DEP public key you downloaded previously, and click Save.
4. Click on Settings -> Device Management Settings. In the Default Device Assignment section in the right-hand panel, click [Edit] and associate the DriveStrike MDM server with each device type, and then click [Done]. Only devices associated with the DriveStrike MDM server will be enrolled in DriveStrike by default.
5. In the center panel, click on the DriveStrike MDM server record and click the “Download Token” link.
6. Navigate back to DriveStrike’s DEP page and upload the token you downloaded from Apple.
DriveStrike syncs with Apple daily to identify devices provisioned under your DEP account.
Configure default DriveStrike deployment information
On the DriveStrike DEP page, choose a default device owner for new Apple devices. When Apple devices are powered on and go through the Welcome process, they will automatically enroll with the DriveStrike MDM server. At that point, the new devices will appear in DriveStrike’s dashboard.
Ordering new Apple devices
Whenever you purchase new devices from Apple or an authorized reseller, you must provide your DEP customer number to the reseller to ensure the devices will be correctly associated with your DEP account. Failing to provide your DEP information will result in devices that are not properly enrolled with DriveStrike.
Sign it up into DEP via Apple Configurator 2
Renewing your DEP server token
Apple requires customers to renew the server token (which encapsulates the trust relationship between MDM servers and Apple’s DEP servers) once per year. The DriveStrike DEP page shows when the server token expires; DriveStrike will notify you via email when that date approaches. At that time, you will need to re-perform steps #1-3 above.