The Holy Grail
Zero-touch configuration for IT, the holy grail of device management! This is the promise of a DEP-enabled device. Just buy it and turn it on; once the device has an established Internet connection, it’ll pull down your designated management profile, and all of the associated settings and applications assigned will be deployed to the device.
Easy, right? For the most part, yes it is. All you need to do is make sure your DEP-enabled devices, purchased from Apple or from an authorized DEP reseller, are associated with an Apple MDM server. In turn, that Apple MDM server needs to be configured with your MDM management service. To configure LANDESK as your preferred MDM server, see my previous blog post.
Today’s discussion will simply focus on getting those Apple devices enrolled with Apple’s MDM server. While the process only takes a few minutes, it is a required step for that zero-touch configuration, so don’t skip it.
Adding an Apple Device to an Apple MDM Server
- Browse to https://deploy.apple.com from your browser of choice
- Provide the Apple ID associated with your DEP account – enroll with Apple here if you have not yet performed this step
- Provide your two-factor authentication verification code; this is required by Apple for DEP management
- From the menu bar on the left, select Manage Devices
- Select your desired radio button to add devices by Serial Number, Order Number or via a CSV Upload
- Select the action Assign to Server under Step 2, find your appropriate server in the drop-down list and hit OK
And that’s it. Now when you unbox your shiny new Apple device, whether it be an iOS or macOS device, once it has an Internet connection (the touch part in the zero-touch process 🙂 ), it’ll pull down the assigned profile from your MDM server. Then, anytime the device is reset, the process will re-engage, ensuring that device always has your MDM profile assigned.
Here are the slides used in today’s webinar, including the embedded videos.
LANDESK announced their 2016.3 Management Suite release this week, and with it come a number of enhancements to mobility management, including several for MDM management of the iOS/macOS platforms. Included in the 2016.3 release is the ability to integrate with Apple’s Device Enrollment Program (DEP) and Apple’s Volume Purchase Program (VPP), including support for multiple VPP tokens.
Luckily, LANDESK has the documentation already available for this configuration. For ease, I’m going to aggregate all of the needed information to get up and running with LANDESK MDM in one spot.
Architecture Requirement #1 – Cloud Service Appliance
LANDESK Mobility Device Management requires a LANDESK Cloud Service Appliance (CSA). This can be either a physical appliance you host in your DMZ or a virtual appliance. If you do not have a CSA, contact your sales representative. They’re inexpensive and give you the ability to manage devices off your network.
- Configure the LANDESK Cloud Service Appliance as discussed in the how-to articles on the LANDESK community page
- Ensure you’re on build 179 or greater – to do this, log in to your CSA by browsing to https://csa.fqdn/gsb and hit the System tab on the left-hand side. Then select the Updates tab from the main page, hit Scan For Updates and apply the latest
- Purchase and apply a valid 3rd party SSL certificate for your CSA; see https://community.landesk.com/docs/DOC-32498
Architecture Requirement #2 – LANDESK Management Suite
- Install LANDESK Management Suite 2016.3 – https://community.landesk.com/docs/DOC-42261
- Import Apple’s APNS certificate to the Core Server – https://community.landesk.com/docs/DOC-39856
Optional Architecture Configurations
- Configure the Core server for DEP (optional) – https://community.landesk.com/docs/DOC-42090
- Configure the Core server for VPP (optional) – https://appleintheenterprise.com/2016/10/18/import-apples-vpp-token-into-landesk-management-suite/
- Configure a DNS TXT entry for easier enrollment (optional) – https://community.landesk.com/docs/DOC-39871