When embedding company-owned devices, you must first determine whether you are dealing with devices registered with the Apple Business Manager. The following section explains how to configure registered devices. The second section explains how to embed all other company devices.
Configure devices registered with the Apple Business Manager
Apple Business Manager (formerly Device Enrollment Program – DEP) is a web-based portal for IT administrators. It allows iOS devices purchased directly from Apple or an authorized Apple dealer to be integrated quickly and easily into the firm’s IT. The initial configuration of the devices is considerably simplified. MDM profiles and certificates are rolled out automatically. A separate profile can be created for each user group, if required.
Note! You can also add existing devices to the Apple Business Manager at a later date. How to do this is explained here: How to add iOS devices to the Apple Business Manager.
- Create an account for your company for the Apple Business Manager. For this you need a so-called D&B D-U-N-S® Number.
- Order devices from Apple or an authorized dealer.
- Make sure that the new devices are assigned to your account by Apple Business Manager.
- In the Management Console open Control Panel→ Global Settings.
- In the DEP tab under DEP Certificate, you have the following options (right column):
  - Download: Download the DEP certificate here. This is a Cortado generated certificate.
  - Renew: You can generate a new DEP certificate here, if necessary (for example, if the old one expires).
  - Import: If required, you can import a previously generated certificate here.
- The DEP certificate downloaded in the last step (arrow in upper picture) has to be uploaded to Apple in the next step.
- For this purpose, open the Apple Business Manager under https://business.apple.com/ and select Settings→ Device Management Settings→ Add New MDM Server (arrows in illus.).
- Under MDM Server Info enter a name of your choice (e.g.: department, location, user group) (upper arrow in illus.).
Note! At this point, you need to add a separate MDM server for each DEP profile you want to add, since a separate server token is needed for each profile.
- Under MDM Server Settings→ Choose File (lower arrow in illus.) select the DEP certificate that you downloaded in the Management Console under Global Settings→ DEP→ Download.
- Then save the settings by clicking Save.
- Download your Token now (arrow in illus.). You must load this token into the DEP profile later in the Management Console.
- Then, under Device (left arrow in illus.) select the devices you want to assign.
- After this, click on Edit Device Management (right arrow in illus.).
- Under Assign to server (arrow in illus.) select your MDM server (or your DEP profile).
- Confirm by clicking on Continue.
- In the Cortado Management Console select Global Settings→ DEP→ Add (arrow in illus.).
Note for Cortado Server! Illustrations may vary slightly.
Configure the DEP profile as follows:
- Mandatory: Specify here whether the use of the profile should be mandatory for the users. If the checkbox is left empty, the users can choose whether to install the DEP profile or to create a profile of their own.
- Verify profile: If this checkbox is enabled, the device configuration can only be completed if all steps required in the Cortado Management Console have been carried out.
- Supervised: Specify here whether the device should be used in supervised mode and if the user may remove the MDM profile himself.
- Enable pairing: If this checkbox is enabled, the user may connect his device to a Mac or a PC and connect to iTunes.
- Shared iPad: Activate this checkbox if an iPad should be used by multiple users. This allows different user profiles to be set up on one iPad. You can find more information on the Apple page.
- Upload token: Select the Select token button and upload the Token from the Apple Business Manager (arrow in illus.).
- Anchor certificate (Cortado Server only!):
  - Root certificate: Retain this pre-set selection if you use certificates generated by Cortado Server (self signed) (see the section Encryption (Certificates)).
  - None: Select this setting if you are using Cortado Server root certificates that were purchased from a public certification authority (e.g. Symantec or Comodo). Apple installs these purchased certificates onto the devices automatically and they don’t need to be rolled out separately via DEP.
  - Upload root certificate: Select this setting if you are using root certificates generated by your company-owned certification authority for Cortado Server. (You can find detailed information about certification in the section Encryption (Certificates).)
- Device setup steps: You can specify what steps the user is allowed to make during setup of the device itself.
- Click on OK to finish configuration.
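The settings above have counterparts in the profile JSON that Apple's device enrollment service accepts from an MDM server. The following added example (not Cortado's code) audits such a profile against an example baseline for company-owned devices. The mapping from the console labels to Apple's key names, the baseline values and the sample profiles are assumptions.

```python
import json

# Example baseline for company-owned devices (an assumption, not a vendor default).
# Key names are Apple's DEP profile keys; the console label each one is assumed
# to correspond to is given in the note.
BASELINE = {
    "is_mandatory": (True, "Mandatory: users may skip the DEP profile"),
    "await_device_configured": (True, "Verify profile: setup can finish before all MDM steps are done"),
    "is_supervised": (True, "Supervised: device is not in supervised mode"),
    "is_mdm_removable": (False, "Supervised: user may remove the MDM profile"),
    "allow_pairing": (False, "Enable pairing: device may connect to a Mac/PC and iTunes"),
}

def audit_profile(profile, self_signed_server=False):
    """Return a list of findings for one DEP profile given as a dict."""
    findings = []
    for key, (wanted, note) in BASELINE.items():
        if key not in profile:
            findings.append(f"{key}: not set, cannot confirm ({note})")
        elif profile[key] is not wanted:
            findings.append(f"{key}={profile[key]!r}: {note}")
    # Apple only honours a non-removable MDM profile on supervised devices.
    if profile.get("is_mdm_removable") is False and profile.get("is_supervised") is not True:
        findings.append("is_mdm_removable=False requires is_supervised=True")
    # A self-signed server certificate must be delivered as an anchor certificate.
    if self_signed_server and not profile.get("anchor_certs"):
        findings.append("anchor_certs: empty, but the server certificate is self-signed")
    return findings

# Constructed sample profiles, not exported from any real console.
WEAK = json.loads("""{
  "profile_name": "Sales iPads (constructed)",
  "is_mandatory": true, "await_device_configured": false,
  "is_supervised": false, "is_mdm_removable": false,
  "allow_pairing": true, "anchor_certs": []
}""")
HARDENED = dict(WEAK, await_device_configured=True, is_supervised=True,
                allow_pairing=False, anchor_certs=["BASE64-DER-PLACEHOLDER"])

if __name__ == "__main__":
    for name, prof in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_profile(prof, self_signed_server=True))
```
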
The newly created DEP profile will now be used for the device configuration (left illus.), provided that the devices are new and unused or have been reset to factory settings.
During configuration, the user must enter her user name and password (right illus.). Therefore, before the device can be configured, the user must have been imported into the management console.
Note for Cortado MDM! Users must have registered in the User Self Service Portal using the invitation e-mail. Alternatively, you can assign a password for the user during user import.
That means that, during the configuration, the user only needs to carry out the setup steps that you selected under Device setup steps. The MDM profile will be pushed onto the device automatically. No further configuration of the device in the User Self Service Portal is required.
Embedding further devices (Device Enrollment)
Device Enrollment is recommended for company-owned devices that are not managed via DEP. These devices can be in either supervised or unsupervised mode. However, supervised mode (Supervised Device) should be favored here. When a device is supervised, there are considerably more control options available. There is, for example, a far greater range of policies for supervised devices. Unsupervised, company-owned devices can also be embedded using Device Enrollment.
Note! In this mode, a clear separation between private and work areas is not possible. For this reason, this type of embedding should not be used for devices that are the private property of the user.
Proceed as follows:
- Using the Apple Configurator 2, place the device in supervised mode (optional). Carry this out as described in the Apple user guide.
- Then use Fast Enrollments to embed the device. Alternatively, the user can configure her device herself. Cortado MDM users can find out how this works here and Cortado Server users here. For this, she needs to log in to the User Self Service Portal and download the MDM profile (Device Enrollment).