Apple's new Device Enrollment Program (DEP) is a significant new enterprise initiative that removes one of the biggest, if not the biggest, roadblocks to iOS device deployments within businesses or schools: The need to touch each device to ensure that it is fully managed and locked down.
The Device Enrollment Program was announced yesterday along with a slew of new IT-focused documentation and tweaks to managing Apple IDs for K-12 students and Apple's app volume purchase/licensing program. It offers the ability to configure iOS devices as supervised without using Apple Configurator, allowing for over-the-air management with these evice management capabilities. As such, this can be considered one of the most groundbreaking iOS management additions since Apple introduced MDM support nearly four years ago.
Reading through Apple's descriptions and documentation on the Device Enrollment Program, it's very easy to see the program as a very good solution for organizations that want to use the COPE (corporate owned, personally enabled) model for mobile devices. That model, an alternative to BYOD, focuses on a giving users a device that, while managed, can also be customized and used as their personal device.
iOS device management up to now
To understand why this is such a significant move, you need to consider a few facts about iOS device management up until this point.
Apple introduced basic management capabilities into iOS in 2008 alongside the launch of the App Store and the iPhone 3G. Some basic security policies like passcode requirement were made available through Exchange ActiveSync, while others were implemented using configuration profiles that needed to be manually installed on each device.
Two years later, in iOS 4, Apple launched its MDM framework that supported over-the-air management through MDM tools. Apple's selection of configuration options and device feature restrictions was a solid move forward and it enabled many organizations to begin adopting, supporting, or allowing the iPhone and iPad to be used to access corporate networks, resources, and information. The selected set of management capabilities was far from complete, however, and didn't go near the security capabilities that many IT departments were used to having over BlackBerry devices.
In early 2012, Apple introduced Apple Configurator, a utility that allowed for more stringent configuration, app management, and restrictions than MDM solutions did at the time. This was largely because of a supervised mode that Apple Configurator enabled. The downside to this model was that it didn't offer over-the-air capabilities -- ach iPhone, iPad, or iPod touch needed to be connected by USB to a Mac running Apple Configurator.
But Apple Configurator was a nice choice for user privacy. If an organization wanted to use Apple Configurator's new supervision feature, an IT staff member would need physical access to a user's device and the process would wipe the device. The user would be very much aware that the device had been supervised. This also reflected the fact that supervision was designed more for corporate-owned rather than BYOD devices. It is particularly well suited to devices that are shared among many users, like kiosk-style retail applications, use by hospitality or wait staff, or classrooms where devices are shared between multiple students.
In iOS 6, Apple introduced two different tiers of new management capabilities. The first tier included general configuration and restriction enhancements that any MDM vendor could plug into and manage. The second included more restrictive settings that could only be enabled if a device was setup as a supervised device using Apple Configurator. Even though MDM vendors could integrate the requirement and the Apple Configurator workflow into their enrollment and deployment processes, the need to physically touch each device remained. When iOS 7 was released last fall, it also added a range of new management options that required supervision as well as a range of options that didn't.
What does supervision enable?
Apple has added several powerful management options over the past couple of years that can only be enabled on supervised devices. Here's a list of those features.
- Enable and manage Single App Mode (typical for kiosk devices).
- Configure Accessibility settings.
- Allow or disable access to iMessage.
- Allow or disable access to Game Center.
- Allow or or prevent users from deleting apps.
- Allow or disable access to iBooks Store.
- Prevent access to ebooks flagged erotica in the iBooks Store.
- Enable or disable Siri's Profanity Filter.
- Allow or or prevent manual install of configuration profiles (including unauthorized or malicious profiles).
- Configure a global proxy server for all installed web browsers.
- Allow or prevent host pairing (iTunes).
- Allow or or prevent pairing with computers for content sync.
- Restrict AirPlay connections with a whitelist of acceptable device and enter a passcode for those devices. This allows users access to those devices without needing to know the passcode.
- Allow or disable access to AirDrop.
- Allow or prevent users from modifying account information.
- Allow or prevent users from changing cellular data settings.
- Allow or disable access to Find My Friends (if installed).
- Enable or disable access to Activation Lock.
- Allow silent or background install or update of apps without user interaction.
As you can see that's a pretty hefty list of restrictions that can be useful in many different circumstances, but they are particularly helpful for K-12 schools to ensure student safety. They also make it possible for schools to abide by filtering and content access laws and regulations, even when the devices are used at home or off campus.
Other features of the Device Enrollment Program
Although easy configuration of supervision features is one of the biggest advantages to the Device Enrollment Program, the program has other valuable features as well. Devices that are assigned to an organization's MDM service through DEP enrollment can also be configured using mandatory configurations of the remaining MDM capabilities supported by iOS 7, MDM settings can be locked to prevent users from changing or disabling them, and several parts of the standard iOS Setup Assistant can be skipped.
The parts of the setup process that can be skipping include the following:
- Passcode setup
- Enabling of location services
- The option to restore a device from an iCloud or iTunes backup
- The prompt to sign in with an Apple ID
- The standard Terms of Service prompt
- Enabling Siri
- Opting whether to send diagnostic information to Apple
Which types of devices are suited to program enrollment?
Apple has made it pretty clear that the Device Enrollment Program is designed to support corporate-owned or school-owned devices used by a single person. The program is not intended or available for BYOD devices -- in part because a user-owned device wouldn't be purchased direct from Apple by an organization, making it ineligible for the program -- and it is not intended for devices that will be shared among users.
Apple says in its iOS Enterprise Deployment Overview (PDF link) that organizations where iOS devices are shared should continue to use Apple Configurator: "Non-personalized devices are usually supervised with Apple Configurator and enrolled with an MDM solution. This allows the content on the device to be refreshed or restored if modified by a user."
To be enrolled, devices must be purchased direct from Apple and the program is currently limited to U.S. organizations. In addition to devices purchased after an organization enrolls in the program, any devices an organization purchased direct from Apple within the past three years are also eligible.