DEP is not required for the VPN profile configs; those can be applied with just MDM (or even manually). The VPN payloads are documented here: https://developer.apple.com/enterprise/documentation/Configu...
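An added example, not code from this thread, from Apple or from any MDM vendor: the VPN payload referred to above is a plist dictionary of type com.apple.vpn.managed inside a Configuration profile, and Python's standard plistlib is enough to build one by hand. The script below generates an IKEv2 payload in a weak form (pre-shared key, 3DES, SHA-1, DH group 2) and a hardened form (client certificate, AES-256-GCM, DH group 14), and runs a small lint over both. Key names follow Apple's published payload schema; the hostname, identifiers, organisation name, certificate UUID and the "weak" parameter set are placeholders constructed for the example.

```python
"""Build and lint an Apple VPN configuration profile (.mobileconfig).

Added example for this thread, not Apple's or an MDM vendor's code.
Key names follow the com.apple.vpn.managed payload schema; hostnames,
identifiers, UUIDs and the organisation below are placeholders.
"""
import plistlib
import uuid

# Hardened IKE / child SA parameters (AEAD cipher, 2048-bit MODP group).
STRONG_SA = {
    "EncryptionAlgorithm": "AES-256-GCM",
    "IntegrityAlgorithm": "SHA2-256",
    "DiffieHellmanGroup": 14,
    "LifeTimeInMinutes": 1440,
}
# Deliberately weak parameters, constructed only as the "before" case for the linter.
LEGACY_SA = {
    "EncryptionAlgorithm": "3DES",
    "IntegrityAlgorithm": "SHA1-96",
    "DiffieHellmanGroup": 2,
    "LifeTimeInMinutes": 1440,
}
WEAK_DH_GROUPS = {1, 2, 5}          # 768/1024/1536-bit MODP
WEAK_CIPHERS = {"DES", "3DES"}


def ikev2_payload(remote_host, local_id, *, cert_uuid=None, shared_secret=None,
                  sa=STRONG_SA, display_name="Corp VPN"):
    """Return one com.apple.vpn.managed payload dict for an IKEv2 tunnel.

    cert_uuid selects client-certificate auth (the PKCS#12 payload with that
    UUID must ship in the same profile); otherwise shared_secret selects PSK auth.
    Flag values are 0/1 integers as in Apple's Configuration Profile Reference.
    """
    ike = {
        "RemoteAddress": remote_host,
        "RemoteIdentifier": remote_host,
        "LocalIdentifier": local_id,
        "DeadPeerDetectionRate": "Medium",
        "EnablePFS": 1,
        "DisableMOBIKE": 0,
        "IKESecurityAssociationParameters": dict(sa),
        "ChildSecurityAssociationParameters": dict(sa),
    }
    if cert_uuid:
        ike.update(AuthenticationMethod="Certificate",
                   PayloadCertificateUUID=cert_uuid, ExtendedAuthEnabled=0)
    else:
        ike.update(AuthenticationMethod="SharedSecret", SharedSecret=shared_secret)
    return {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn.%s" % uuid.uuid4(),  # placeholder org
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "UserDefinedName": display_name,
        "VPNType": "IKEv2",
        "IKEv2": ike,
    }


def check_vpn_payload(payload):
    """Return a list of findings a reviewer would push back on (empty = clean)."""
    findings = []
    ike = payload.get("IKEv2", {})
    if ike.get("AuthenticationMethod") == "SharedSecret":
        findings.append("SharedSecret auth: the PSK sits in plaintext in every copy of the profile")
    if not ike.get("EnablePFS"):
        findings.append("EnablePFS is off: child SA keys are not independent of the IKE SA")
    for which in ("IKESecurityAssociationParameters", "ChildSecurityAssociationParameters"):
        sa = ike.get(which, {})
        group = sa.get("DiffieHellmanGroup")
        if group in WEAK_DH_GROUPS:
            findings.append("%s: DH group %d is 1536-bit MODP or smaller" % (which, group))
        if sa.get("EncryptionAlgorithm") in WEAK_CIPHERS:
            findings.append("%s: %s is a 64-bit block cipher" % (which, sa["EncryptionAlgorithm"]))
        if str(sa.get("IntegrityAlgorithm", "")).startswith("SHA1"):
            findings.append("%s: SHA-1 integrity" % which)
    return findings


def to_mobileconfig(payloads, org="Example Corp", name="Example VPN"):
    """Wrap payloads in a top-level Configuration profile; returns XML plist bytes.

    The output is unsigned; an MDM normally CMS-signs the profile before pushing it.
    """
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.vpn",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadOrganization": org,
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    weak = ikev2_payload("vpn.example.com", "user@example.com",
                         shared_secret="changeme", sa=LEGACY_SA)
    good = ikev2_payload("vpn.example.com", "user@example.com",
                         cert_uuid="11111111-2222-3333-4444-555555555555")
    for label, p in (("weak", weak), ("hardened", good)):
        print(label, check_vpn_payload(p) or ["no findings"])
    print(to_mobileconfig([good]).decode())
```

The printed XML is exactly the kind of file an MDM pushes; installing it manually via Settings on the device (or through Apple Configurator) works without any DEP involvement, which is the point of the comment above.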
If the device was purchased on or after March 1st 2011 you can do the following:
1. Work with your reseller if they participate in DEP to get the devices enrolled retroactively. Sometimes you have to put the nails on the reseller (they can be pretty bad about this; looking at you, Verizon), but it absolutely can be done.
2. If your devices are eligible and were a direct purchase from Apple, you should contact Apple's enterprise support and they can start the process of double-checking eligibility and getting those devices enrolled accordingly. This is pretty straightforward.
3. You can enroll eligible devices via Apple Configurator 2 into DEP using the process described here:
https://help.apple.com/configurator/mac/#/cad99bc2a859
Using Apple Configurator 2 will allow you to bypass any reseller to enroll into DEP, so it's your best move if you are having issues getting people to do it fast enough. Any eligible device can be enrolled this way.
Here's a relevant help link with phone numbers and more on eligibility, enrolling, etc.
https://support.apple.com/en-us/HT204142#manual
I see this misinformation so much, so please help share this if you can:
https://support.jamfnow.com/hc/en-us/articles/360000004483-U...
So you need to provide a DEP-authorized account number to the salesperson in an Apple store? Is this possible when buying online from apple.com?
Any idea why Apple does not provide a service to test whether a device serial number is DEP-managed? It would deter attempts to resell DEP-managed devices.
> Any idea why Apple does not provide a service to test whether a device serial number is DEP-managed?
Because once you know the serial number of a DEP device you can enroll into the MDM. There is virtually no security. See https://duo.com/labs/research/mdm-me-maybe
> an attacker that obtains such a serial number ... will be able to enroll a device of their own as if it were owned by the organization, as long as it's not currently enrolled in the MDM server.
So, the rule is at-most-once enrollment.
And further down:
> some organizations elect not to require user authentication as part of MDM enrollment.
IOW, if you are not enabling authentication, you have only yourself to blame.
Commercial MDM providers only whitelist a handful of VPN client apps for per-app VPN profiles. Why are those needed when there is already a native iOS VPN client for IPsec?
That's all commercial vendors do: push these XML files to your device.