Last year I published a blogpost on how to deploy Apple iOS devices via Apple Configurator to create a lite touch device enrollment: https://www.antonvanpelt.com/lite-touch-installation-ios-through-xenmobile/
In this blogpost I want to show you how you can combine the Apple Device Enrollment Program with the Volume Purchase Program to offer a zero-touch enrollment.
I recently showed this in a webinar at Virtual Expo (XenApp Blog). If you are a member you can find the recording here: http://xenapptraining.com/members/virtual-expo/2016-03
Device Enrollment Program (DEP)
By default any Apple device (iPhone, iPad or Mac) connects to the DEP cloud service during activation to check whether its serial number is linked to a Device Enrollment Program account. If it is not, the device shows the normal Setup Assistant to configure settings like Passcode Lock, Touch ID, Location Services, etc. If the serial number is linked to a Device Enrollment Program account, the device connects to the MDM server that is assigned to it in the DEP portal and runs the Setup Assistant as configured on the MDM server.
Only Apple devices that are ordered via an Apple Authorized Reseller or directly from Apple can be linked to the Device Enrollment Program. Make sure to talk to the Apple Authorized Reseller before you order the devices. It is possible to add devices later, but they still need to have been ordered via the Authorized Reseller or Apple!
More details on the Device Enrollment Program can be found in the Device Enrollment Program Guide: https://www.apple.com/education/docs/DEP_Guide.pdf
Volume Purchase Program (VPP)
By default, if you push a public App Store application via XenMobile down to the device, the user needs to sign in to the Apple App Store. This requires the user to have an iTunes account before he can use the device. Of course you can use a corporate iTunes account (there is no limitation anymore on the number of devices registered to one account!!), but this is not what we want.
To overcome this mandatory iTunes sign-in prompt we can make use of the Apple Volume Purchase Program. Apple VPP allows you as a company to order a number of application licenses, which allows you to push the application down to the device without the need to sign in to the App Store. This works because the license is assigned to the device itself rather than to the iTunes account of the user.
Keep in mind that the device needs to be in Supervised mode to install applications silently.
More details on the Volume Purchase Program can be found in the Volume Purchase Program Guide: https://www.apple.com/business/docs/VPP_Business_Guide.pdf
By making use of Apple Configurator or the Device Enrollment Program you are able to put devices into Supervised mode. This means that you take administrative control over the device and unlock a lot of extra management features. Features like single app mode, removing the activation lock, and blocking access to the App Store, iTunes and iCloud become available. The following screenshot shows that a lot of options are available in supervised mode only.
Of course you don't want to enable supervised mode on personal devices (BYOD). But for Corporate Owned Devices (COD) and Corporate Owned, Personally Enabled (COPE) devices you might consider enabling supervised mode.
Enroll for the Apple Device Enrollment Program
Before we can start configuring the Device Enrollment Program we first have to enroll for the program itself: https://deploy.apple.com/qforms/open/register/index/avs. Before you can enroll, make sure that your organization has a valid D-U-N-S number: https://fedgov.dnb.com/webform. To make use of this program you need to register for the Apple Deployment Programs via your corporate email address. You cannot use an existing Apple ID!
Apple DEP also requires two-step verification, so you need to register a cellphone number for each admin you assign to the DEP portal. During the registration you get the option to provide an Apple Customer Number (if you purchase directly from Apple) and/or a DEP Reseller ID (if you purchase from a participating Apple Authorized Reseller or carrier). If you ordered the devices directly from Apple, they will be available in your DEP portal right away. If you ordered the devices via an Apple Authorized Reseller, you will receive a DEP Customer ID when your enrollment is approved. Give this DEP Customer ID to your reseller, who will use it to submit information about your purchases to Apple. The reseller has to submit your purchases to Apple before the devices become available via DEP.
Prepare XenMobile Server
Before we can add the XenMobile MDM server to the Apple DEP portal we have to prepare the XenMobile server first. Log in to your XenMobile server and open the iOS Bulk Enrollment settings. Select the DEP Configuration and select Export Public Key. The exported file is the public half of a key pair that XenMobile keeps; Apple will encrypt the DEP server token to this public key, so only this XenMobile server can use the token.
Add your MDM server to Apple DEP
After your enrollment is approved you can log in to the Apple DEP portal as administrator and add other administrators. Once we are logged in to the Apple DEP portal we can add our MDM server. Keep in mind that Apple DEP is kind of useless without a proper MDM solution behind it.
Next we have to specify a name for our MDM server, and specify whether new devices that are added to the DEP portal should automatically be assigned to this MDM server or not.
Now we have to import the bulk enrollment public key we created earlier during the XenMobile server preparation phase.
This uploads the XenMobile public key to the Apple DEP portal and generates the server token that we need to import into XenMobile server. The token is encrypted to the uploaded public key and contains the credentials XenMobile uses to talk to the DEP web service, so treat the downloaded token file as a secret and do not leave it lying around on admin workstations.
Next we have to import the Server Token generated via the Apple DEP portal into XenMobile.
This finalizes the handshake between Apple and your XenMobile environment. We can now configure several options, like whether the device gets Supervised or not (see the Supervised mode paragraph), and we can also configure the Setup Assistant options, like we have seen earlier in the Lite-Touch deployment via Apple Configurator blogpost.
Now we have finalized the XenMobile Apple DEP integration and we are ready to deploy our devices. Keep in mind that the devices first need to be added to your Device Enrollment Program account by the authorized reseller (or appear automatically when ordered directly from Apple) and that they need to be assigned to the MDM server we created earlier; this happens automatically if you made it the default MDM server in the DEP portal.
With that we have configured an OTA (Over-The-Air) enrollment mechanism. This will save you a lot of time preparing devices with or without Apple Configurator. As you can see, a user can't skip the configuration, as was possible via the Apple Configurator method! Because the MDM enrollment is pushed as part of activation, it can also be made mandatory so that the user cannot remove the MDM profile afterwards.
We also want to push applications to the device silently, without the need to sign in to the App Store. Therefore we need to configure the integration between XenMobile and the Apple Volume Purchase Program.
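To make the handshake above less of a black box, here is an added example (my own demo, not code from the original post, from Citrix or from Apple) that reproduces it locally with openssl: step 1 is what "Export Public Key" produces, step 2 is what the DEP portal does with the uploaded certificate, and step 3 is what the MDM does on import. It assumes openssl is installed; the file names, the organisation name and all credential values in the token are constructed placeholders, and the real token's JSON is issued by Apple, not by you.

```shell
#!/bin/sh
# Added example: the DEP public-key / server-token handshake, simulated
# locally.  Not the original post's code; openssl is assumed to be present.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Step 1: what the MDM does on "Export Public Key".  It keeps a private
# key and hands you an X.509 certificate (the "public key") to upload.
make_mdm_keypair() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=xenmobile-dep-demo" \
        -keyout "$WORK/mdm_private_key.pem" \
        -out "$WORK/mdm_public_key.pem" 2>/dev/null
    echo "$WORK/mdm_public_key.pem"
}

# Step 2: what Apple's portal does with the uploaded certificate.  The
# server token is an S/MIME (PKCS#7) envelope encrypted to that certificate,
# wrapped in BEGIN/END MESSAGE lines; inside is JSON with the OAuth
# credentials the MDM uses against the DEP web service.  Values are fake.
simulate_apple_portal_token() {
    cat > "$WORK/token.json" <<'EOF'
{"consumer_key":"CK_demo","consumer_secret":"CS_demo","access_token":"AT_demo","access_secret":"AS_demo","access_token_expiry":"2017-04-01T00:00:00Z"}
EOF
    {
        echo '-----BEGIN MESSAGE-----'
        openssl smime -encrypt -aes256 -in "$WORK/token.json" "$WORK/mdm_public_key.pem"
        echo '-----END MESSAGE-----'
    } > "$WORK/server_token.p7m"
    rm -f "$WORK/token.json"
    echo "$WORK/server_token.p7m"
}

# Step 3: what the MDM does on import: strip the wrapper lines and decrypt
# with the private key from step 1.  Nobody without that key can read the
# token, which is why both the key and the .p7m file are secrets.
decrypt_server_token() {
    sed -e '/^-----BEGIN MESSAGE-----$/d' -e '/^-----END MESSAGE-----$/d' "$1" \
        | openssl smime -decrypt -inkey "$WORK/mdm_private_key.pem"
}

# Pull one field out of the decrypted one-line JSON (demo only; use a real
# JSON parser for anything beyond this flat document).
token_field() {
    decrypt_server_token "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Demo run: generate the key pair, "receive" a token, and show its expiry,
# the value you want to track because a DEP server token must be renewed.
if [ "${DEP_DEMO:-1}" = 1 ]; then
    make_mdm_keypair >/dev/null
    TOKEN=$(simulate_apple_portal_token)
    echo "server token written to $TOKEN"
    echo "access token expires: $(token_field "$TOKEN" access_token_expiry)"
fi
```

The same `decrypt_server_token` command line, pointed at the private key your MDM actually exported with, is also how you check an expiring real token before a renewal: the expiry date is the `access_token_expiry` field, not something visible in the portal download itself.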
Enroll for the Apple Volume Purchase Program
Enrolling for the Volume Purchase Program works the same way as for DEP: register for the Apple Deployment Programs at https://deploy.apple.com/qforms/open/register/index/avs with your corporate email address, and make sure that your organization has a valid D-U-N-S number (https://fedgov.dnb.com/webform) before you start. You cannot use an existing Apple ID!
Download the server token
After the enrollment process completes we are able to sign in to the VPP portal, where we can download the token that we need to import into XenMobile.
Prepare XenMobile Server
After we have downloaded the token from the VPP portal we can configure XenMobile Server to finalize the Apple VPP configuration.
Log in to your XenMobile server and open the iOS Settings. Now we can add the VPP Account and paste in the token that we downloaded from the VPP portal. Also fill in the account details so that XenMobile Server can log in to the VPP portal. Like the DEP server token, the VPP token is a credential that grants access to your license pool and it is only valid for one year, so store it safely and plan for the renewal.
Purchase your applications
Now we can order our applications from within the VPP portal. Keep in mind that even free applications need to be ordered via the VPP portal. For example, we order 500 licenses of the Facebook app.
Make sure to also order Worx Home as a VPP application.
After we have ordered the applications, XenMobile fetches them into its configuration within a couple of minutes, so you will see those applications appear (with some delay) automatically in XenMobile Server.
As you can see we now have two Worx Home applications: one provided via Apple VPP (shown with the extension PQR) and another one provided via the Apple DEP program. Since we don't want to sign in to the iTunes store, we have to remove the non-VPP Worx Home application and proceed with the Worx Home application that we ordered via VPP.
Configure deployment of VPP based apps
As of now those applications are only available in XenMobile; nothing will be distributed until we configure the apps to be pushed to the device. We have two options here: we can push applications to the device or to the user. For Worx Home we have to choose device-based distribution, since we don't know the user details yet at enrollment time. To deploy Worx Home to the device we have to edit the application and specify that this application needs to claim a VPP license. This needs to be done for every VPP-based application that you want to deploy.
Because we want to push Worx Home to the device instead of to the user, we have to choose another delivery group. We will pick the "Device Enrollment Program Package" delivery group for the delivery of Worx Home. This delivery group is used together with the DEP enrollment of the device.
Next we have to configure the delivery group to push Worx Home as a required application.
Now that Worx Home is a required application, it will be pushed directly after the DEP enrollment completes, without the need to sign in to the App Store.
We could deploy all the VPP apps in the same manner, but then Worx Home would be kind of useless and you couldn't see which user has which application installed. Until the user signs in to Worx Home, the device is registered to the device enrollment user rather than to the user the device belongs to. So in my case we chose to deploy the other applications on a user basis. Therefore the user needs to sign in to Worx Home to get the applications pushed automatically, or download them from the Worx Store if they want to.
So we configure the other VPP-based apps to deploy via a user-based delivery group; this delivery group is based on an Active Directory group.
As soon as the user has signed in to Worx Home the required apps will be pushed automatically. The optional apps can be requested by the user via the Worx Store.
This completes the Apple Volume Purchase Program configuration for Citrix XenMobile.
In this blogpost I have shown that it is possible to do a zero-touch deployment of Apple devices. The Device Enrollment Program (DEP) takes care of the initial installation and configuration. The Volume Purchase Program (VPP) allows you to push or offer applications to a device or user without the need to sign in to the App Store.