Sophos Mobile: How to manually add iOS devices to the Apple Device Enrollment Program (DEP)

Special thanks to Torben for creating this Content!


Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

Overview 

This article describes how to manually register an iPhone or iPad for Apple DEP.

Note: The device is reset to its factory settings.  

Requirements

  • Apple Business Manager account
  • iPhone, iPad or iPod touch with iOS 11 or later

    Make sure that “Find my iPhone” is disabled. Otherwise you have to enter the previously used Apple ID again, set up the device without any Apple ID, and factory reset it again.

  • Mac with macOS 10.14 or later and Apple Configurator 2.5 or later installed
  • Apple Configurator is available in Apple’s macOS App Store
  • A Lightning USB cable to connect your iOS device to the Mac

Steps to be performed 

  1. Connect the device to a USB port of a Mac with Apple Configurator 2.5 or later installed.
     
  2. In Apple Configurator, go to File > New Profile.
    The device requires the following profile to connect to the Apple DEP registration server. Create a profile under the General option.



  3. Select Wi-Fi to create a network profile and fill in the details for your Wi-Fi connection.

     

  4. Save the created profile under Wifi
     
  5. Double-click the device that is connected to the Mac and select Prepare, as shown in the figure below.



  6. Select Manual Configuration from the drop-down and select “Add to device enrollment program”.
    Note: Do not enable “Activate and complete enrollment” as shown in the above picture, because we have a new or existing device that requires unique user authentication to enroll in MDM. The device is left at the Setup Assistant, and the user completes the enrollment.

  7. Click Next to proceed. You are then prompted to create the server entry, as shown below:
  8. Enter the Sophos Central URL or the on-premise server URL for the enrollment.
    You may enter any value in the Enrollment URL. Apple Configurator doesn’t use the value when registering DEP devices.
  9. You may get the message “Unable to verify server enrollment URL”. You can safely ignore this message and click Next.
  10. Add the anchor certificates for the MDM server from the list and click Next.
     
  11. You will be asked to choose the organization which will be used to supervise the devices. Select New organization.
  12. Use the Apple ID and password of your Apple DEP account.
  13. If you are asked for a second-factor text message, select your phone number and click Continue.
     
  14. Enter the number. You are then asked for permission to access your contacts. Click OK.
  15. To create the organization entry, select Generate a new supervision identity.
     
  16. When asked to verify the configuration in iOS setup, select "Don't show any of these steps" under Setup Assistant and click Next.

  17. You will be asked to choose your Wi-Fi profile. Click Choose, select the Wi-Fi profile, and then click Prepare.
  18. Enter your Mac admin credentials and click Update settings.
     
  19. Now your iOS device will be prepared.  
  20. If the device is already set up, it has to be erased. Click “Erase” to proceed.
    Please note that all data will be lost when you click Erase.
    It will take some time for the change to be reflected. You can check the device for pending actions. Wait until the preparation procedure is finished. Do not turn off the device at this stage.

  21. Click Try Again if the device is not ready yet.
  22. It will show Step 3 of 3: Activation iOS on the device, which is the last step.


    The device is ready once this process finishes.
  23. Log in to your Apple Business Manager account (DEP).
  24. When the device is registered, you can select it in the Apple DEP portal by its serial number. See the picture below for reference.



  25. Click Settings at the bottom of the left pane. The MDM servers are listed.

     
  26. All imported devices are found here. You can now assign them to Sophos Mobile. 
  27. Before you can hand over the device to a user, enroll it with Sophos Mobile as described in Deploy DEP devices.

    The device can be used like any other DEP device, but the user of an imported device has a 30-day provisional period to remove the device from DEP again.




Updated the disclaimer
[edited by: Gladys at 5:02 AM (GMT -7) on 6 Apr 2023]