Enrol iOS devices in Supervised mode

Introduction

This article describes how to use the Apple Device Enrolment Program (DEP) to enrol devices in Supervised mode. The high level steps are to create a policy and include it in a DEP profile. New devices will receive the DEP profile from the Sophos Mobile server and complete enrolment.

 

Prerequisites:

 

Create a policy

  • Go to Mobile> Policies> iOS & iPad OS
  • Click Create> Device policy

  

  • Click Add and select the configuration setting that you want to apply to devices (e.g. “Restrictions”)
  • Save the policy

 

Optional

  • Go to Mobile> Policies> iOS & iPad OS
  • Click Create> Mobile Threat Defense policy
  • Click Add and select the configurations that should be applied to devices

 

 

Create an enrolment Task Bundle

  • Go to Mobile> Task Bundle> iOS & iPad OS
  • Click Create> Create Task Bundle
  • Click Add Task> Assign policy
    • Select Device policy
    • Select the policy created in the earlier section
    • Click Finish

 

Optional

  • Click Add Task> Install app
    • Search for Sophos Intercept X for Mobile
    • Select the app and click Apply
  • Click Add Task> Assign policy
    • Select Mobile Threat Defense policy
    • Select the policy created in the earlier section

  •  Click Save

 

Create Apple Business Manager profile

  • Go to Setup> Apple setup> Apple DEP profiles
  • Click Add

 

  • Enter a relevant name and description
    • Choose a Device Group – devices will be added to this group when they are enrolled
    • In the Task Bundle dropdown, select the Task Bundle created earlier

 

 

  • The tabs allow an admin to customize the enrolment flow and experience for the end user
    • For example, on the Enrolment tab, select ‘Install SMC app’
    • On the iOS Setup tab, select pages that shouldn’t be displayed when the user enrols the device
    • Click Apply to save the profile
  • In the dropdown for ‘Default DEP profile assigned to iPhones and iPads’ select the profile that was just created

 

 

Optional

  • Through integration with Apple Business Manager, admins can automate the process of assigning apps and licenses to users
  • For more information please see this page in the Sophos Mobile Admin guide

 

Enrol device

  • Turn on a new/wiped iOS device
  • Select the relevant Language and join a Wi-Fi network

 

  • The user is prompted to enter their Sophos Central credentials
    • If the administrator has set up Sophos Central federated sign-in, the user can sign-in with their domain credentials. For details on setting up federated sign in please see this page
    • Otherwise the user should log in with Self Service Portal credentials

 

 

  • Several iOS setup pages are displayed to the user
    • The pages displayed will vary based on the settings chosen by the admin when creating the DEP profile (in the ‘iOS Setup’ tab)
  • The iOS home page is displayed and enrolment is complete

 



Updated formatting
[edited by: tom_w at 11:07 AM (GMT -7) on 18 Aug 2022]