Enrol iOS devices in Supervised mode

Introduction

This article describes how to use the Apple Device Enrolment Program (DEP) to enrol devices in Supervised mode. The high level steps are to create a policy and include it in a DEP profile. New devices will receive the DEP profile from the Sophos Mobile server and complete enrolment.

Prerequisites:

• Apple Business Manager integration:
  • Integration between Apple Business Manager and Sophos Mobile has been set up. For information on this please see: https://docs.sophos.com/central/Mobile/help/en-us/AdminHelp/EnrollDevices/ABM/index.html
  • iOS devices are assigned to the MDM server in Apple Business Manager

Create a policy

• Go to Mobile> Policies> iOS & iPad OS
• Click Create> Device policy

• Click Add and select the configuration setting that you want to apply to devices (e.g. “Restrictions”)
• Save the policy

Optional

• Go to Mobile> Policies> iOS & iPad OS
• Click Create> Mobile Threat Defense policy
• Click Add and select the configurations that should be applied to devices

Create an enrolment Task Bundle

• Go to Mobile> Task Bundle> iOS & iPad OS
• Click Create> Create Task Bundle
• Click Add Task> Assign policy
  • Select Device policy
  • Select the policy created in the earlier section
  • Click Finish

Optional

• Click Add Task> Install app
  • Search for Sophos Intercept X for Mobile
  • Select the app and click Apply
• Click Add Task> Assign policy
  • Select Mobile Threat Defense policy
  • Select the policy created in the earlier section

•  Click Save

Create Apple Business Manager profile

• Go to Setup> Apple setup> Apple DEP profiles
• Click Add

• Enter a relevant name and description
  • Choose a Device Group – devices will be added to this group when they are enrolled
  • In the Task Bundle dropdown, select the Task Bundle created earlier

• The tabs allow an admin to customize the enrolment flow and experience for the end user
  • For example, on the Enrolment tab, select ‘Install SMC app’
  • On the iOS Setup tab, select pages that shouldn’t be displayed when the user enrols the device
  • Click Apply to save the profile
• In the dropdown for ‘Default DEP profile assigned to iPhones and iPads’ select the profile that was just created

Optional

• Through integration with Apple Business Manager, admins can automate the process of assigning apps and licenses to users
• For more information please see this page in the Sophos Mobile Admin guide

Enrol device

• Turn on a new/wiped iOS device
• Select the relevant Language and join a Wi-Fi network

• The user is prompted to enter their Sophos Central credentials
  • If the administrator has set up Sophos Central federated sign-in, the user can sign-in with their domain credentials. For details on setting up federated sign in please see this page
  • Otherwise the user should log in with Self Service Portal credentials

• Several iOS setup pages are displayed to the user
  • The pages displayed will vary based on the settings chosen by the admin when creating the DEP profile (in the ‘iOS Setup’ tab)

• The iOS home page is displayed and enrolment is complete