If you're a small business owner with dreams of unifying your team around company-owned Macs, iPads, iPhones or Apple TVs, the first issue you will have to confront is your excited employees. Then it's time to concentrate on the logistics of collecting and distributing the goods.
It's not as simple as having everyone just drop by your office to pick up their new toys. You will need to institute a system to deploy your electronic devices, complete with the necessary company tools and resources for your business, while accommodating various degrees of dual work and personal use.
What is it?
Apple's Device Enrollment Program (DEP) automates the enrollment and configuration of macOS, iOS and tvOS devices to integrate with your company's mobile device management (MDM), enterprise mobile management (EMM) or mobile application management (MAM) software. Such utilities as VMware AirWatch, Hexnode, Cisco Meraki and Citrix XenMobile facilitate zero-touch provisioning. This lets IT administrators remotely configure, manage and troubleshoot workforce devices, and distribute apps, data, settings, software patches and various corporate services.
How to get started
Apple DEP applies specifically to company-owned devices provided to employees. The enrollment sequence goes roughly like this:
1. Register for the Apple Deployment Program (ADP).
2. Purchase devices and enter an ID number.
3. Link the devices from the DEP website to your chosen MDM server.
4. Apple automatically recognizes the devices as part of the DEP program, so it picks up the MDM configurations your company IT has set.
5. Distribute devices complete with MDM setup for immediate use.
With DEP, you can purchase devices specifically for employees via Apple, an authorized reseller or a third-party carrier. Until iOS 11, DEP only supported devices purchased from authorized channels, not devices purchased from third parties. But that has changed, to the benefit of small businesses, schools and nonprofits that can now use DEP with any purchased, donated or older device. Once users are assigned a device, either personal or shared, DEP ensures that MDM configurations, controls and restrictions are automatically operative upon setup.
With personally enabled company devices distributed to individual employees, users can personalize their devices by adding their own apps and data alongside your MDM corporate accounts or apps. Conversely, shared devices are generally restricted from users adding personal apps or data.
You can also manually hook iOS or Apple TV devices into your MDM account via the free Apple Configurator 2.5 program, which integrates with DEP and works with a Mac USB connection.
Apple Deployment Programs offer both program agent and administrator accounts. The program agent is a required master account that sets up all other accounts. For very small businesses, the program agent account can manage everything, but Apple recommends that you set up at least one administrator account.
DEP program eligibility covers devices purchased after March 1, 2011, that run iOS 7 or later, Macs running macOS 10.9 or later, and fourth-generation Apple TVs running tvOS 10.2 or later.
How does it help small businesses?
Apple's DEP saves time and effort for both users and IT departments by easing the deployment of company Macs, iOS devices and Apple TVs without IT having to handle each device individually. The program lets users hit the ground running with a simplified device setup: As soon as employees open the box, the device is ready to go after a few screens. MDM controls automatically activate when users sign in, or users can complete the device setup in MDM on their own without IT.
With DEP and MDM, your company's devices are set to supervised mode to augment wireless management and security options, as well as to enable additional restrictions if needed now or in the future, for example filtering web content or disabling iMessage, AirDrop, Game Center or Apple Music. The level of control can vary according to your preferences: You can use supervision without heavily regulating or invasively restricting users' access to their devices' cool features.
DEP ensures employee compliance with company protocols because it prevents users from opting out of MDM software or removing management settings from company-owned devices. It protects devices from being wiped, resold, or used by unauthorized individuals or thieves. MDM in supervised devices can bypass Apple's activation lock, the primary feature of Find My iPhone that prevents reactivation of a lost or stolen handset, so management can erase a device for redeployment to a new user. In lost mode, which does not require Find My iPhone, supervised devices that are lost or stolen can be remotely locked and possibly found via remote query.
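The guarantees described above (supervision, no opting out of MDM, no removing management) depend on flags in the enrollment profile your MDM server assigns to DEP devices. The following audit is an added example, not code from the article or from any MDM vendor: the key names are those of Apple's DEP enrollment profile, while the sample profile, the `audit_profile` helper and the defaults applied to missing keys are assumptions made for illustration.

```python
import json

# Constructed sample profile (not from the article): supervised, but the
# user can still skip enrollment and later remove the MDM profile.
SAMPLE_PROFILE = json.loads("""
{
  "profile_name": "Example Corp default",
  "url": "https://mdm.example.com/enroll",
  "is_supervised": true,
  "is_mandatory": false,
  "is_mdm_removable": true
}
""")

# Assumed values for keys that are absent from a profile.
DEFAULTS = {"is_supervised": False, "is_mandatory": False, "is_mdm_removable": True}


def audit_profile(profile):
    """Return (key, reason) findings where a profile is weaker than the
    behaviour the article describes for company-owned devices."""
    p = {**DEFAULTS, **profile}
    findings = []
    if not p["is_supervised"]:
        findings.append(("is_supervised",
                         "supervised-only restrictions and Lost Mode are unavailable"))
    if not p["is_mandatory"]:
        findings.append(("is_mandatory",
                         "user can skip MDM enrollment during device setup"))
    if p["is_mdm_removable"]:
        findings.append(("is_mdm_removable",
                         "user can remove the MDM profile after setup"))
    elif not p["is_supervised"]:
        # Non-removable management is only honoured on supervised devices.
        findings.append(("is_mdm_removable",
                         "set to false but the device is not supervised"))
    return findings


# The same profile with the weak settings corrected.
HARDENED_PROFILE = dict(SAMPLE_PROFILE, is_mandatory=True, is_mdm_removable=False)

if __name__ == "__main__":
    for name, prof in (("sample", SAMPLE_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, audit_profile(prof) or "no findings")
```

Run it against the profile exported from your own MDM console; a company-owned fleet that is meant to behave as described here should report no findings.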
What you need to know
If you allow employees to use their own personal iPhones and iPads for company business – commonly known as BYOD (bring your own device) – those too can be managed with MDM so that IT can enforce corporate policies, but that operation is distinct from DEP, as DEP applies only to company-owned equipment.
With BYOD, you can still offer company Wi-Fi, mail and calendar services for employees via MDM opt-in while maintaining individual privacy for employees' personal email, calendars, contacts, SMS or iMessages, browser history, FaceTime or phone call logs, reminders and notes, and device location. Employees are fully briefed on what the MDM server can access and the features it configures. If users leave the company, they can unenroll, keeping their own data intact.
With MDM, companies can exert granular control over most but not all aspects of device use. For example, some companies may bristle at their inability to prevent users from activities such as copying and pasting content from apps and documents.
Overall, taking a light approach to supervision is the most agreeable way to handle corporate deployment in almost all situations. Allowing users to personalize either company-owned or personal BYOD units under MDM with additional apps and content often enhances job performance and satisfaction.
The Apple DEP is a free service that works with many MDM vendors and offers a convenient and flexible program for mass remote enrollment of company-owned employee devices. It saves time and effort for IT departments in standardizing corporate policies, ensures that all employees have the resources to get their jobs done, and keeps employees happy with the freedom to use and enjoy their tech to best advantage.