Existing SM user but new to DEP and Apple Configurator....need advice

Jacko
Here to help

Hi all,

I'm new to these boards but have been using Meraki SM for 4 years now, albeit without utilising all its features.

However, I have recently enrolled our company into DEP and now want to supervise all our iOS devices.

I know this will mean a wipe and re-enrolment of all existing devices, and it's my understanding that if a user restores from iCloud to a time prior to the supervised enrolment then it will remove the supervision from their device.

To that end I'd really appreciate any advice on the following points. Sorry, there may be a lot, but tech support keep pointing me to online documentation, which is a bit poor considering I've just thrown £5.5k at them for licensing. And when starting from scratch, advice is better than simply reading everything (I don't have the time anyway). So, here goes...

 

  1. Best practice for supervising over 150 existing iOS devices already enrolled. I understand that most need to be added to DEP via Apple Configurator first (using v2.6.2).
  2. We are on Windows domain servers; does anybody here link their devices via ADUC / LDAP? Pros and cons?
  3. I use VPP to assign apps to authorised users, but could we get away with NOT using Apple IDs?
  4. I test-enrolled one brand new iPad Pro, and after assigning an Apple ID to it, I cannot access iCloud from the settings; it's greyed out. Couldn't find it anywhere in the profile settings when I created it.

I'll leave it there for now as I don't know how long it takes to get replies on here.

 

Many thanks for any advice offered.

PeterJames
Head in the Cloud

@Jacko

 

1. If you purchased the devices via a reseller you can skip this process entirely. Just contact them to add the devices to your Organisational ID. Located on deploy.apple.com (Top right drop down on one of the pages). This will mean when you factory reset them they will automatically go across e.g. no Apple Configurator process required. Just remember in the 'DEP' section (System Manager -> DEP) to set the core DEP profile settings.

2. Not used this myself - See Point 3.
3. Using Apple VPP removes the need for Apple IDs on the devices. When adding your VPP app use 'Device Assignment' and set the authentication to (General -> 'Disabled: do not require user authentication at enrolment').

4. If you go to System Manager -> Settings, do you have any 'Restrictions' set in your profile? Specifically 'iOS and macOS restrictions' -> 'iCloud iOS'. In most of our clients' setups we have disabled 95% of all options, including removing Safari (to counter the latest 'Spectre' bug).

Point 1 will be your greatest benefit at this point. Point 3 would be the easiest starting boilerplate; from here I would then add your specific requirements.

Any questions just ask.


Thank you,
Peter James

Thanks for the reply Peter,

 

1. Yeah, we only recently got our DEP account set up, so any recent purchases will appear in DEP, but I need to retrospectively add all the other 140 devices into DEP. And it seems I can only do that via AC (but at least Apple allow it to be done now).

So I'm assuming that is the only reason I need AC?

3. I know what you mean about device assignment. The trade-off here is that sometimes users break their devices so we give them a new one. With user assignment the apps will follow them to their new device without any more configuring, I guess.

Are there any other pitfalls for re-enrolling existing devices with supervision but NOT using Apple IDs? What about FaceTime and other apps that are dependent on an Apple ID, I wonder?

5. I really couldn't find an iCloud restriction, but I'll have another looksy 🙂

 

Thanks again.

PeterJames
Head in the Cloud

@Jacko

 

1. "retrospectively add all the other 140 devices" - No. The reseller can do this for you. Each Apple reseller signs up to provide this service. It may take them 72 but would save you a leg of work.
The downside to the AC enrolment process is the devices can be removed from the DEP manually on the device for 30 days.

3. The boilerplate I suggested was really just to get you started; start simple and then add on the complexities. If you need to use Apple IDs there is nothing stopping you. Apple VPP removes the need for Apple IDs, which should be used on Apps that do not require Apple IDs. But there is an option when adding the App in System Manager for 'VPP user assignment'. It might be you would need a mix of both.

 

3. b) I would back up any data. But again, if you need the end user to install Apps that require Apple IDs, see above.

 

Let us know how you get on.


Thank you,
Peter James

Sadly, I've had multiple resellers for Apple since 2011, most coming from the official website though, www.apple.com/uk. But no one has ever mentioned that they'd add them into DEP for me. Apple online sales are a faceless entity, so to speak. I think it's up to me to find the order numbers and add them into DEP; certainly been told that.

The other way, I could grab the serial numbers from Meraki, add them to a CSV and upload to DEP, but I have a feeling that I'll have to go the AC route.

 

Regarding VPP, I don't think I can get away without having Apple IDs, due to apps like FaceTime etc., which is a shame but hey ho. I'd just like to science the shizzle out of the automation as much as I can. 🙂

 
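Pulling serials out of the Meraki inventory, as mentioned above, is also a useful recurring check rather than a one-off export: because an iCloud restore to a pre-supervision backup drops supervision, an admin wants to know which Apple devices in Systems Manager are currently unsupervised, and whether any device that was supervised last time has lost it since. The script below is an added example and not Meraki's or Apple's code. It works offline on a constructed inventory; the field names (serialNumber, name, systemType, isSupervised) are assumed to match the Dashboard API's `GET /networks/{networkId}/sm/devices` response, and the CSV column headings are placeholders, not Apple's DEP upload format.

```python
"""Audit a Systems Manager device inventory for supervision state.

Added example for the thread above; not Meraki or Apple code.
"""
import csv
import io
import json

# Constructed sample inventory. Field names are assumed to follow the
# Meraki Dashboard API's SM devices endpoint; values are made up.
SAMPLE_DEVICES_JSON = """
[
  {"serialNumber": "EXAMPLE000001", "name": "ipad-sales-01",    "systemType": "iOS",     "isSupervised": true},
  {"serialNumber": "EXAMPLE000002", "name": "iphone-ops-07",    "systemType": "iOS",     "isSupervised": false},
  {"serialNumber": "EXAMPLE000003", "name": "ipad-warehouse-3", "systemType": "iOS",     "isSupervised": false},
  {"serialNumber": "EXAMPLE000004", "name": "mac-finance-02",   "systemType": "macOS",   "isSupervised": true},
  {"serialNumber": "EXAMPLE000005", "name": "android-test-1",   "systemType": "Android", "isSupervised": false}
]
"""

APPLE_PLATFORMS = ("iOS", "macOS")


def load_devices(raw_json):
    """Parse an inventory export (list of device records) from JSON text."""
    return json.loads(raw_json)


def needs_supervision(device):
    """True for an Apple device that is enrolled but not supervised."""
    return (device.get("systemType") in APPLE_PLATFORMS
            and not device.get("isSupervised", False))


def audit(devices):
    """Bucket serials: supervised Apple devices, Apple devices that still
    need a supervised (DEP) re-enrolment, and non-Apple platforms."""
    report = {"supervised": [], "needs_supervision": [], "other": []}
    for d in devices:
        if d.get("systemType") not in APPLE_PLATFORMS:
            report["other"].append(d["serialNumber"])
        elif needs_supervision(d):
            report["needs_supervision"].append(d["serialNumber"])
        else:
            report["supervised"].append(d["serialNumber"])
    return report


def serial_csv(devices):
    """CSV (header plus one row per device) of the serials that still need
    supervising, for a spreadsheet or for handing to the reseller.
    Column names are placeholders, not Apple's DEP upload format."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["serial_number", "name"])
    for d in devices:
        if needs_supervision(d):
            writer.writerow([d["serialNumber"], d["name"]])
    return buf.getvalue()


def lost_supervision(before, after):
    """Serials that were supervised in an earlier snapshot but are not in a
    later one: the pattern an iCloud restore to an old backup would leave."""
    before_sup = {d["serialNumber"] for d in before if d.get("isSupervised")}
    after_sup = {d["serialNumber"] for d in after if d.get("isSupervised")}
    return sorted(before_sup - after_sup)


if __name__ == "__main__":
    inventory = load_devices(SAMPLE_DEVICES_JSON)
    print(audit(inventory))
    print(serial_csv(inventory), end="")
```

Run it daily against a fresh export and keep the previous one: `audit()` gives the current picture, and `lost_supervision(previous, current)` turns a silent regression (a device quietly restored from an old backup) into a list of serials to chase.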

PeterJames
Head in the Cloud

@Jacko This was an exercise for us too with one client. We found resellers have different timescales after the scale they are willing to enrol for us. But I do believe with Apple Configurator you can 'Prepare' multiple devices at once with a quality hub, but I have not tested this myself.

You will have to go the AC route, but do take note this will create a new Apple DEP server that you will need to move devices from. Most likely you already have a DEP Server linked to Meraki.

 

A couple of key features you might like:
 - Lost Mode (DEP only)

 - Since iOS 11.2 you can push App updates silently, even if the app is open. Prior to this the App will show a prompt and then go offline on the Client List. (Meraki have confirmed this is by design.)


But do let us know how you get on.


Thank you,
Peter James

Hi again,

I have a test iPhone that has already been set up with an Apple ID. It's registered in DEP. It's also showing in Meraki's DEP as 'empty'.

I then assigned it a profile and did a full sync, so it then showed as 'assigned'.

What do I now need to do to the iPhone for it to receive these new DEP settings? Reset it?

I clicked the phone link to take me to the device page, where I hit the 'Erase device' button and it said "Erase device command enqueued."... but 15 mins later nothing has happened. What am I missing?

 

 

PeterJames
Head in the Cloud

@Jacko Yes, after you assign the core DEP Profile settings (On the DEP) it will need to be reset.

 

Any changes to the core DEP profile settings, the device will always need to be factory reset for them to be applied.


---

The settings found under 'System Manager -> Settings': if these are changed the devices do not need to be reset, as they will be pushed down to the device.

Thanks, but it's not reset itself yet.

Thought it was a quick thing, but nearly 30 mins later it's still not erased itself.

 

I'd have to set it up again just so I can erase it again 😞

 

PeterJames
Head in the Cloud

@Jacko You need to manually reset it the first time. After that it should be instant, unless there is a delay in sending the command from Meraki side.

You could try cancelling the command and resending it. Sometimes this works for me.

Tried all that.

Even connected it up to AC and did a 'restore'.

 

I have some weirdness in the DEP portal whereby it shows a total of 17 devices across 2 servers, Meraki and Apple Configurator, yet when I drill down to the AC server it says there are no devices in it, and only 14 in Meraki... so I've lost 3 devices somewhere. The test iPhone in question is one of them.

 

Knew I should have used SOTI 😞

PeterJames
Head in the Cloud

@Jacko Haha, I ended up in the same situation; on deploy.apple.com manually add the serial to the connected server.

And move the other two serials down to it too.

Unfortunately you will then need to manually factory reset.

Blimey, what a ball-ache.

OK, I've manually re-added one serial number into Meraki on DEP, assigned it the relevant core settings, gone to the device page and chosen 'Reset device', and this one is actually working.

 

Pretty sure I'll die of old age before I get a handle on all this.

 

Thanks for your help and patience so far Peter.

PeterJames
Head in the Cloud

@Jacko Having to move it to the right server on deploy.apple.com is one of the downsides to the AC approach.

 

The alternative is that you link the AC DEP Server in to Meraki and only use that one; it does work 🙂

No problem. Honestly, once it clicks you will never be able to go back to Non-MDM! I now cringe at that thought...

AAAHHGGG!!!! So no, that hasn't worked. It did reset as requested but it's not pulled down the settings, as it's asking me to set up all the usual stuff.
Do I need to assign a tag in the DEP dashboard so that it pulls down the correct policy for wifi and skipping of various setup items?

 

EDIT: can't be that, as I checked the 'setting' and it's set to push to ALL DEVICES.

PeterJames
Head in the Cloud

@Jacko Yes, in the System Manager unless you have the profile you are using set to 'All Devices' you will need to tag up.

But in regard to the Core DEP Profile settings / missing setup steps. In System Manager -> DEP, tick the devices and click 'Assign Settings'.


You will see the below screen and add your choices. We allow pairing, tick supervise, make it mandatory and untick 'Removable'. And skip everything BUT location services.
[Screenshot: DEP Skippy.PNG]

Yes Peter, I've done pretty much the same as you. I created a couple of different profiles to test different setup steps to skip.

And even though it shows as 'pushed' it still isn't showing as expected.

ooooh......getting somewhere now! 🙂

I'd still rather slap the balls of a hungry lion than go through this again though.

PeterJames
Head in the Cloud

@Jacko Haha.

 

In that case, welcome to a new world 🙂

Heh, OK, so...

I read that you need to include the Meraki SM app in any kind of deployment, which I did, but not sure of the point as it still requires manual enrolment(?).

 

PeterJames
Head in the Cloud

@Jacko Yes, this allows the device to report back every 15 minutes and gets further information back such as the device LAN IP.

When you're dealing with hundreds of sites and customers moving around sites, and swapping devices, the LAN IP is useful.

-> This App you would be certainly best deploying via Apple VPP.

Why VPP? It's a free app, so surely just deploy via 'apps'?

My point is that it still requires manual setup, so it kind of defeats part of the object of automation, no?

 

Up until I foolishly embarked on this DEP supervised quest, I'd basically set up a device with an Apple ID, download and install the Meraki SM app, offer it up to my PC monitor to snap the QR code for the enrolment ID, then it would do the rest.

From there I go into the device page on the dashboard and alter its tag so the relevant apps from 'apps' and 'VPP' get pushed out.

So I'm confused as to how streamlined the whole process can be if this bit is kind of unavoidable.

 

PeterJames
Head in the Cloud

@Jacko Admittedly it does make me laugh that Meraki do not give SM App licences via Apple VPP by default.

 

Apps in Meraki either come from the iStore or an Enterprise (.ipa) App. The downside to an enterprise App is that it expires yearly, so Meraki are forced to use the iStore. And the only way to get around requiring an Apple ID per device is via Apple VPP.

 

So yes, it's manual, but only manual on the initial setup.

---

Enrol device into DEP via AC -> Move to correct Server -> Assign DEP Profile -> Turn on device -> Skip setup questions -> Device receives all the Apps/settings and now has full restrictions and control by YOU.

Previously:
Turn on Device -> Sign in to Apple ID -> Download SM App -> Install each individual App -> Set all required settings -> Device has no restrictions applied unless you manually set them up.

The added benefit with DEP vs the SM App is iOS update control, and you can push silent App updates to the devices without requiring the end user to accept them. (Pre-iOS 11.2 you need to change the focus out of the App in the front and then apply. From 11.2 you just push the update.)

 

The additional benefit over the SM App is 'Lost Mode': if you ever need to locate a device, trigger this. It will then enable the location service on the device, overriding any previous settings. Then disable it once it's found, and the location service will disable again (if it was this way previously).


I could give a whole lecture on why DEP enrolled devices are better, but the main benefit really does come in around 100+ devices.

I wonder how you managed App / iOS updates previously, or did you?! 🙂
