Apple Deployment Programs III: Configure DEP in Silverback
Before you Start
Before you start:
- Ensure that you have successfully performed the enrollment into the Apple Business or School Manager: Apple Deployment Programs I: Sign up
- Ensure that you successfully performed the basic configuration and the connection to Silverback: Apple Deployment Programs II: Configure Deployment Programs
Configure Device Enrollment Program
Apple’s Device Enrollment Program allows you to enroll devices into Silverback during the first setup of the device. For the configuration perform the following steps:
- Login to Silverback
- Navigate to Admin
- Navigate to Device Enrollment Program
- Review your options and configure your Device Enrollment Program according to your requirements
- Save your settings.
Home Section
The main page gives an overview of the status and information relating to your Device Enrollment Program account. The organization and server information is displayed after a successful import of your token. The Account Overview section indicates how many devices are currently in your DEP account and how many are currently enrolled in Silverback.
Devices Section
Overview
The Devices section lists the devices in your DEP account and an associated username after enrollment. The table shows a list of all users in your DEP program, regardless of whether they are enrolled in Silverback. The list can also be exported by clicking the Export button. The table contains the following details:
| Column | Description |
|---|---|
| MDM Username | If the serial number matches a currently enrolled user, it will be displayed here. |
| Serial Number | The serial number of the device in your DEP program. |
| Model | The model description of the device. |
| Profile Name | Displays the assigned profile for the device. |
| Profile Status |
Shows the profile status for the device.
|
| Profile Assigned Time | Displays the timestamp for the profile assigned time. |
| Disown | Removes the device from the current and future DEP accounts. |
The disown function will permanently remove a device from your current DEP. It takes an unknown grace period until the device can be added again. Please do this only if you feel confident.
Actions
| Action | Description |
|---|---|
| Assign Profile | Select first a range of devices and assign a specific profile. |
| Bulk Assignment | Use Bulk Assignment to assign profiles via a *.csv file. Please refer to our Knowledge Base article. |
| Export | This will generate an *.csv report. |
General Settings Section
The Settings section allows you to configure your integration with Apple’s DEP program and determine the device behavior for the standard profile.
Settings
| Control | Description |
|---|---|
| Company Token | The token file provided by Apple. |
| Valid Until | Displays the expiration date for the Company Token. |
| Authentication |
Determines the authentication method for the enrollment during the out-of-the-box experience. After a successful authentication, the MDM profile will be downloaded, installed and the devices will be enrolled. The following methods are available:
|
| User Prompt Text | Contains the text presented to the user prior to the enrollment. |
Default Profile
| Control | Description |
|---|---|
| Name | Displays the default profile name. |
| Allow Pairing | Determines if the device can be paired with a computer. In iOS 13, this property was deprecated. |
| Supervised | Determines whether the device will be supervised during enrollment. In iOS 13, all DEP devices will be supervised and this setting will be ignored. |
| Force Enrollment | Determines if the user can skip the enrollment process. Note: The device will be unusable unless enrolled in Silverback. In iOS 13 and later, all DEP enrollments are mandatory. |
| Profile Removable | Determines whether the MDM profile can be removed by the user after enrollment. This setting can be disabled only if Supervised is enabled. |
| Language | Define the Language to provide a language designator that represents a language. Supported on tvOS and macOS 11 and later. |
| Region | Define the Region in a ISO 3166-1 standard, a two letter, capitalized code. Used to provide a region designator that represents a country and supported on tvOS and macOS 11 and later. |
| Support Phone Number | Displayed to the user in the About section on enrollment. |
| Department | Displayed to the user in the About section on enrollment. |
| Activate Apple Location | Location for the devices to activate on enrollment. This should be changed to reflect your server address. |
Account Configuration (macOS)
| Control | Description |
|---|---|
| Prompt User to Create a Primary Account | If disabled, Setup Assistant skips the user interface for setting up primary accounts and disables auto login. This scenario enables by default the Create an Admin Account option as minimum one Administrator must be available on the device. |
| Primary Account Type | Determines if the primary account type will be an Administrator or Standard (User) account. |
| Define the Short Name | Enabling this option will allow to define the Short Name (Account Name) for the primary account with the Primary Account Short Name field below. |
| Primary Account Short Name | Setup Assistant uses this value to prefill the Short Name (Account Name) for the primary account. This will be used as the name for the users home folder and is available in macOS 10.15 and later. |
| Define the Full Name | Enabling this option will allow to define the Full Name for the primary account with the Primary Account Full Name field below. |
| Primary Account Full Name | Setup Assistant uses this value to prefill the Full Name field. This value is available in macOS 10.15 and later. |
| Lock Modification Of The Fields | If enabled, and you provided values for Primary Account Short or Full Name, Setup Assistant disables editing for the corresponding field. The user's Password or One Time Password will be captured during the Authentication process and Setup Assistant automatically creates the primary account with that information and skips showing the user interface to view or edit these fields. This option is available in macOS 10.15 and later. |
| Create An Admin Account | Allows you to preconfigure an Administrator Account. This option will be automatically activated if Prompt User to Create a Primary Account is disabled or Primary Account Type is set to User. |
| Admin Account Short Name | Determines the required Administrator's Account Short Name (Account Name) |
| Admin Account Full Name | Determines the required Administrator's Account Full Name. |
| Password | Determines the required Administrator's Password. For security reasons, the password is only displayed when entered and will be masked after saving the profile. We recommend the use of a password safe for saving the password securely. |
| Admin Account Password Confirmation | Confirms the provided Administrator's password. With Silverback 22.0 Update 1, it is required to add the Password again into both fields when editing the profile. This field will be removed for convenience reasons in upcoming Silverback versions. |
| Hidden | By enabling, you can hide that account in the Users & Groups pane of System Preferences/Settings so that users of a Mac don’t interfere with the managed administrator account. |
Skip Setup Items
| Control | Description | Minimum Requirement |
|---|---|---|
| Location | Skips the Location Services setup. |
|
| Restore | Disables restoring from backup. |
|
| Apple ID | Skips the Apple ID setup. |
|
| Terms and Conditions | Skips the Terms and Conditions agreement. |
|
| App Store | Skips the App Store pane. |
|
| Siri | Skips the Siri setup. |
|
| Diagnostics | Skips the Send Diagnostics prompt. |
|
| Passcode | Skips the Passcode setup. |
|
| Touch ID | Skips the Touch ID setup. |
|
| Apple Pay | Skips the Apple Pay setup. |
|
| Zoom | Skips the Zoom setup. |
|
| Move from Android | Skips the migration from Android prompt if the Restore pane is not skipped. |
|
| DisplayTone Setup |
Skips the DisplayTone setup. This setting is deprecated. |
|
| Privacy Pane | Skips the privacy pane. |
|
| Add Cellular Plan Pane | Skips the add cellular plan SIM Setup pane. |
|
| Home Button Screen |
Skips the Home Button Sensitivity screen. This setting is deprecated. |
|
| iMessage and FaceTime Screen | Skips the iMessage and FaceTime screen. |
|
| On-boarding Screen |
Skips on-boarding informational screens for user education (Cover Sheet, Multitasking & Control Center, for example). This setting is deprecated. |
|
| Screen Time | Skips the screen for Screen Time. |
|
| Software Update Screen | Skips the mandatory Software Update screen. |
|
| Watch Migration Screen | Skips the screen for Watch Migration. |
|
| Choose Your Look Screen | Skips the Choose Your Look appearance screen. |
|
| Keyboad Pane | Skips the Keyboard Pane. |
|
| Express Language Setup | Skips the Express Language Setup. |
|
| Preferred Language Order | Skips the Preferred Language Order. |
|
| Get Started Pane | Skips the Get Started Pane. |
|
| Device to Device Migration | Skips the Device to Device Migration pane. |
|
| Restore Completed | Skips the Restore Completed pane. |
|
| Software Update Completed | Skips the Software Update Completed pane. |
|
| iMessage Activation Using Phone Number | Skips the iMessage pane. |
|
| Terms of Address | Skips the Terms of Address pane. |
|
| Action Button | Skips the Action Button configuration pane. |
|
| Registration (macOS) | Skips the Registration Pane. |
|
| FileVault Setup (macOS) | Skips the File Vault setup. |
|
| iCloud Analytics Screen (macOS) | Skips the iCloud Analytics screen. |
|
| iCloud Documents and Desktop Screen (macOS) | Skips the iCloud Documents and Desktop screen. |
|
| Accessibility (macOS) | Skips the Accessibility screen. |
|
| Unlock with Apple Watch (macOS) | Skips the Unlock Your Mac with Apple Watch screen. |
|
| Lockdown Mode (macOS) | Skips the Lockdown Mode pane if an Apple ID is set up. |
|
| Wallpaper (macOS) | Skips the Wallpaper setup. |
|
| Tap To Set Up Option (Apple TV) | Skips the Tap To Set Up Option. |
|
| Aerial Screensavers (Apple TV) | Skips the pane about using aerial screensavers. |
|
| TV Home Sync Screen (Apple TV) | Skips the TV Home Sync screen. |
|
| TV Provider Sign In Screen (Apple TV) | Skips the TV Provider Sign In screen. |
|
| TV Room (Apple TV) | Skips the “Where is this Apple TV?” screen. |
|
Certificates
| Control | Description |
|---|---|
| Anchor Certificates | Additional root certificates to be trusted by the device. If provided, the device uses these certificates as trusted anchor certificates when evaluating the trust of the connection to the MDM server URL. Otherwise, the device uses the built-in root certificates. |
| Supervising Certificates | If the restriction Allow Host Pairing is disabled, you can add your Supervision Identity certificates to allow devices to connect to certain machines that have the certificates in place. Please refer to this article for additional information. Added supervising certificates are applied to all additional profiles by default. |
| Save | Saves settings. |
Additional Notes for Account Configuration
During the enrollment, Silverback will pre-configure accounts and the user process through the account setup portion of the macOS Setup Assistant and the behaviour depends on the options selected. In general, the logic for the configuration is aligned with the requirements and options shown below:
| Configuration | Description |
|---|---|
| No option to create an account | The user doesn’t create any account using Setup Assistant. You must also create a managed administrator account. The user logs in using a network account or another account created outside of Setup Assistant. |
| Create an administrator account | The user creates an administrator account on the Mac. |
| Create a standard account | The user creates a standard account on the Mac. You must also create a managed administrator account. |
| Provide full name or username for the default account | Fills the local account’s full name or username in Setup Assistant when the initial account is being created. The user can override these values if they wish. |
| Lock the defaults account's full name or username | The local account is created using the full name or username provided by Silverback. The user can’t override the values. |
| Hide the administrator account | By enabling, you can hide that account in the Users & Groups pane of System Preferences/Settings so that users of a Mac don’t interfere with the managed administrator account. |
In case you distribute a Passcode Profile to your macOS devices, the predefined password for the administrator account in the profile is considered as an initial password and must be updated after logging in.
Additional Profiles
With additional profiles you are able to assign specific profiles to specific devices. This will help as an example to configure the out-of-the-box experience for all iPhones in a different way as for iPads. Click new Profile to create a new profile and assign the profile in the Devices section.
| Column | Description |
|---|---|
| ID | Displays a unique identifier for the device based on the database entry. |
| Profile Name | Displays the given name for the Profile. |
| Registered in App | This information shows if the profile has been successfully registered on Apple side. |
| Edit | Edit your created profile. |
| Remove | Remove your created profile. |
Logs
Clicking the Logs button will export a *.csv file of actions that have been performed specifically on the Device Enrollment Program. This covers changes made by administrators and also events that are related to the Silverback connection to Apple.
The file will contain the following information:
- Log ID
- Date
- User Name
- Action
- Action Destination
- Http Code
- Http Text
Next Steps
- Get in touch with your hardware vendor for device purchasing and other services or
- Learn how to add devices with Apple Deployment Programs IV: Manually add devices to DEP
- Learn how to perform a bulk assigned of profiles: Device Enrollment Program: Profile Bulk Assignment
- Read further Apple Documentation: