Converting non-DEP iOS 11+ devices to DEP

The workflow for converting non-DEP associated devices and adding those devices to a DEP account for provisioning.

Prerequisites

The conversion workflow requires the following components:
  • macOS computer
  • Apple Configurator 2.5+
  • physical access to the non-DEP device

Obtaining a DEP enrollment URL to communicate with Apple services through the Apple Configurator

  1. From the MaaS360® Portal Home page, select Devices > Enrollments > Other Enrollment Options.
  2. Select Apple Configurator, and then click the MDM Server URL tab.
  3. Select Non-DEP to DEP Enrollment URL.
    Non-DEP to DEP conversion
    Non-DEP to DEP conversion
  4. Choose the Without Authentication enrollment method. This method allows administrators to convert non-DEP devices to DEP using the Apple Configurator. Authentication credentials are not required for this enrollment method. The device is then provisioned through the normal DEP workflows described in Enrolling non-DEP iOS 11+ devices without using authentication.
    Non-DEP to DEP conversion

Setting up the non-DEP device for conversion to DEP

  1. Open Apple Configurator 2.5+, and then physically tether the target iOS device to a Mac.
    Non-DEP to DEP conversion
  2. Connect the iOS device to the internet so the device can communicate with Apple services.
  3. Right click on the device, and then click Prepare.
    Non-DEP to DEP conversion
  4. Select the Manual Configuration method, and then enable Add Device Enrollment Program, but do not enable Activate and complete enrollment. Enable Allow devices to pair with other computers that allows pairing the device with a supervised profile.
    Non-DEP to DEP conversion
  5. For first time setup, you must define an MDM server. Leave the server as New Server, and then click Next.
    Non-DEP to DEP conversion
  6. In the Define an MDM Server window, provide a server name (your choice) and the enrollment URL displayed for the Without Authentication enrollment method from the MaaS360 Portal Apple Configurator window, and then click Next.
    Non-DEP to DEP conversion
  7. Select the TLS Hybrid ECC SHA384 2020 CA1 certificate, and then click Next.
    Non-DEP to DEP conversion
  8. In the Assign to Organization window, create an organization (if the organization is not recognized by Apple Configurator 2), and then click Next.
    Non-DEP to DEP conversion
    To create an organization, follow these steps:
    1. Select New Organization from the list.
    2. In the Sign in to the Device Enrollment Program window, enter the credentials for the DEP portal administrator.
      Non-DEP to DEP conversion
    3. In the Create an Organization window, select Generate a new supervision identity, and then click Next. A supervised identity is created. The supervised identity allows devices with restricted pairings to pair with specific computers that contain the supervised identity in the keychain.
      Non-DEP to DEP conversion
  9. In the Configure iOS Setup Assistant window, choose setup options as needed, and then click Next. The setup options that are selected are displayed on the device for the user to configure.
    Non-DEP to DEP conversion
    To complete the setup process, an internet connection is required for communication between MaaS360 and Apple services. If you do not use a wifi configuration profile, you can activate the device up until you configure the wifi profile manually. Note: The process for side loading a wifi profile is created in the Apple Configurator, which is suggested for use with bulk device enrollments. You can also configure wifi manually on the device, which is suggested for device enrollments over captive networks.
    Non-DEP to DEP conversion
    The Apple Configurator completes the provisioning of the device, and enrolls the device if authentication is chosen.
    Non-DEP to DEP conversion
    A new DEP token is created in the DEP portal called Devices Added By Apple Configurator 2. You can automatically assign new tokens or existing tokens to Apple Configurator 2 devices by using the standard DEP assignment workflows.
    Non-DEP to DEP conversion
    Note:
    • Devices that are added to DEP through Apple Configurator 2 require iOS 11+.
    • You can manually remove a new device up to 30 days after the device is added to the DEP. After this initial period, devices are then completely associated with DEP.
    • You can only add devices that are completely removed from the DEP portal through this workflow. If a device that uses an iOS version earlier than iOS 11 is disowned, you must upgrade the device to iOS 11 to add the device back to the DEP portal.
    • Devices that are added to DEP through Apple Configurator 2 retain all the features and functions of standard DEP devices.