Managing Apple systems company-wide - why it makes sense to use DEP and VPP
“We want you to manage Apple systems on our corporate network.”
It was not so long ago when such a statement would reliably put IT administrators in a foul mood. Fortunately, that situation has changed in recent years, and devices bearing the Apple logo can be readily integrated into corporate IT management using unified endpoint management (UEM) systems such as our own baramundi Management Suite (bMS).
- Apple systems integrate well with corporate IT, especially with DEP and VPP for easy integration and configuration of these devices.
- Registration requires an Apple ID for the company and the involvement of an authorised Apple reseller.
- Devices that have already been purchased can be subsequently integrated via DEP if the supplier is part of the chain of trust.
- The integration makes for easy management of macOS and iOS devices in the company.
At minimum, this integration simplifies the lives of IT administrators with basic Apple device management. The bMS with our Mobile Device Management (MDM) modules can do that but it can do a lot more when a customer participates in Apple's Device Enrollment Program (DEP) and Volume Purchase Program (VPP).
The VPP is the easiest way for organizations to purchase apps in large quantities. The DEP supports the rapid configuration and deployment of new devices as well as their long-term
management. That’s why we strongly recommend that our customers enroll in both programs at Apple.
Here’s a summary of the advantages of both programs:
Automatic recognition and inventory of pre-registered iOS and macOS devices by the bMS system at first start-up
- Personalized configuration of mobile devices for each user via MDM
- Administration in "supervised mode" to remove unneeded factory-installed apps or modify default settings without user intervention.
- Unattended installation or removal of apps
- Blocking or setting restrictions on specific app or services according to company policies. You can prohibit or fine-tune access to iCloud or iTunes, the App Store, the Game Center and/or multiplayer gaming, app access to the camera or microphone, and so forth
- Simplified purchase, deployment and management of large quantities of apps
- Support for Apple mobile device "User Enrollment" to let a user include their personal BYOD iPhone or iPad within the company’s MDM system so they can use company apps and data securely. They can also remove their device from IT management at any time and company data is removed automatically from the device without touching user’s data, apps or settings
- Strict separation of user personal AppleID account info and purchases and company account info and licenses.
- Devices managed by the MDM system cannot be deleted and are protected against loss and theft
DEP and VPP registration generates an Apple ID for the company, so be sure to do this with a general company email address not associated with a specific user, e.g.,
firstname.lastname@example.org. Apple provides two-factor authentication to prevent unauthorized account access and potential misuse. Both services can be managed in the Apple Business
The authorized Apple dealer used for device and app purchases must also be integrated into device registration. This is absolutely necessary because the DEP depends on this
"chain of trust" to ensure security.
Creating an Apple ID takes just a minute but account verification can take time. It typically happens within a few hours or days but in rare cases can take a few weeks. Some Apple dealers also charge fees, either per-device, a one-time flat rate, or a combination of the two.
Don’t let those factors discourage you because of both programs add significant long-term value. The value is partly in the form of greater security for corporate network devices and IT purchases – a non-trivial consideration these days. The value is even greater when you’re enabling simpler, faster and more effective management of all Apple systems and mobile devices in your network. That’s why we stick to our recommendation use both Apple programs!
Incorporating the Apple programs into the bMS is very easy. Just two tokens, one for the VPP and another for the DEP, need to be integrated into the bMS. It looks like this:
Previously purchased devices can also be connected to the bMS via DEP retroactively for almost ten years – back to March 2011 - provided that the dealer(s) or supplier(s) used for those
purchases supports the program and is part of the chain of trust.
Once these administrative tasks have been completed, nothing stands in the way of simple, integrated administration of the macOS and iOS devices on your network.