Apple's Device Enrollment and Why You Should Care
As iOS has grown up, it has evolved from being just a great OS for playing games and listening to music into a wonderful productivity tool as well. At first, iPhones and iPads were shunned a bit in the enterprise, but now they grace the desks of many executives in every type of business. Yet despite the broad adoption (and broad appeal) of Apple’s mobile devices and OS, companies have had to deal with a mobile platform that was designed, from the ground up, to be a personal-first platform. From the sleek lines of the iPad Air and its fantastic built-in camera to the simplicity and fluidity of the interface, these devices appeal to users on a personal level. Indeed, if it weren’t for the strong demand that individuals have shown for this platform, its growth in the enterprise would probably never have happened at all.
Arguably, it is this strong connection to these devices that has spawned such innovation on the platform, which in turn has been a boon for mobile productivity. Now users, particularly young users who have spent much of their career with a powerful mobile device in hand, would rather lose their keys or even their wallet than go without their phone. But therein lies the problem for IT. With so much productivity “happening” on mobile devices, and mobile devices being what they are (mobile), how can corporate data be secured? Why bother patching a user’s PC if the same spreadsheet is sitting on their phone, perhaps accidentally abandoned at the corner coffee shop?
When companies start to investigate and roll out MDM solutions in an attempt to secure iOS devices (and, in turn, secure the data), one by one, they all come to the same two realizations. First, unless IT has physical access to the device, it is reliant on end users to enroll the devices. Second (and possibly more importantly), users can delete the MDM profile that has been installed on “their” device at any point, without any special permission from IT. Remember, Apple has purposefully designed iOS to be a personal-first platform.
While this might work if a company has a BYOD (Bring Your Own Device) policy in place, most companies are still buying these devices themselves (corporate-owned, personally enabled, or COPE).
Enter Apple’s Device Enrollment Program (DEP). This is aimed squarely at giving control over security of corporate-owned devices back to IT.
One of the most powerful features of this program is the ability it gives IT to put a device in what is called “supervised” mode over the air. Supervised mode has been available for some time, but before DEP it meant someone (in this case, IT) had to physically plug an iOS device into a Mac running Apple Configurator and set it to be supervised. A corporation registered through DEP can have all its iOS devices shipped with its MDM profile so that, out of the box, an iOS device will automatically enroll itself in MDM.
What does supervised mode give to a company? In a nutshell, almost complete control over a device. Granted, iOS has allowed MDMs to set restrictions on features and functionality for some time now. What supervised mode adds is the ability to lock an MDM profile to a device, even after a wipe. For the first time in iOS’s glorious history, though a user can still enjoy all the benefits of a personal-first OS, a company can now relax knowing that, in reality, any particular corporate-owned device is now security-first and corporate policy-first.
More information on DEP (including registering your company) can be found here <https://www.apple.com/education/it/dep/>.