LRSFC CSD Helpdesk

Q: Using Profile Manager with the Device Enrollment Program?

We're looking into signing up for Apple's Device Enrollment Program. The "DEP Guide" is short on details, so what we'd like to find out is, is there anything else (other than signing up with our Apple ID and clicking the DEP button in Server.app) we would need to do if we wanted to set up Profile Manager for use with the DEP?

For example, would we have to set up our Profile Manager server in such a way that it can be accessed from the Internet? If so, what ports etc. would need to be available? Is it just the ones in "OS X Server: Ports used by Profile Manager - Apple Support", or are there others that would be needed for DEP?

Thanks,

Dan Jackson (Lead ITServices Technician)

Long Road Sixth Form College

Cambridge, UK.

OS X Server

Posted on Jun 25, 2015 7:47 AM

  • Strontium90 (Level 5, 4,077 points; Servers Enterprise), Jun 25, 2015 7:40 PM, in response to LRSFC CSD Helpdesk (marked Helpful)

    Basically, you need to sign up. Once you sign up, make sure you communicate to your Apple Education Sales rep that all new purchases are to be assigned to the DEP. Keep in mind that if you are using Mavericks or newer (officially, but I've really only had success under Yosemite) on existing machines (you may be able to go back to 2011; see "Device Enrollment Program Frequently Asked Questions (FAQ) - Apple Support"), you may be able to backdate existing devices into the program (this is really dependent on purchase history and the ability to track and prove ownership of the devices).

    Basically, you complete enrollment to the program, download the token, add it to your MDM server, and then define the server in the Apple portal. Once defined, you can assign serial numbers to the MDM.

    As for ports, the Kbase article says it all. Profile Manager is really 443. The larger challenge I've faced is environments with proxies. This prevents push notifications from working.

    Congrats and embrace this with open arms. DEP is a great program for institutions.

    Reid

    Apple Consultants Network

    Author "Yosemite Server – Foundation Services" :: Exclusively available in Apple's iBooks Store

    Author "Mavericks Server – Foundation Services" :: Exclusively available in Apple's iBooks Store

    Author "Mavericks Server – Control and Collaboration" :: Exclusively available in Apple's iBooks Store

  • LRSFC CSD Helpdesk (Level 1, 0 points), Jun 26, 2015 2:43 AM, in response to Strontium90

    Thanks for that, that's quite informative.

    Following on from what you've said, I've got a few more questions. You mention port 443 - so does this mean our Profile Manager server needs to be available over the internet on port 443 as well? If that's the case, presumably it will also need an externally valid SSL certificate rather than a self-signed one - does it need to be a particular type of certificate, or is it just a standard web server style SSL certificate? Also, how do we generate the CSR in order to obtain such a certificate?

    With regard to OS version, we're currently on a mix of 10.8 and 10.9 but we are planning to go to 10.10 across the board this summer.

  • Richard Cartledge (Level 2, 449 points), Jun 26, 2015 5:15 AM, in response to LRSFC CSD Helpdesk

    I gave up signing-up - be prepared to spend days jumping through hoops and messing about.

  • Strontium90 (Level 5, 4,077 points; Servers Enterprise), Jun 26, 2015 5:16 AM, in response to LRSFC CSD Helpdesk (marked Helpful)

    Regarding the port, it all depends on where the devices will go and how you want to manage them. For example, if you have a fleet of iMacs that never leave the lab, opening Profile Manager for external access is unnecessary. Likewise, if you have carts of iPads that do not leave the building, then external management is not required. However, if you are a one to one environment, with mobile devices that leave the environment, then you will need to open the port to allow external access. If you do not, then you will not be able to manage the devices when they are offsite. Remember, your MDM contains the configuration payloads. When assigned to a device, Apple's push services are notified to tell the device to go get the payload. The payload does not go direct. It is a push to pull process.

    Regarding certificates. I am a fan of valid 3rd party certificates. This just removes the confusion and extra steps needed to support a self-signed cert. A 3 year cert from a trusted vendor should be less than $60 a year. You can generate the CSR in three ways. You can use Server.app, Keychain Access, or the openssl command. I generally use the openssl command because it gives me direct access to both the CSR and the private key.

    sudo openssl req -new -newkey rsa:2048 -nodes -keyout your.domain.key -out your.domain.csr

    Upload the CSR to the certificate authority and they will create your public certificate. These can be imported into Server.app.

    When using Apple's tools these pieces are buried deep in the system. And you guessed it. DNS plays an important role here. The address on the outside (WAN) and address on inside (LAN) must match. And this ties into the certificate as the cert needs to match the fully qualified host name.

    Reid

    Apple Consultants Network

    Author "Yosemite Server – Foundation Services" :: Exclusively available in Apple's iBooks Store

    Author "Mavericks Server – Foundation Services" :: Exclusively available in Apple's iBooks Store

    Author "Mavericks Server – Control and Collaboration" :: Exclusively available in Apple's iBooks Store

  • LRSFC CSD Helpdesk (Level 1, 0 points), Jun 26, 2015 5:22 AM, in response to Strontium90

    Well, it's less about machines that never leave the campus and more about machines that do leave the campus (either accidentally or deliberately) when they are not supposed to. I have been led to believe that having DEP would mean that even if such machines were formatted and reinstalled with OS X, they would automatically re-enroll themselves on our chosen MDM system (in this case Profile Manager, though we are reviewing third party alternatives for the longer term). However to do this I am assuming that said MDM system would need to be available from the internet for this to happen - is that a safe assumption?

    EDIT: also regarding the openssl command you mention, what do you do with the private key it generates? Is there somewhere in Server.app to import that as well?
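Reid's openssl CSR step above, and Dan's follow-up about what happens to the private key, carried through as an added example that is not from the thread: generate the key and CSR, check that the certificate the CA returns actually belongs to that key and to the server's FQDN (the same name DNS must resolve to from the LAN and the WAN), then package cert and key together. It assumes the openssl CLI is installed; mdm.example.edu is a placeholder hostname, and the self-signed "stand-in" certificate only exists so the checks can run without a real CA.

```shell
# Added example (not from the thread): Reid's openssl CSR step carried through
# to checking the certificate the CA returns and packaging it with the key.
# Assumes the openssl CLI is installed; mdm.example.edu is a placeholder FQDN,
# the one name that must resolve to the server from both the LAN and the WAN.
set -eu
FQDN="${FQDN:-mdm.example.edu}"
WORK="${TMPDIR:-/tmp}/mdm-cert"
mkdir -p "$WORK"

# Step 1: private key + CSR. Only the .csr goes to the CA; the .key stays on the
# server. A small config adds a subjectAltName, which clients check before the CN.
gen_csr() {
  printf '[req]\nprompt=no\ndistinguished_name=dn\nreq_extensions=san\n[dn]\nCN=%s\n[san]\nsubjectAltName=DNS:%s\n' \
    "$FQDN" "$FQDN" > "$WORK/req.cnf"
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -keyout "$WORK/$FQDN.key" -out "$WORK/$FQDN.csr" 2>/dev/null
  chmod 600 "$WORK/$FQDN.key"
}

# Print the CN in the CSR so it can be compared with the FQDN before uploading.
csr_cn() {
  openssl req -in "$WORK/$FQDN.csr" -noout -subject -nameopt RFC2253 | sed 's/^subject=CN=//'
}

# Stand-in for the CA: self-sign the CSR so the checks below have a cert to test.
# In real use, $FQDN.crt is the certificate the CA sends back.
issue_stand_in_cert() {
  openssl x509 -req -in "$WORK/$FQDN.csr" -signkey "$WORK/$FQDN.key" -days 1 \
    -out "$WORK/$FQDN.crt" 2>/dev/null
}

# Step 2: the returned cert must carry the public half of our private key ...
cert_matches_key() {
  [ "$(openssl pkey -in "$WORK/$FQDN.key" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$WORK/$FQDN.crt" -pubkey -noout)" ]
}
# ... and be issued for the FQDN that devices will connect to.
cert_matches_fqdn() {
  openssl x509 -in "$WORK/$FQDN.crt" -noout -subject -nameopt RFC2253 | grep -q "CN=$FQDN\$"
}

# Step 3: bundle cert + key as a PKCS#12 identity, the form macOS keychain tools
# import. The export password is a placeholder; use a real one.
bundle_identity() {
  openssl pkcs12 -export -inkey "$WORK/$FQDN.key" -in "$WORK/$FQDN.crt" \
    -out "$WORK/$FQDN.p12" -passout pass:changeme
  [ -s "$WORK/$FQDN.p12" ]
}
```

With OpenSSL 3, add -legacy to the pkcs12 -export line if an older macOS refuses to import the .p12.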

  • Strontium90 (Level 5, 4,077 points; Servers Enterprise), Jun 26, 2015 5:21 AM, in response to Richard Cartledge

    Don't give up. Yes it can take a week. But remember that this program is all about chain of ownership. Apple needs to make sure you and your organization are real and proper. Devices are attached to a corporate entity and making and breaking that attachment must be proper. My first customer took over 3 weeks to get approved. Now we are below a week. Education seems to be easier (as they are limited to Apple Education sales). Customers that buy direct are next easiest. Customers that buy through us (reseller) take the longest but that is because we also need to involve distribution channels.

    In the end, if you are an organization that provides institutionally owned devices to individuals as a one to one deployment model and you have an MDM to automate deployment and management, this is (in my opinion) an absolute no brainer. Sign up for the program no matter the pain and suffering. Also works with one to many.

  • LRSFC CSD Helpdesk (Level 1, 0 points), Jun 26, 2015 5:23 AM, in response to Strontium90

    We're one to many, but we have experienced some device losses over the past few years so anything that helps us crack down on that is something we are very interested in right now.

  • Strontium90 (Level 5, 4,077 points; Servers Enterprise), Jun 26, 2015 5:25 AM, in response to LRSFC CSD Helpdesk

    100% correct.  Once a device is assigned to MDM, the device will seek the MDM even if a drive is replaced.  The user will be forced to enroll in order to get past the setup assistant.  If you are investigating alternatives, look at Bushel (pure MDM + DEP + VPP) or JAMF (everything you can imagine if you have a lot of OS X).

  • LRSFC CSD Helpdesk (Level 1, 0 points), Jun 26, 2015 5:51 AM, in response to Strontium90

    JAMF Software is already one of the options we are investigating. Thanks for the suggestion about Bushel, however it looks like they don't yet do educational pricing so it might not be the right fit for us at this time.

    EDIT: the other ports mentioned on the Profile Manager ports page ("OS X Server: Ports used by Profile Manager - Apple Support"), do they need to be open outbound only, inbound only, or both?