Home > Enterprise Mobility Management > Device Enrollment > Enrolling and Supervising iOS Devices using Apple Configurator 2.5 or Later

Enrolling and Supervising iOS Devices using Apple Configurator 2.5 or Later

Meraki Systems Manager provides administrators the ability to mass enroll and supervise devices using Apple Configurator, a macOS application. Apple Configurator 2 allows for mass configuration of iOS 11+ devices while physically connected to a Mac computer. A USB hub can be used to configure dozens of devices at once. Follow these links to download the application, and view more Apple Configurator documentation.

 

With Apple Configurator 2.5 or later, Apple has allowed the use of the Device Enrollment Program (DEP) for automatic enrollment into Meraki Systems Manager, which can be used to speed up the process into a no-touch experience for mass enrollment of devices. Alternatively, if your iOS devices are not in Apple's DEP, you can use the manual enrollment method by configuring your Systems Manager MDM Server in Apple Configurator via enrollment URL, or provisionally move non-DEP devices into an existing DEP account! This article will cover both Apple Configurator 2.5 MDM enrollment options in detail: DEP automatic enrollment method and manual enrollment methods. 

iOS devices that are using Apple's Device Enrollment Program (DEP) can be supervised and enrolled over-the-air anytime they are factory reset. DEP is the best way to permanently force your devices to be owned and managed by your organization, and it is important to assign your DEP settings properly before deployment. 

Device Supervision

During the enrollment process, it is possible to supervise iOS devices. Supervision enables many additional features including restrictions, which you can find listed in the Meraki Dashboard under Systems Manager > MDM > Settings > Restrictions > iOS restrictions (supervised).

If your iOS devices are not currently Supervised, they will be required to be factory reset to become Supervised. Therefore, it is recommended to Supervise devices (if desired) prior to performing any configuration or providing the device to users. Supervision steps are covered in detail in the guide below. 

Prerequisites

  • Apple Configurator 2.5 or greater

  • macOS 10.12.5 or greater

  • iOS device(s) powered up and physically connected to Mac

  • The Mac and iOS device(s) are not locked

  • Internet access with unblocked access to Apple and Meraki Systems Manager

    • Refer to Help > Firewall info for a list of ports and IP addresses

  • For Automatic enrollment: iOS devices must be in Apple’s DEP program. 

Access to the internet is critical to the enrollment process. If an iOS device is not able to contact Meraki Systems Manager when trying to enroll, it will be unable to complete the process and/or receive any additional profiles and apps. 

Apple Configurator 2.5+ Automatic Enrollment

Automatic Enrollment through Apple Configurator only works on iOS devices that are in Apple’s Device Enrollment Program (DEP), and allows you to pre-provision wireless settings on devices to seamlessly enroll during the device's setup assistant. Please be sure to add your Apple DEP account to Meraki Systems Manager before beginning this process, and ensure your devices are visible in Systems Manager > MDM > DEP.

If devices are not currently in Apple's Device Enrollment Program, please follow the steps for the "Apple Configurator 2 - Manual Enrollment" later in this guide. 

  1. Open your Meraki Dashboard and go to Systems Manager > MDM > DEP.   

  2. Checkmark the devices you want to assign DEP settings.

  3. Click on Assign settings.
    Screen Shot 2017-09-27 at 8.50.49 AM.png
     

  4. Configure your preferred DEP settings.
    Screen Shot 2017-09-27 at 8.48.29 AM.png

    Allow pairing: allow devices to connect to computers via USB cable.

    Supervise: allow device to become supervised by your organization.

    Mandatory: force device to always enroll in your Systems Manager network upon inital setup (when first powered on, or factory reset). 

    Removable: If unchecked, the “Meraki Management” enrollment profile will not be visible for end users to remove on the iOS device in Settings > General > Device Management. Unchecking this prevents end users from un-enrolling themselves from Meraki management later. 

    Shared iPad: Only use this feature if you are configuring Apple School Manager for Shared iPads. End users will only be able to sign into the device with a Managed Apple ID on your school.apple.com account. 

  5. Click Assign x device(s) -- x is the number of devices that will receive these DEP settings. Now you will see these devices change to have an orange “Assigned” status next to it. The device is currently waiting to be turned on for the first time, or to be factory reset so it can activate with Apple and receive these DEP settings.

    Screen Shot 2017-09-27 at 8.51.06 AM.png

  6. Now you are ready to use Apple Configurator 2.5. Highlight the devices you want to automatically enroll in Apple Configurator 2 and click on Actions > Prepare…
    Screen Shot 2017-09-27 at 9.01.01 AM.png

  7. Choose Prepare with: Automatic Enrollment. Click Next
    Screen Shot 2017-09-27 at 9.01.14 AM.png
     

  8. Upload a wireless profile, so the iOS device(s) can connect to a SSID in range so iOS devices can automatically configure with Apple and Meraki.

    For a true automatic / no touch enrollment, Step 8 is very important! 

    To create a wifi profile in Apple Configurator 2, go to File > New Profile, and add your wifi settings. Save this profile so you can upload it during Step 7. 

    It is necessary to add a wifi profile during this step so each iOS device can communicate to Apple to activate and complete the automatic DEP settings assignment for automatic Meraki Systems Manager enrollment. 
  9. If your Meraki Systems Manager enrollment requires User Authentication (SM > Configure > General), input your username/password here. If not, leave these fields blank and click Prepare.

  10. Apple Configurator will now download the latest iOS version from Apple and install it on the connected devices. Be patient while the latest iOS version downloads and installs.

  11. These devices now contain the wifi profile as well as the Meraki Management enrollment profile. These devices will skip the steps chosen in Step 4. Once these devices are at their homescreen, they can have apps and profiles installed through Meraki Systems Manager. All your devices can now be managed in Systems Manager > Configure > Clients.
    db.png

At this point, the automatic enrollment process is complete - your devices are now managed and ready to be distributed to end users!

Apple Configurator 2.5+ Manual Enrollment

Manual Enrollment is the way to enroll iOS devices not currently in Apple’s Device Enrollment Program (DEP). First we will cover how to setup your organization and server in Apple Configurator. Then, Apple Configurator go through the Manual Enrollment process to factory erase the device(s) and supervision and enroll into your Meraki Systems Manager dashboard. 

New In Apple Configurator 2.5 and iOS 11: You can now move non-DEP devices into an existing DEP account! This is an optional step during the Manual Enrollment process to move non-DEP devices into your current DEP account.

If you do not have a DEP account, you can still enroll & supervise devices through the manual enrollment process. 

Create Organization and Supervision Identity

  1. Go to Apple Configurator 2 in the menu bar and choose Preferences...
  2. Click on the Organizations tab.
     Screen Shot 2017-09-27 at 9.42.32 AM.png
     
  3. Sign in with an Apple ID.
    Screen Shot 2017-09-27 at 9.42.39 AM.png
    If you want to move a non-DEP device into your DEP account, be sure to sign in with your deploy.apple.com Apple ID during this step, so the supervision identity can be pulled from Apple automatically. If not, Skip this step and manually fill in your Name, Phone, Email, and Address on the next page.
     
  4. Generate a new supervision identity.

    The supervision identity will be pulled automatically from your Apple ID if the Apple ID you signed in with on Step 3 is a deploy.apple.com DEP account. 
    Screen Shot 2017-09-27 at 9.57.31 AM.png

Add MDM Server URL 

  1. Go to Apple Configurator 2 in the menu bar and choose Preferences...

  2. Click on the Servers tab.   

  3. Click the “+” to add a new server.  

  4. Define your MDM Server:

    • Name: Any name you choose.

    • Hostname or URL: Enrollment URL copied from your Meraki Dashboard found in Systems Manager > MDM > Add Devices > iOS > Apple Configurator > Enrollment URL (AC2+)

       

  5. You have now successfully configured your Systems Manager MDM Server. Close this window and now you can begin the Manual Enrollment process. 
    Screen Shot 2017-09-27 at 11.26.08 AM.png
     

Manual Enrollment - Add device(s) to Device Enrollment Program (DEP)

Now that you have added the organization's supervision identity and MDM server URL, you are ready to being the manual enrollment process. New to iOS 11 and Apple Configurator 2.5+ is the ability to move non-DEP devices into an existing DEP account. These steps will show you this process.

If you do not have a DEP account, skip this section and move to the Manual Enrollment - Enrollment & supervision without Apple Device Enrollment Program (DEP) section further below. 

 

  1. Plug your iOS devices to the Mac running Apple Configurator 2.5+. Highlight the device you would like to enroll and go to the menu bar and choose Actions > Prepare...
    Screen Shot 2017-09-27 at 10.37.28 AM.png
     

  2. Choose Prepare with: Manual Configuration

    If you signed into a DEP account in "Create Organization and Supervision Identity" - Step 3 (above), you can check the new Add to Device Enrollment Program option. This is a new feature for iOS 11 and Apple Configurator 2.5+ that allows you to move non-DEP devices into your existing DEP account. If you do not have a deploy.apple.com DEP account with Apple, leave the Add to Device Enrollment Program checkbox unchecked. 

    Furthermore, if you have a school.apple.com account as your DEP account, you can enable Shared iPad mode. Screen Shot 2017-09-27 at 1.25.14 PM.png

    Supervision will allow many additional restrictions to be added to devices in Meraki later.

    The Allow devices to pair with other computers option will not allow these iOS devices to connect to other computers via USB cable. If you do not allow pairing here, they will be undetectable to other computers via iTunes, Apple Configurator, or any USB data detection. 

    Click Next
     

  3. Choose your Meraki MDM Server (set up in the Add MDM Server URL steps above).
    Screen Shot 2017-09-27 at 10.37.55 AM.png
    Click Next.
     

  4. Choose the organization that you want to have supervision of these devices. 
    Click Next
     
  5. Choose what steps you would like the initial iOS Setup Assistant to skip. Screen Shot 2017-09-27 at 12.21.30 PM.png
    Click Next.
     
  6. Upload a wireless profile, so the iOS device(s) can connect to a SSID in range so iOS devices can automatically configure with Apple and Meraki.
    Screen Shot 2017-09-27 at 12.21.14 PM.png
    Click Next
     
  7. If your Meraki Systems Manager enrollment requires User Authentication (SM > Configure > General), input your username/password here. If not, leave these fields blank.

    Click Prepare.

    Screen Shot 2017-09-28 at 8.32.46 AM.png

    You may be asked to re-authenticate the DEP account's Apple ID during this step, so the device(s) can be successfully moved into this DEP account with Apple. 

    Apple Configurator will now download the latest iOS version from Apple and install it on the connected device(s). iOS 11+ is required for this process to complete. Be patient while the latest iOS version downloads and installs. All devices will now be prepared and all data saved on the device will be lost during this process. 
     
  8. After this process completes, login to the Device Enrollment Program (or Apple School Manager) and you will find the iOS device(s) assigned to a new “Devices Added by Apple Configurator 2” MDM server. At this point the iOS device(s) can be moved out of the default “Devices Added by Apple Configurator 2” MDM server and moved into your Meraki MDM server on DEP so the device(s) sync into your existing Systems Manager > DEP page. A 30 day provisional period begins when the device is subsequently activated. During the 30 day provisional period the lock screen and setup assistant on the device(s) indicate that it is provisionally enrolled. End users can remove the device(s) from DEP during this provisional period (which also factory erases the device). However, after the 30 days provisional period expires, end users can no longer remove the device(s) from DEP. 

    Screen Shot 2017-09-28 at 10.16.49 AM copy.png
  9. After the 30 day provisional period, the iOS device(s) are now fully enrolled in your Device Enrollment Program (or Apple School Manager) account! 
      Screen Shot 2017-09-27 at 8.50.32 AM.png
    Devices are now able to go through the Automatic Enrollment steps in the guide or over the air DEP enrollment!

Manual Enrollment - Enrollment & supervision without Apple Device Enrollment Program (DEP)

Now that you have added the Organization's supervision identity and MDM server URL, you are ready to being the manual enrollment process. If you want to simply supervise and enroll devices with Apple Configurator, you can easily do this without access to a Apple Device Enrollment Program account. 
 

  1. Plug your iOS devices to the Mac running Apple Configurator 2.5+. Highlight the device you would like to enroll and go to the menu bar and choose Actions > Prepare...
    Screen Shot 2017-09-27 at 10.37.28 AM.png
     

  2. Choose Prepare with: Manual Configuration
    Screen Shot 2017-09-27 at 10.37.42 AM.png

    Supervision will allow many additional restrictions to be added to devices in Meraki later. 

    The Allow devices to pair with other computers option will not allow these iOS devices to connect to other computers via USB cable. If you do not allow pairing here, they will be undetectable to other computers via iTunes, Apple Configurator, or any USB data detection. 

    Click Next
     

  3. Choose your Meraki MDM Server (set up in the Add MDM Server URL steps above).
    Screen Shot 2017-09-27 at 10.37.55 AM.png
    Click Next.
     

  4. Choose the Organization that you want to have Supervision of these devices. 
    Click Next
     
  5. Choose what steps you would like the initial iOS Setup Assistant to skip. Screen Shot 2017-09-27 at 10.38.33 AM.png
    Click Prepare.
     
  6. Apple Configurator will now download the latest iOS version from Apple and install it on the connected devices. Be patient while the latest iOS version downloads and installs. All devices will now be prepared with these settings, which requires a device factory reset. All data saved on the device will be lost. 
     
  7. Now, your devices will be at their iOS initial setup assistant "Hello" screen. You will need to configure each iOS device from here one by one, just so it can connect to wifi and receive the enrollment profile. Slide to set up. 
     
  8. Choose a wifi network in range for device to connect to. 
     
  9. The iOS device will now show a Remote Management page during the iOS Setup Assistant. Apply configuration here and you will be enrolled in Systems Manager.
     AC2-5.png
  10. After you Apply configuration and get to the Homescreen of the device, it is now enrolled. Look for this client in Systems Manager > Monitor > Clients, and begin mobile device management!
    db.png
     
     
     
You must to post a comment.
Last modified
10:16, 3 Oct 2017

Tags

Classifications

This page has no classifications.

Article ID

ID: 6237

Contact Support

Most questions can be answered by reviewing our documentation, but if you need more help, Cisco Meraki Support is ready to work with you.

Open a Case

Ask the Community

In the Meraki Community, you can find answers provided by fellow Meraki users and ask questions of your own.

Visit the Community