Create DEP profile

You need to set up the Apple Device Enrollment Program (DEP) before you can create DEP profiles. See Set up a virtual MDM server.

A DEP profile is assigned to a DEP device and provides information to the Apple server when the device is activated. This information includes:

If required, you can create several DEP profiles to use different setup and enrollment settings for your DEP devices.

To create a DEP profile:

  1. On the menu sidebar, under SETTINGS, click Setup > System setup, and then click the Apple DEP profiles tab.
  2. Click Add.
  3. In the Edit DEP profile dialog, enter a name and optionally a description for the DEP profile.
  4. Optional: In the Device group list, select a device group that will be assigned to devices when they are enrolled with Sophos Mobile Control.

    For information on device groups, see Device groups.

    Note: To simplify device management, we recommend that you use a separate device group for DEP devices.
  5. Optional: In the Task bundle list, select a task bundle that will be transferred onto the devices when they are enrolled with Sophos Mobile Control.
    The list includes all iOS task bundles that contain no enrollment task.

    For information on task bundles, see Task bundles.

  6. On the Enrollment tab, you can configure the following settings:
    Option Description
    Supervise device Supervision mode is enabled.
    User can remove MDM profile The user is able to remove the Sophos Mobile Control enrollment profile through the iOS user interface.

    This option can only be deselected for supervised devices.

    Install SMC app Install the Sophos Mobile Control app onto the device.

    If you enable this option, you must also disable the Skip Apple ID option on the iOS setup tab to make sure that Sophos Mobile Control can install the app from the App Store.

    Note: Alternatively, if you are enrolled in the Apple Volume Purchase Program (VPP), the Sophos Mobile Control app can be installed as a VPP app, even if the device is not associated with an Apple ID. Devices must be in status managed and must use iOS 9 or higher. See Automatically assign VPP apps.
    User can skip MDM profile assignment The user is able to skip the setup step that applies the Sophos Mobile Control enrollment profile.
    Assign user to device During the enrollment process with Sophos Mobile Control, users are asked for their Self Service Portal credentials and then assigned to the device.

    Use this option to auto-assign a user to the device.

  7. On the iOS setup tab, you can disable configuration steps of the iOS setup assistant that starts when the device is switched on for the first time.
    Note: These settings only affect the iOS setup. If you disable a configuration step, the user is still able to enable the relevant option later. To completely disable a feature, use a Restrictions configuration. See Restrictions configuration (iOS device profile).
    Option Description
    Skip Apps & Data The page Apps & Data is not displayed. The user cannot restore data from an iCloud or iTunes backup, or transfer data from an Android device.

    Disable "Move Data from Android"

    On the Apps & Data page, the option Move Data from Android is not available. The user cannot transfer data from an Android device.

    This can only be enabled when Skip Apps & Data is also enabled.

    Skip Diagnostics The page Diagnostics is not displayed. Sending diagnostic and usage data to Apple is disabled.
    Skip Location Services The page Location Services is not displayed. The user cannot enable location services.
    Skip Siri The page Siri is not displayed. The user cannot set up Siri.
    Skip Display Zoom The page Display Zoom is not displayed. The user cannot change the display view.
    Skip Apple ID The page Apple ID is not displayed. The user cannot log in with their Apple ID to access Apple services.
    Skip Apple Pay The page Apple Pay is not displayed. The user cannot add credit or debit card information for paying in stores or within apps using Apple Pay.
    Skip Touch ID The page Touch ID to is not displayed. The user cannot set up a fingerprint in place of a passcode.
    Skip Passcode The page Create a Passcode is not displayed. The user cannot set up a passcode to unlock the device.
    Skip Terms and Conditions The page Terms and Conditions is not displayed.
  8. On the Support information tab, you can configure the following settings:
    Option Description
    Department The department or location name associated with the profile.

    This name is included in the information that the user can access by clicking About Configuration during device setup.

    Phone number The support phone number for your company.

    This field is pre-populated with the phone number from the technical support contact details. See Configure technical support contact details.

    Note: The phone number is stored internally in the DEP profile but is not available to the device user.
    Email The support email address for your company.

    This field is pre-populated with the email address from the technical support contact details. See Configure technical support contact details.

    Note: The email address is stored internally in the DEP profile but is not available to the device user.
  9. On the USB pairing tab, you configure host computers to which the device is allowed to connect with, using USB ports.
    This can be used to sync the device with iTunes or to manage it with Apple Configurator.
    • To allow USB connection with all hosts, select Allow USB pairing with all hosts.
    • To forbid USB connection or to restrict it to certain hosts, deselect Allow USB pairing with all hosts and then upload a certificate file for each host to which the device is allowed to connect with.
  10. When you have configured all tabs of the Edit DEP profile dialog, click Apply to save the DEP profile.
  11. To assign the profile to all new DEP devices to which no profile has been manually assigned to, select it in the Default DEP profile assigned to new devices list.
    When you select None, you have to manually assign a DEP profile to new DEP devices as described in Deploy DEP devices. Otherwise, DEP devices will not be enrolled with Sophos Mobile Control when they are activated.
  12. Click Save to save your changes.