Best practices for Apple device enrollment and user authentication

Apple’s Device Enrollment Program (DEP) is a cloud-based service that provides one of the best out-of-the-box experiences for enterprise users today. Combined with a unified endpoint management (UEM) solution such as MobileIron, DEP makes it easy for IT to quickly configure and roll out thousands of iOS, macOS, and tvOS devices across your organization.

As with any device that can access business apps and data, you want to follow best practices to ensure your devices are safe from various threats. Configuring devices through DEP and UEM is an excellent approach, but there are additional steps you can take to protect your organization from many of the ways attackers can infiltrate your organization.

The newest vulnerabilities: Now what?

A recent report suggested that attackers may be able to work around the DEP protocol and enroll a rogue device into an organization’s UEM[1] server. The report claimed this is theoretically possible because DEP “effectively only uses the system serial number to authenticate devices prior to enrollment.” According to the report, an attacker would therefore require only a valid, DEP-registered serial number to enroll a device into the UEM server.

What’s important to note is that the “vulnerability” cited in the report can only be exploited if an organization allows devices to enroll without requiring user authentication. However, any device enrolled in DEP without authentication is automatically designated as “anonymous” by default. Anonymous devices by default do not receive any corporate policies or configurations, and this setup is typically used for testing purposes only. For example, IT may want to test DEP workflows in a specific UEM server prior to going live. In live corporate rollouts, DEP, combined with user authentication through UEM, provides a highly secure framework that would not be vulnerable to the exploit cited in the report.

Three ways to improve the security of your DEP deployment

In addition to mandating user authentication, here are three more ways to boost the security of your UEM and DEP infrastructure.

One: Have a default UEM server for your institution’s DEP account.

Once devices are populated in the DEP portal, they are automatically assigned to the default UEM server. This gives admins visibility across their entire fleet of devices from a single UEM console.

Two: Ensure authentication is set to password or PIN within your DEP settings in the UEM console.

User authentication is then turned on by default when configuring DEP. For organizations that don't use passwords, MobileIron enables users to authenticate using a personal identification number (PIN). A PIN has two advantages: First, because it’s a random number, it’s hard to guess. Second, the lifetime of a PIN can be very short and easily controlled by IT (unlike passwords).

Three: Make UEM enrollment mandatory.

This ensures that all devices enrolled in DEP are fully secured and managed by UEM policies and configurations. If you do not make UEM enrollment mandatory, the device will skip enrollment and be set up like any other personal device. MobileIron ensures such devices cannot access corporate apps, data, or cloud services such as Office 365, Salesforce, and G Suite.
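The three recommendations above, together with the anonymous-device behaviour described earlier, can be expressed as a small configuration audit. This is an added example, not MobileIron or Apple code: `is_mandatory` is a real key of Apple's DEP profile definition, while `auth_method`, `pin_lifetime_minutes`, `is_default_server` and the 60-minute PIN threshold are assumptions standing in for UEM-console settings.

```python
"""Audit DEP/UEM enrollment settings against the three recommendations.
Constructed example: `is_mandatory` is a real Apple DEP profile key; the
other fields model UEM-console settings and are assumptions."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class DepProfile:
    name: str
    is_default_server: bool           # assumed: profile is the account default
    auth_method: str                  # assumed: "password", "pin" or "none"
    is_mandatory: bool                # real DEP profile key
    pin_lifetime_minutes: Optional[int] = None   # assumed

MAX_PIN_LIFETIME = 60   # assumed threshold, in minutes

def audit_profile(p: DepProfile) -> list:
    """Return findings for one DEP profile; an empty list means it passes."""
    findings = []
    if p.auth_method not in ("password", "pin"):
        findings.append("no user authentication: a DEP-registered serial number "
                        "alone is enough to enroll; devices enroll as anonymous "
                        "and receive no corporate policies")
    elif p.auth_method == "pin" and (p.pin_lifetime_minutes is None
                                     or p.pin_lifetime_minutes > MAX_PIN_LIFETIME):
        findings.append("enrollment PIN lifetime unset or too long")
    if not p.is_mandatory:
        findings.append("UEM enrollment optional: the user can skip it and the "
                        "device is set up as an unmanaged personal device")
    return findings

def audit_account(profiles: list) -> dict:
    """Audit every profile plus the account-level default-server setting."""
    report = {p.name: audit_profile(p) for p in profiles}
    if not any(p.is_default_server for p in profiles):
        report["_account"] = ["no default UEM server: newly added DEP devices "
                              "are not assigned to any UEM server"]
    return report

def enrollment_outcome(p: DepProfile, serial_registered: bool,
                       user_authenticated: bool) -> str:
    """Serial number gates DEP; user authentication gates management."""
    if not serial_registered:
        return "rejected"
    if p.auth_method == "none":
        return "anonymous"            # enrolled, but no policies are applied
    return "managed" if user_authenticated else "rejected"

if __name__ == "__main__":
    lab = DepProfile("test-lab", False, "none", False)
    prod = DepProfile("prod", True, "pin", True, pin_lifetime_minutes=15)
    for name, findings in audit_account([lab, prod]).items():
        print(name, findings or ["OK"])
```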

Note: Apple has also introduced Apple Business Manager (ABM), which is an Apple-hosted cloud portal that allows businesses to manage DEP, the Volume Purchase Program (VPP), Apple IDs, and content from a central management point. It also provides granular access control with admin delegation. All of these features are available through a new and easy-to-navigate portal that can also be secured with user authentication through UEM. Learn more about ABM here.

MobileIron + Apple = A better night’s sleep

All of us in the enterprise security space know that attackers are hard at work, around the clock, looking for even the smallest vulnerability in our threat defenses. That’s why a layered security approach is more critical than ever. MobileIron and Apple are continuously innovating new ways to keep your mobile and cloud infrastructure safe. In fact, Apple recently introduced new security features through its T2 chips. They’ve also made System Integrity Protection (SIP) available to enhance device security, and MobileIron can instantly notify admins if a user tries to disable SIP. It’s all part of our goal to help customers sleep better at night!

[1] Mobile device management (MDM) has now evolved into unified endpoint management (UEM).