IS&T Device Enrollment Program (DEP) for Macs
Apple provides the Device Enrollment Program (DEP) as a way of deploying institute-owned Mac or iOS devices. This process works by technicians providing the serial number of any Mac they would like enrolled into the DEP program to IS&T. IS&T will then upload the serial number to Apple and assign it to the correct Mobile Device Management (MDM) server. Once the computer has been booted, it will automatically receive any policies that have been supplied by the MDM server.
IS&T provides DEP as a service to the MIT community in conjunction with either IS&T's MDM server (Jamf Pro) or your department's own MDM server if you have one. If you are interested in our Jamf Pro offering, please visit our Jamf Pro page for more information. There is no cost associated with either the DEP or Jamf Pro service.
Please note machines must be purchased through an official MIT channel for this to work.
IS&T will also provide training and one-on-one time for both DEP and Jamf Pro if requested.
If you would like to enroll computers or have any questions regarding DEP they should be emailed to email@example.com.
- The IS&T End User Computing (EUC) team enrolls your Mac into DEP program and confirms your machine is enrolled.
- Boot your new or re-imaged Mac (not before above step!)
- Go through the Setup Assistant. If you're using a wired connection on campus, you must use on an already registered Ethernet dongle. If using wifi, you can use the "MIT" network. You can also connect from off-campus networks.
- You will then see a screen that says "Remote Management". If you do not see this screen, contact the EUC team to double check enrollment.
If you missed the Remote Management screen
- On macOS High Sierra or newer, run sudo profiles renew -type enrollment
- Create an account and log in.
- If you are configuring this device for another user, you should remove your saved Wi-Fi credentials from the "Local Items" keychain in Keychain Access, following these steps:
- Open Keychain Access in /Applications/Utilities
- Select "Local Items" from in the sidebar.
- Scroll down and find the item matching your Wi-Fi network name, such as "MIT" or "MIT SECURE".
- Right-click or Control-click the item and select Delete.
- The DEP process will run a script to automatically remove MIT and MIT SECURE from the Login and System keychains for you. If you have joined a different network, then repeat the above steps with the "Login" and "System" keychains as well.
- The below policies will apply if you are using IS&T Jamf Pro.
- Software Installs
- Adobe Reader
- CrowdStrike Falcon
- Google Chrome
- GlobalProtect VPN
- Kerberos Extras
- Microsoft Office
- Rosetta 2 (on Apple Silicon-based Macs)
- Sophos Central
- Apple Software Updates
- Enable Filevault 2 file encryption
- Add dock icons for Office, Firefox, and Crashplan
- Enable firewall
- Create a local admin account
- Change hostname to serial number
- Set password policy to minimum 8 characters
- Force password change on next login
- Configure 802.1x authentication for ethernet
- Software Installs
After logging in, a progress window will appear showing which applications are being installed.
When setup is complete, the computer will shut down, and the user will be prompted to change their password and begin encryption the next time they log in.
You can also set up machines to have additional software/scripts/printers installed through our Jamf offering, or your own MDM policies if you have an MDM server.
Removal of machines from DEP
Machines that will be leaving MIT should be removed from DEP. Send any serial numbers to firstname.lastname@example.org for removal, and specify whether this should be permanent or temporary. Computers being sold or recycled should be removed permanently, while repairs being sent back to Apple should be removed temporarily so they can be re-added when they come back to MIT.
Retired devices should be wiped completely after being removed from DEP. This will ensure that no MIT data is present on the machines, and if it's purchased by the user, it will allow the user to secure their FileVault encryption key with their personal AppleID instead of through MIT's MDM server.