Apple Device Enrollment Program expands, but IT wants more

Apple opens up its Device Enrollment Program by supporting devices that weren't bought from Apple or channel partners. Still, IT isn't content with the EMM capabilities available for those devices.

IT professionals still want more from Apple in terms of device management capabilities, despite the newly broadened Device Enrollment Program.

The Apple Device Enrollment Program (DEP) allows IT departments to onboard iOS, macOS and tvOS devices into an enterprise mobility management (EMM) system without having to individually prepare or physically handle devices before users get them. Previously, DEP only supported devices that companies purchased directly from Apple and its channel partners. But last week, it added support for any Apple device. While this change is helpful, IT professionals would like to see more from Apple in terms of management control over devices once they're enrolled in EMM.

"We have found them to be far too restrictive and difficult to support to even consider using them going forward," said Jon Booth, IT director at Bear Valley Community Healthcare District in Big Bear Lake, Calif.

IT's EMM wish list

IT shops use DEP to enroll Apple devices into EMM software, but the extent to which that software can manage the devices depends on the built-in management and security features that the OS allows. This means Apple decides which controls EMM providers can offer for iPhones, iPads and Macs.

Some of the shortfalls of iOS in terms of built-in EMM controls include the inability to block users from taking screenshots or copying and pasting information from business apps and documents. Another common mobile app management feature that iOS doesn't offer is the ability for IT to place a passcode or Touch ID authentication wall on business apps. 

But the most commonly sought-after EMM capability among IT professionals is a way to block users from downloading and installing iOS updates.

Bear Valley Community Healthcare District, for instance, used to allow employees to work with iPads and Macs, but it has since banned them. There were instances where custom business apps didn't run on the latest version of iOS, so it was a problem when users downloaded a new iOS update that the business apps didn't support.

The organization also restricts Macs now, because many custom business applications are built specifically for Windows. Bear Valley does allow iPhones, but only for access to corporate email, which avoids the issue of custom apps not working on the latest version of iOS. 

"We have run into many apps that either don't support [iOS or macOS], or they do not work well on an Apple device," Booth said. "And once we have worked out the bugs, here comes an iOS update that produces all new challenges or breaks what we fixed to get the apps working."

Google's Android operating system, on the other hand, allows EMM software to block an incoming update.

Another shortcoming is that the Apple Device Enrollment Program itself applies only to corporate-owned devices, which limits its use cases.

The evolution of Apple DEP

IT pros traditionally found it difficult to enroll a large number of devices through DEP, but that changed with updates in iOS 9 in 2015. Prior to that, admins had to onboard devices one by one or a handful at a time, and they had to have the device physically with them and connected to a Mac. Since then, users can complete the setup process on their own without the help of IT, allowing for a faster process with a lot less work for admins. DEP automates configuring the device to the appropriate EMM policies, and these policies automatically apply based on answers a user gives to a few questions when first signing on.

Opening up Apple Device Enrollment Program support for more devices will help grow the EMM market in general, said Eric Klein, director of mobile software at VDC Research Group Inc. in Natick, Mass.

"This is going to be great for the small and midmarket side of the industry, along with education," Klein said. "There is definitely traction for EMM, but it's still tough for EMM to get in with SMBs."

The expansion of DEP availability will also have an effect on schools, nonprofits and other organizations that are more likely to have refurbished devices, such as older Macs or iOS devices.

"This is a positive change," said Ira Grossman, CTO of end-user computing at MCPc Inc., an IT consultancy in Cleveland. "It removes quite a few obstacles from procurement to management, especially for legacy devices."
