Apple finally allows admins to lock down iPad MDM settings, and wirelessly supervise devices. You may never have to unbox an iPad again.

Today, Apple announced a new iOS and Mac management service called the Device Management Program (DEP).

Similar to the iPad Volume Purchase Program, DEP is a browser based system that allows schools to manage iPads without the need for Apple Configurator. Administrators can now wirelessly supervise devices, lock down MDM settings, and better manage the use setup experience.

Let’s walk through the changes.

Device Enrollment Program


Until now the most effective way to manage iPads has been to connect them via USB cable to a Mac running Apple Configurator to apply settings and apps. But today Apple released the Device Enrollment Program (DEP), which is best described as Apple Configurator in the cloud.

With the Device Enrollment Program schools can:

  • Supervise iPads over the air, without connecting them to Apple Configurator.
  • Automatically enroll iPads in your chosen MDM.
  • Provide a simpler consumer set up screen for teachers and students.
  • Lock down and prevent students removing MDM configuration profiles.

These are all features which were originally announced to be part of iOS 7 but haven’t been made available until today.

Zero-touch iPad Configuration

With “zero-touch” configuration iPads can be supervised over the air without an administrator even needing to unbox the device. This replaces the previous system which would require the iPad to be connected via USB to a Mac running Apple Configurator. The iPads are then managed by MDM in the normal way.

One of the big complaints with iPad management is the inability for administrators to password protect MDM configuration profiles to prevent them being removed by students. This oversight likely lead to the Los Angeles iPad “hacking” scandal where a large iPad roll out was halted due to eSafety concerns. Apple’s Device Enrollment Program finally provides a way to properly protect MDM settings from being removed.

There are, however, three major issues with DEP:

  • DEP only works on school owned devices purchased directly from Apple.
  • Only devices purchased within three years of the school enrolling in the program can be managed.
  • This program is currently only for the US.

In the US Apple has a direct sales model and has accurate information about who owns which device. Apple is likely using this information to relate devices to organisations. Outside of the US, where most school iPad sales are via re-sellers, it’s difficult to know how Apple intends to replicate this model, without moving to a direct sales model internationally.

While direct sales may be common place in US schools, for international customers the idea that iPads may only be purchased directly from the manufacturer is concerning. With DEP there is a real concern that Apple is locking down iPad education market pricing.

It’s great to see Apple paying more attention to enterprise iPad management. These changes, if effective, make iPad a truly scalable device in schools and address concerns that administrators have been raising for a number of years. We’ll have more details on this in the coming days.

To find out more you can read Apple’s deployment guide and further details in the Device Enrollment Program Guide, and we’ll have a full guide once we have access to the DEP system.


About Author

Profile photo of Karl Rivers

Karl is an award winning Director of IT for the Royal Grammar School Guildford, based near London, England. He has been working in education for more than ten years and founded ClassThink in 2013 to share technology best practice with other schools. In 2014 he won the NAACE Impact Award for support services in schools, and writes edtech articles for Education Executive Magazine.


  1. They are very vague in their information.

    Can you use this system to deploy devices without Supervising them?

    Does Unsupervising them still require that they be wiped? (Poor, poor practice for schools that offer the devices to students after a period of time.)

    Are you still required to Supervise them if you want to turn off FaceTime, Messages and use a global proxy server?

    Does this apply to brand new boxed devices only, or can we assign them to devices that have been in use and Supervised by Configurator since September?

    What happens when a device gets broken and Apple replaces it with a refurb? Will that SN get kicked into the system so we can assign the replacement to the same student?

    Will the Configurator be dropped from support and updates or will it continue in case a student breaks their device and the parent mistakenly buys one over the counter at Apple?

    Will Supervised-in-the-cloud iCloud backups restore properly to replacement devices? It’s been disastrous for us since the fall.

    • Profile photo of Karl Rivers

      Hi ipadedtech,

      All good points.

      It’s my understanding — however I don’t have access to the system yet so take this with a pinch of salt — that this will apply to all future purchases plus any purchases made within the last three years directly from Apple.

      The rest of the questions are as yet unanswered. Once I get access to the system I’ll hopefully be able to give you answers, but being UK based you’ll probably have access before me!


      • Thanks Karl. We are having a world of difficulty trying to sign up for this. Our VPP log in credentials are declared invalid on the Deployment site so we set up a different Apple ID which required a several business day wait to set up two pass security. Once the two days passed, we are still not able to log on. Trying a third ID, we received a “your data is being migrated” message that hung for a few days and now that is reporting invalid credentials as well.

        May be a rough ride for a while!

Tell us what you think!