AirWatch integration with Apple DEP and VPP allows users to enroll their own devices and be productive in minutes.

The video below (3:45 min, uncut) demonstrates the enrollment of an iOS device via Apple DEP, managed by AirWatch. In addition, applications are pushed silently to the device using Apple VPP through AirWatch. With this integration users do not need to enter an Apple ID, because apps can be pushed directly to devices instead of to users.

AirWatch with Apple DEP and VPP Video

Integration of Apple DEP and VPP behind the scenes

Apple DEP Integration to AirWatch

DEP integration is fully documented in a step-by-step document by AirWatch, which I do not want to quote here. Instead, I'd like to give an overview of the different enrollment methods that AirWatch offers via DEP.

Basic end-user enrollment

The actual user of the device can enroll the device himself by authenticating with his user name and password. The user name and password can be either an Active Directory account or a "basic" AirWatch account which has been manually created in the AirWatch Console.

Staged enrollment by IT

If IT wants to enroll a batch of devices, to ensure that they are enrolled before they are handed out to users, Apple DEP can be configured with an AirWatch staging account. In this case the DEP enrollment screen does not prompt for a user name and password, but enrolls directly to AirWatch.

To bind the device to an actual user, the user only needs to open the AirWatch MDM Agent (once) and type his AirWatch credentials (based on Active Directory or a basic AirWatch account). The device ownership then changes from the staging account to the actual user, and user-specific profiles apply. A common use case for user-specific profiles is the mail account setup via Exchange ActiveSync: only after the "actual" user of the device is assigned will the profile deploy and configure the EAS settings.

For devices which are shared by different people, AirWatch also supports "Shared device mode". Devices can be enrolled with a "multi-user staging account". The AirWatch MDM Agent will then prompt for a user name and password, but will also contain a "logout" button. Once a user no longer needs a shared device, he can log out. After logout, the device can be automatically switched into single-app mode, which makes the AirWatch MDM Agent with its logon prompt the only available app. This forces anybody who wants to use the device to log on with a valid account, after which single-app mode is automatically removed.

Shared device mode allows IT to see in real time who is currently using a device, and it also allows for user-specific profiles (for example, e-mail settings which are deployed and removed as users log on to and log off from the device).

Apple VPP Integration to AirWatch

Once AirWatch has been integrated with the corresponding VPP SToken, administrators can purchase paid iOS and OS X apps from the Apple VPP portal. Administrators can also "purchase" free apps from the same portal, to have a single source for the apps which are distributed to devices.

If an iOS device has been set up as a supervised device (via DEP profile or Apple Configurator), VPP apps can be installed automatically through AirWatch, without prompting the user. For iOS 9+ devices, no Apple ID is needed to install VPP-distributed apps.

Administrators can flag apps as optional, so that they only show up in the AirWatch app catalog and are not distributed automatically. Users can then install those apps on demand. No Apple ID is needed for self-requested apps either. Users can still add their personal Apple ID to devices and install apps from the public App Store, unless this is restricted by AirWatch restriction profiles.





About the author
Peter Giesa is an AirWatch Certified Technical Post-Sales On-Prem Expert and works as Solution Architect & Senior Consultant for Aerion Solutions.

About Aerion Solutions
Aerion Solutions is an AirWatch Elite Partner, BOX Premier Partner, OKTA Reseller Partner, VMware Enterprise Solution Provider and Zendesk Premier Partner in Finland. Its certified consultants provide consulting and training services for AirWatch, BOX, OKTA, VMware and Zendesk implementations. Aerion Solutions' consultants are familiar with G-Suite, O365, Azure and more traditional AD and LDAP environments.