Import your Supervision Identity into a DEP Profile

This article describes a best practice for DEP workflows, available in GroundControl 3.2 and above. This process will pre-load GroundControl’s identity to your devices during DEP activation. The identity allows GroundControl to do more with your DEP devices:

  • Avoid the “Trust this Computer?” prompt; instead devices pair automatically with any Launchpad app for your organization, even if your DEP profile prohibits pairing
  • Set Wallpaper
  • Launch Apps
  • Enable App Lock
  • Hide Apps
  • Set Restrictions
  • Restore a backup, including system settings, if you follow special instructions

Specific instructions for various MDM systems are included below.

This pairing override is available even if you set DEP to disable host pairing. The combination effectively secures devices while retaining management capabilities. We consider this combination to be a best practice for DEP deployments.

Step 1: Export the Supervision Identity

In GroundControl’s admin console, click on Admin > Company. Then click on the link to export your supervision identity.

GroundControl will save a cryptographic file in .p12 format. Keep this file for the next step.

Step 2: Import the identity into your MDM

The instructions are different depending on your MDM.

Log into the AirWatch Console and ensure you are viewing the correct organization group. Visit Devices > Devices Settings > Apple > Device Enrollment Program. You should see one or more DEP Profiles.

Edit the profile which will receive the supervision identity. (You may edit more than one.)

Scroll down to the option for Device pairing. Make sure device pairing is set to “Disabled.”

Click the “Add” button, and upload the .p12 supervision identity file you exported in step 1.

Save the profile and exit settings.

We recommend you re-sync with Apple to ensure Apple has the updated profile. Go to Devices > Lifecycle > Enrollment Status, then click Add > Sync Devices.

MaaS360 requires a .CER extension for the file. Rename the supervision identity you found above, from “.p12” to “.cer”.

In the MaaS360 console, navigate to Devices > Enrollments > Streamlined Enrollment > Profiles > Certificate > Add Certificate.

Enter a name for the certificate, and upload the .CER file from the previous step.

Click the blue arrow to return to the list of DEP profiles. Edit the DEP profile that your GroundControl devices will use.

MaaS360 only allows a supervision identity when pairing is disabled. (This is not an Apple requirement, but is based on a misunderstanding of this feature.) Uncheck “Allow Pairing”.

Now you may select one or more certificates from the list.

In the MobileIron Core admin console, click on Devices & Users > Apple DEP to list your DEP connections (most organizations will have only one). Now list the enrollment profiles by clicking on the number under the column “Enrollment Profiles.”

Edit the desired enrollment profile. At the bottom of the dialog is a section on Pairing Certificates.

Upload the .p12 supervision identity you downloaded in Step 1. Then save the profile.

We recommend you re-sync with Apple to ensure Apple has the updated profile. Go to Devices & Users > Apple DEP, then click on “Check for Updates.”

In the MobileIron Cloud console, go to Admin > Device Enrollment Program. This lists the DEP connections (most organizations have only one). Click Actions > Edit DEP Profile. Scroll down to the “Certificates” section.

Add the .p12 supervision identity you downloaded in Step 1. You may give the identity any name you wish.

Save the profile.

Step 3: Test pairing

Pairing records are remembered by the host, and survive device erases. So testing can easily be contaminated by old data. Follow these steps to make sure you are testing correctly.

Test A (single Launchpad):

  1. Erase a DEP device and configure it by hand, without using GroundControl. This ensures GroundControl does not grab the pairing record from the erased device.
  2. On your Launchpad choose “Reset Launchpad” from the File menu (Windows) or Launchpad menu (Mac). This will remove any saved pairing records from that Launchpad. Register the Launchpad when prompted.
  3. Now plug the device into the host. After a few moments, you should see the device show up as “DEP, Limited operations available.” You should NOT see the trust prompt on the device. This means that GroundControl has successfully paired with the device, without additional prompts.

Test B (multiple Launchpads):

  1. Begin by resetting the Launchpads on at least two computers. Then register both Launchpads and have the software running.
  2. On computer 1, deploy a DEP-enabled GroundControl workflow to one device. Make sure the device is past all setup screens for the next step.
  3. Plug the configured device into the second computer. After a few moments, you should see the device show up as “DEP, Limited operations available.” You should NOT see the trust prompt on the device. This means that GroundControl has successfully paired with the device, without additional prompts.

Notes

GroundControl stores its pairing information in a private database. So the operation to permit pairing to GroundControl does NOT allow other apps on the same host — such as iTunes, Configurator, etc. — to manage the device.

The supervision identity is unique to your organization in GroundControl. We export only the “public” component of the supervision identity; the private key is kept encrypted and is not exportable.
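
Because the export is meant to carry only the public component, it is worth confirming before upload that the .p12 holds a certificate and no private key. The following check is an added example, not GroundControl's own tooling; it uses the standard `openssl pkcs12` command, and the function names, sample file names and the password `constructed` are assumptions (the article does not say whether the export has a password).

```shell
#!/bin/sh
# Added example: confirm a supervision identity export holds certificates only.
# Function names, file names and the password "constructed" are assumptions.

p12_count() {   # $1 = file, $2 = password, $3 = keys|certs; prints how many
    case $3 in
        keys)  opt=-nocerts; pat='BEGIN.*PRIVATE KEY' ;;
        certs) opt=-nokeys;  pat='BEGIN CERTIFICATE' ;;
        *)     return 2 ;;
    esac
    # A wrong password or an unreadable file makes openssl fail: report 2.
    pem=$(openssl pkcs12 -in "$1" -passin "pass:$2" "$opt" -nodes 2>/dev/null) || return 2
    printf '%s\n' "$pem" | grep -c "$pat" || true   # grep -c exits 1 on zero matches
}

p12_verdict() {   # 0 = certificate(s) only, 1 = key present or no cert, 2 = unreadable
    keys=$(p12_count "$1" "$2" keys) || return 2
    certs=$(p12_count "$1" "$2" certs) || return 2
    [ "$keys" -eq 0 ] && [ "$certs" -ge 1 ]
}

make_constructed_samples() {   # $1 = scratch directory; builds two test containers
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=constructed-sample' \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -nokeys -in "$1/cert.pem" \
        -out "$1/cert-only.p12" -passout pass:constructed &&
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -out "$1/with-key.p12" -passout pass:constructed
}

# With no arguments, demonstrate on the constructed samples; otherwise check
# the given file: sh check_p12.sh identity.p12 [password]
if [ "$#" -eq 0 ]; then
    scratch=$(mktemp -d) && make_constructed_samples "$scratch"
    set -- "$scratch/cert-only.p12" constructed "$scratch/with-key.p12" constructed
fi
while [ "$#" -ge 1 ]; do
    if p12_verdict "$1" "${2:-}"; then
        echo "$1: certificate only"
    else
        echo "$1: private key present, no certificate, or unreadable"
    fi
    shift; [ "$#" -ge 1 ] && shift
done
if [ -n "${scratch:-}" ]; then rm -rf "$scratch"; fi
```

A file that fails this check should not be uploaded to an MDM or renamed to .cer; re-export it from the admin console instead.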

As always, changes to DEP profiles can only affect devices during activation. Therefore already-activated devices will need to be erased and re-activated to receive these settings. This is unfortunate, but it is a limitation of DEP.

These steps are not required for non-DEP (“Manage with GroundControl”) deployments.