skip to content

IT Help and Support

University Information Services

Managing Apple devices in the University using Apple enterprise programmes.

Apple deployment programmes

handdrawn imacApple provide the following to support managing macOS, iOS and tvOS devices in the enterprise:

  • Mobile Device Management (MDM)
  • Device Enrolment Programme (DEP)
  • Volume Purchase Programme (VPP)
  • Apple School Manager (ASM)

It is current best practice to use these technologies and it is likely their use will become mandatory at some point in the future.

Mobile Device Management (MDM)

MDM is a protocol comprising of commands that can be used to manage Apple devices. The commands cover installing configuration profiles, App Store apps and device management such as locking, rebooting, remote wipes and software updates.

The MDM protocol is published here. There are many implementations of MDM such as:

The School, Department or College will be responsible for running their own MDM server of choice. UIS uses Jamf Pro for centrally managed Macs and can offer advice on its use as well as limited advice on other MDM products.

Device Enrolment Programme (DEP)

DEP is a technology that automatically enrols Apple devices into an MDM environment. When integrating an MDM server with DEP, a certificate is generated by the MDM server and then signed by Apple. This is imported into Apple School Manager to create a trusted link between the MDM server and the DEP pool.

When an Apple device is purchased from one of the Apple Higher Education Framework Resellers it should be automatically added to the DEP pool for the University of Cambridge and related Institutions. Devices can be then requested to be assigned to an MDM server by an institution.

Eligible devices must be purchased through one of the following channels:

  • Apple Higher Education Portal (prior to Apple HE Tender)
  • Apple HE Tender Supplier (Academia, XMA, Insight, Stone)

Devices not purchased through one of the above channels cannot be used with Device Enrolment.

During device activation with Apple (this happens when the device joins the network after the first boot of a new device or a wipe and reinstall) the device is directed to enrol with the assigned MDM server. Configuration is then applied with no user interaction required.

UIS has signed up to the DEP on behalf of the University of Cambridge and related Institutions.

Volume Purchase Programme (VPP)

VPP originally gave bulk discounts on Apple applications such as the iLife and iWork suites, Logic Pro and Final Cut Pro. Now it is primarily used to purchase App Store apps that can be deployed over the air to devices without use of an Apple ID. Applications can also be removed and redeployed to another device.

UIS has signed up to the VPP on behalf of the University of Cambridge and related Institutions.

Apple School Manager (ASM)

Apple School Manager is an Apple-provided web portal that allows MDM servers to be linked to the DEP pool and users created with responsibilities to manage aspects of DEP and MDM as well as associate devices to MDM servers.

Preparing to manage Apple devices

Steps and responsibilities

Step Institution action UIS Apple Support action
1 Institution selects and provisions MDM server  
2 A DEP certificate signing request is generated by the MDM server and emailed to  
3   CSR is uploaded to ASM and certificate is generated by Apple. This is returned to the institution.
4   VPP account is created for the Institution and an initial password provided.
5 VPP account is added to the MDM server.  
6 Serial or IMEI numbers of devices to be managed are provided.  
7   Devices are assigned to the MDM server.

Note: Steps 6 and 7 will be repeated whenever an Institution wishes to add more devices to their managed fleet. Devices can also be unassigned from an MDM server.

The benefits of Apple's enterprise deployment programmes

Aside from the fact that the direction of travel with Apple will likely make use of these programmes mandatory if Apple devices are to be managed in the future, there are the following benefits:

  • Devices are provisioned and configured through a secure and trusted channel.
  • App Store apps, management and configuration profiles can be delivered to any device connected to the internet.
  • The end user can use their own Apple ID to install apps that belong to them.
  • Some IT system admin tasks that are now restricted in newer macOS releases are available when a device is provisioned via DEP and MDM – for example, kernel extension whitelisting allowing seamless installs of McAfee AV products, DropBox etc.
  • Devices are activation-locked, allowing remote wipe, lost mode etc. and preventing the device from being wiped and sold.

Contact us

For more information please contact .




UIS Service Desk

UIS Service Status

Phone padded  Service status line: (01223 7)67999
Website  Sign up for SMS/email status alerts
Website  Read major IT incident reports

UIS bITe-size bulletin

A regular newsletter aimed at the University's IT community, highlighting service and project news from UIS.

Sign up >

Latest news

Lecture capture (Panopto) public video sharing options to be disabled

5 August 2021

We are disabling the public video sharing options in Panopto, the University’s online platform for lecture capture and educational videos, to protect the University from unintended additional costs. No videos will be lost as a result of this change, but you will need to download any videos that you wish to continue to...

Turnitin maintenance: Saturday 14 August 16:00–18:00

4 August 2021

Turnitin will be undergoing essential maintenance on Saturday 14 August during 16:00–18:00 BST. Please be aware that submissions or grading for Turnitin Assignments in Moodle will not be possible during this time. We therefore advise that submission deadlines are set outside this maintenance window. Follow @TurnitinStatus...

Easier way for Departments and NSIs to get ‘bolt-on’ Office 365 licences for staff

4 August 2021

It will be quicker, easier, and cheaper to for Departments to get bolt-on product licences to add to individual users’ Office 365 licences from 1 October 2021. The new process will apply to individual licences for products such as Visio, Project and PowerBI that are not included under the Microsoft EES Agreement. UIS will...