Use your own custom web interfaces to authenticate users.
Beginning with iOS 13 and macOS 10.15, enterprises can use their own custom web interface to authenticate with the Device Enrollment Program (DEP). The configuration key in the DEP Profile defines the value of the custom URL to present to the user in a web view. Use this key to define your own UI for authentication, with your preferred authentication method. After the user is authenticated, the MDM enrollment profile is downloaded.
On the initial page load of the
The URL must have an https scheme and is a
Use the certificates in the Anchor property of the Profile to pin the host to the certificates.
A custom header x-apple-aspen-deviceinfo is appended to the request. It contains a base64 encoding of a CMS (Cryptographic Message Syntax) envelope that contains a plist with device attributes. This is the same information, in the same format, as provided in the initial POST request with token-based DEP enrollments.
On subsequent page loads:
If navigation requires trust evaluation using certs not normally trusted by the system, they must be included in
The user interacts with the web view until the server provides a .mobileconfig file to the client. The .mobileconfig file must have a MIME type of application/x-apple-aspen-config. Then the web view closes and the OS attempts to install the profile, which must be an MDM enrollment profile.
Although the web view allows the user to navigate to arbitrary pages at arbitrary sites, the enrollment profile must originate from a host where the last two components of the domain name match the last two components of the
For iOS, this flow is supported during initial setup of an erased device. For macOS, this flow is supported both within Setup Assistant and also via the Profiles pref pane, if DEP enrollment was skipped during Setup Assistant.
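As an added example (not Apple's code or part of the original page), the following Python shows the server side of the flow described above: decoding the x-apple-aspen-deviceinfo header down to its device-attribute plist, mirroring the "last two domain components" origin rule the OS applies to the enrollment profile, and returning the .mobileconfig with the required MIME type. The CMS envelope, the plist keys (SERIAL, PRODUCT, UDID, VERSION, LANGUAGE) and the hostnames are constructed sample data; the helper extracts the plist payload only and assumes the CMS signature is verified separately before the attributes are trusted.

```python
import base64
import plistlib
import re

# Constructed sample data: a device-attribute plist such as the header carries.
# A real header wraps the plist in a DER-encoded CMS envelope; here a few
# padding bytes stand in for that wrapper (constructed, unsigned test data).
SAMPLE_PLIST = plistlib.dumps({
    "SERIAL": "C02CONSTRUCTED", "PRODUCT": "MacBookPro16,1",
    "UDID": "00000000-CONSTRUCTED", "VERSION": "19A583", "LANGUAGE": "en",
})
SAMPLE_ENVELOPE = b"\x30\x82" + b"\x00" * 8 + SAMPLE_PLIST + b"\x00" * 4
SAMPLE_HEADER = base64.b64encode(SAMPLE_ENVELOPE).decode("ascii")

MOBILECONFIG_MIME = "application/x-apple-aspen-config"
_PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)


def device_info_from_header(header_value):
    """x-apple-aspen-deviceinfo: base64 -> CMS envelope -> plist dict.

    Assumption: the CMS signature is validated by a separate step (a CMS
    library) before these attributes are relied on; this only extracts them.
    """
    envelope = base64.b64decode(header_value, validate=True)
    match = _PLIST_RE.search(envelope)
    if match is None:
        raise ValueError("no plist payload found in CMS envelope")
    return plistlib.loads(match.group(0))


def same_registrable_domain(profile_host, web_url_host):
    """The origin rule from the page: the last two DNS labels must match."""
    def tail(host):
        return host.lower().rstrip(".").split(".")[-2:]
    return tail(profile_host) == tail(web_url_host)


def enrollment_response(profile_bytes, profile_host, web_url_host):
    """Return (status, headers, body) for the final .mobileconfig delivery.

    The OS rejects a profile from a host outside the configured URL's domain,
    so the server checks the same rule before handing one out.
    """
    if not same_registrable_domain(profile_host, web_url_host):
        return 403, {"Content-Type": "text/plain"}, b"profile host not under web URL domain"
    return 200, {"Content-Type": MOBILECONFIG_MIME}, profile_bytes
```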