Apple DEP and Citrix XenMobile Invalid Profile Error

Background

Setting up Apple DEP is relatively straightforward (start here). Once set up, connecting your DEP account to your Citrix XenMobile instance is, again, pretty straightforward. The Citrix guide (here) is easy to follow and there are some great “step by step” guides elsewhere on the web – Anton van Pelt’s is one of my favourite guides.

Problem

After following the guide(s), everything appeared to be working correctly. Two or three handsets managed to enrol successfully and everything was looking good. However, after a while, devices started to fail to enrol with the message “invalid profile”.

Looking through the Xcode logs, the only error was as follows:

Jan 20 09:38:39 iPhone Setup(ManagedConfiguration)[224] <Notice>: Failed to parse profile data. Error: NSError:
Desc : Invalid Profile
US Desc: Invalid Profile
Domain : MCProfileErrorDomain
Code : 1000
Type : MCFatalError

Not much to go on here! After working with Citrix support an error was found in the support bundle created within XenMobile. When DEP devices are added to XenMobile they are initially created under the “Device Enrolment Program User” identity. Once a “real” user signs in to the device it switches owner and is assigned to the real person.

In our setup we had the “devices per user” setting capped at five. As such, any user wishing to enrol a sixth device would receive an error. Looking at the support bundle, it stated that the “Device Enrolment Program User” had exceeded the number of devices allowed (5) and was unable to add any more devices.
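To see when these failures start and how often they recur in a captured device log, the multi-line NSError block shown above can be folded into one record per error. This is an added example, not code from Citrix or Apple; the function names are hypothetical and the second record in the sample is constructed.

```python
import re

# Constructed sample in the layout of the log excerpt above; the second
# error record and the SpringBoard line are made up for illustration.
SAMPLE_LOG = """\
Jan 20 09:38:39 iPhone Setup(ManagedConfiguration)[224] <Notice>: Failed to parse profile data. Error: NSError:
Desc : Invalid Profile
US Desc: Invalid Profile
Domain : MCProfileErrorDomain
Code : 1000
Type : MCFatalError
Jan 20 09:38:41 iPhone SpringBoard[58] <Notice>: unrelated line
Jan 20 09:41:02 iPhone Setup(ManagedConfiguration)[231] <Notice>: Failed to parse profile data. Error: NSError:
Desc : Invalid Profile
Domain : MCProfileErrorDomain
Code : 1000
Type : MCFatalError
"""

# "<timestamp> <host> <process>[pid] <Level>: message"
HEADER = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"(?P<proc>.+?)\[\d+\] <\w+>: (?P<msg>.*)$")
# Continuation lines of the NSError dump: "Key : Value"
FIELD = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s*(?P<value>.+)$")

def parse_nserror_records(text):
    """Return one dict per log line ending in 'NSError:', with the
    'Key : Value' lines that follow it folded into the same dict."""
    records, current = [], None
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:
            current = None  # any new log line closes the previous record
            if head["msg"].rstrip().endswith("NSError:"):
                current = {"timestamp": head["ts"], "process": head["proc"]}
                records.append(current)
            continue
        field = FIELD.match(line)
        if current is not None and field:
            current[field["key"].strip()] = field["value"].strip()
    return records

def invalid_profile_failures(records):
    """Keep only the MCProfileErrorDomain / code 1000 errors seen above."""
    return [r for r in records
            if r.get("Domain") == "MCProfileErrorDomain" and r.get("Code") == "1000"]

if __name__ == "__main__":
    for rec in invalid_profile_failures(parse_nserror_records(SAMPLE_LOG)):
        print(rec["timestamp"], rec["process"], rec.get("Desc"), rec.get("Type"))
```

The device log only confirms that the profile was rejected; the cause in this case was still only visible in the XenMobile support bundle.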

Solution

Logging in as a full administrator (you need access to the enrolment setup tab), you can change the number of devices permitted. The Citrix guide is here. By setting the enrolment limit to “unlimited”, the “Device Enrolment Program User” was able to bring in all the devices allocated under our DEP account (more than five!).

The downside to this quick fix was that any “real” user would also be able to have an unlimited number of devices. Citrix advised that for DEP enrolment you could create a new enrolment group/profile and assign it to just the DEP accounts. This would restrict normal users whilst allowing DEP to function correctly.

Thoughts

This “bug” took a while to hunt down… The use of a “user” account (Device Enrolment Program User) to manage the DEP import activity is, in my personal opinion, a weakness of the Citrix implementation. User-based policies, such as the number of devices, should only apply to “real” people. System accounts should sit outside of these controls. The key point here: a reasonable setting applied to an end user breaks the DEP function.

Hopefully the above will save someone else going around in circles… let me know in the comments!
