Deploy SCEP profile to mobile decives without User Affinity
Deploying SCEP-profiles to mobile devices without user affinity is not possible. And here is why that feature is needed. My customer has a conference room solution that involves an iPad to display booking details and schema outside of every conference room.
This tablet needs access to the internal 802.1x protected Wifi as well as an VPP-app to display the booking details and so on.
The idea here is to enrol the devices in Apple DEP and assign a DEP profile that does not involve User Affinity. Then some sort of mechanism is setup that add enrolled devices based on pre-registered serial numbers to certain collections right after they appear in Configuration Manager.
On these collections, we deploy the VPP app with per-device license as well as Wifi and SCEP profiles. In addition, the VPP-app is configured to run in Kiosk-mode.
If that is achieved we can in most cases with very little help from users reset these device from Servicedesk since there is no need to supply an enrolment account during the first-run-wizard.
For example, after a wipe have been initiated and the device is up again the user gets instructions to choose language, pick an open wifi-network to get access to Internet. After that the enrolment is automated within like 20 min. The device receives the SCEP-profile and the Wifi-profile to get access to the internal network. Now the VPP-app is installed automatically without AppleID and autoconfigured to contact the web service for the conference room details.
If we don’t achieve this we must use Enrolment Manager accounts to configure the devices automatically. That will involve an onsite technician every time the device needs to be reset or set up. And since this solution involves more the 1000 IPads the support-cost will be high compared to a situation where most resets can be done without involving the onsite technicians.
Also having Enrolment Manger accounts known to many technicians is somewhat a security risk since these accounts can be used to enrol any device and get access the internal network quite easy if the credentials are compromised.
Have you got any update on this? Any workarounds you figured to overcome the limitation?