Apple's **Device Enrollment Program (DEP)** is the most important piece of the kosher iPhone stack that most customers never hear about. It's what makes the difference between a phone we ship "pre-configured" and a phone that is **literally supervised from the first tap** — with no user prompt, no accept-profile dialog, no bypass window.
What DEP is
DEP is Apple's enterprise enrollment channel. Launched in 2014, expanded steadily since, it's now part of **Apple Business Manager** (ABM) and **Apple School Manager** (ASM) — the two portals Apple provides to enterprises and schools for bulk iPhone/iPad/Mac management.
When a DEP-enrolled enterprise orders iPhones from Apple or an authorized reseller, every device has its serial number pre-registered in the enterprise's ABM account. The moment one of those iPhones powers on for the first time, it checks in with Apple's DEP servers over the internet. DEP tells the device: "your owner is [Enterprise]'s MDM. Enroll with them now." The device does so, before reaching the normal iOS setup screen.
Why DEP matters for frum families
Here's the alternative: **post-purchase enrollment**. An installer walks you through connecting your iPhone to a Mac, running Apple Configurator, factory-resetting, and installing a supervision profile. It works — but it's fragile, manual, and the user can technically undo parts of the setup.
**DEP enrollment is permanent** in a way post-purchase enrollment is not:
- **Factory reset** doesn't remove DEP binding. On next boot, the device re-enrolls in our MDM automatically. - **iCloud backup restore** doesn't remove DEP binding. The supervision re-applies. - **iOS upgrade** doesn't remove DEP binding. - **User factory reset + setup with a different Apple ID** doesn't remove DEP binding.
For a frum household's "kosher phone," this is the difference between protection that survives everything a teenager can try, and protection that survives until they Google "how to bypass DEP."
(For the curious: DEP can only be removed by us — the MDM operator — or by Apple directly. There is no user-side path to disenrollment.)
How The Kosher iPhone uses DEP
We're an Apple Authorized Reseller for Apple Business Manager. Every iPhone we ship to a customer is ordered through DEP with our account as the supervisor-of-record.
When your phone arrives: 1. You unbox a factory-sealed iPhone. 2. Hold the side button. The Apple logo appears. 3. The phone briefly checks Apple's DEP servers. Apple tells it: "your MDM is The Kosher iPhone." 4. The device silently enrolls. Supervision is now live. 5. You see Apple's "hello" setup screen — but supervision is already applied. 6. You sign in with your Apple ID. Your account is yours (we don't see it). 7. The KolBo apps are already installed (our MDM pushed them during step 4).
Most customers don't notice step 3. It takes about one second. By the time the "hello" animation plays, the phone is already supervised.
DEP vs. manual supervision
Three ways a phone can become supervised:
1. **DEP (factory)**: what we use. Permanent, user-invisible, survives factory reset. Requires the device to be ordered through an ABM-linked reseller. 2. **Apple Configurator (manual)**: an admin plugs the iPhone into a Mac, runs Apple Configurator, factory-resets the device, installs a supervision config. User-visible (the setup sees "this device is supervised"). Removable by user with another factory reset. 3. **User profile install (non-supervised MDM)**: the user accepts a management profile voluntarily. Not truly supervised — only the lower tier of MDM restrictions apply. Completely user-removable.
For enterprise-grade enforceable protection, only option 1 (DEP) meets the bar.
DEP and privacy
DEP is an enrollment mechanism. It does not expose content to Apple or to us. What Apple's DEP servers know:
- Serial numbers of devices registered to us - Which devices have successfully enrolled in our MDM - No content. No messages. No app data.
What our MDM sees, post-enrollment, is covered in [our security page](/security).
Frequently Asked Questions
Can I enroll my existing iPhone in DEP?
No. DEP registration happens at the point of purchase from Apple or an authorized reseller. An already-owned iPhone cannot be retroactively added to DEP. Post-purchase supervision via Apple Configurator is the alternative, but it's user-removable.
What happens if I transfer the phone to another family member?
The device stays DEP-enrolled with our MDM. We transfer the management relationship internally — your family member's profile replaces yours, but the device continues to be supervised.
Can Apple remove my device from DEP?
Apple can only remove devices from DEP at the request of the enrolled enterprise (us) or in rare cases (court order, proven theft with transfer request). A user cannot unilaterally request removal from Apple.