I have managed to successfully set up Apple DEP in SCCM (which is connected to Intune) as per these instructions from Microsoft:
https://technet.microsoft.com/en-gb/library/mt131910.aspx

It's working great, and I can see all the devices we have purchased from Apple under All Corporate Owned Devices > iOS > Device Information.

However, I have a couple of issues related to Enrollment Profiles:

1. Is there a commentary available anywhere on the Web as to what each of the settings on this screen do? The TechNet article doesn't explain what they do:
   
2. I want the Enrolment Profile to kick in when a user factory-resets a corporate owned iPad or iPhone. For example, if a member of staff leaves and hands over their iPad to another employee. But there's a problem - if the previous user had set up iCloud/Find My iPhone on their device, you see this message after a factory reset:
   
   You then have to call up the ex-employee and have them delete the iPad or iPhone from their iCloud account to be able to continue...
   Is there an option in the Enrollment Profile to prevent a user adding it to Find My iPhone so we don't get into this situation?

Thanks in advance.

• Edited by Argonaught 83 Wednesday, July 08, 2015 4:18 PM

I think I've found some of the answers to my own questions.

1. This appears to be a confusing blend of settings. If you set Siri to Disable, the user won't be asked if they want to turn Siri on or not when the set up a the new device. This is good. Any reduction in annoying setup prompts is helpful for our business. But the negative side is that Siri (which is quite useful) is disabled, and has to be turned on manually if you want to use it. Terms and Conditions, on the other hand, merely disables the prompt for the user to accept them when setting up a new device. It doesn't affect the functionality of the phone in any way.
   
2. Apparently, this is caused by a new feature called 'Find my iPhone Activation Lock'. You can't disable it through any Configuration Item in SCCM/Intune - the only way to prevent it is to put the devices in Supervised mode. I'll work through trying that out now.

There's another issue though. Even after succesfully signing in with corporate credentials to a new device that's linked in the DEP, even though the Management Profile arrives, enrolment isn't completed since the Intune Company Portal app is missing. I guess you need to push that app to make this process complete.

OK, figured out my third point. When you complete the initial setup, the Management Profile (and associated ActiveSync email profile) are delivered to the iPad. This will then trigger an Intune Conditional Access warning email, pushing the user toward downloading the Intune Company Portal app to complete the process.

Still can't figure out how to set up the Find my iPhone Activation Lock settings in SCCM. Perhaps they don't exist.

In the enrollment profile, if you specify Supervised, this will disable Activation Lock if Find My iPhone is turned on.  Supervised Mode is an apple specific thing that can be accomplished with the Enrollment Profile as previously stated, or with connecting to a Mac and using the Apple Configurator.

• Marked as answer by Argonaught 83 22 hours 45 minutes ago

In the enrollment profile, if you specify Supervised, this will disable Activation Lock if Find My iPhone is turned on.  Supervised Mode is an apple specific thing that can be accomplished with the Enrollment Profile as previously stated, or with connecting to a Mac and using the Apple Configurator.

• Marked as answer by Argonaught 83 Friday, September 11, 2015 9:01 AM

Thankyou William. That answers the question.

Why on earth isn't this in Microsoft's documentation though...

You are certainly welcome. And yeah, there are many things lacking in the documentation around DEP with SCCM but hopefully as more people adopt it, the documentation will improve.