by walterbell 2825 days ago
> purchase devices from apple direct, or from an approved reseller. Unfortunately you cannot retroactively add devices that were already purchased.

So you need to provide a DEP-authorized account number to the salesperson in an Apple store? Is this possible when buying online from apple.com?

Any idea why Apple does not provide a service to test whether a device serial number is DEP-managed? It would deter attempts to resell DEP-managed devices.

1 comment

You must buy your devices through the enterprise store, and then they are automatically linked to DEP.

> Any idea why Apple does not provide a service to test whether a device serial number is DEP-managed?

Because once you know the serial number of a DEP device you can enroll into the MDM. There is virtually no security. See https://duo.com/labs/research/mdm-me-maybe

There is reasonable security. From your link:

> an attacker that obtains such a serial number ... will be able to enroll a device of their own as if it were owned by the organization, as long as it's not currently enrolled in the MDM server.

So, the rule is at-most-once enrollment.

And further down:

> some organizations elect not to require user authentication as part of MDM enrollment.

IOW, if you are not enabling authentication, you have only yourself to blame.
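
As an added illustration (not code from this thread, from the Duo write-up, from Apple or from any MDM product), the following Python model captures the two controls the comment above turns on: at-most-once enrollment per serial, and whether the server also demands a user credential. The `MdmServer` class, the serial `C02EXAMPLE01`, the user `alice` and her password are all constructed for the example; a real MDM would check the serial against Apple's DEP service and authenticate against an identity provider rather than an in-memory dict.

```python
# Simplified model of a DEP-backed MDM enrollment decision.
# Constructed for illustration; names, serials and credentials are made up.
import hmac
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ENROLLED = "enrolled"
    REJECTED_UNKNOWN_SERIAL = "rejected: serial not assigned to this org"
    REJECTED_ALREADY_ENROLLED = "rejected: serial already enrolled"
    REJECTED_AUTH_FAILED = "rejected: user authentication required and failed"


@dataclass
class MdmServer:
    # Serials the organization bought through DEP (constructed sample data).
    dep_serials: set
    # Whether enrollment also requires a user credential: the setting the
    # Duo write-up says some organizations leave off.
    require_user_auth: bool
    # Stand-in credential store, username -> password (hypothetical).
    users: dict = field(default_factory=dict)
    # serial -> username that enrolled it (None for an unauthenticated enrollment)
    enrolled: dict = field(default_factory=dict)

    def _user_ok(self, username, password):
        if username is None or password is None:
            return False
        stored = self.users.get(username)
        return stored is not None and hmac.compare_digest(stored, password)

    def enroll(self, serial, username=None, password=None):
        """Decide whether a device presenting `serial` may enroll."""
        if serial not in self.dep_serials:
            return Decision.REJECTED_UNKNOWN_SERIAL
        # At-most-once: a serial already bound to a device cannot be claimed
        # again. This is the only barrier when user auth is disabled.
        if serial in self.enrolled:
            return Decision.REJECTED_ALREADY_ENROLLED
        if self.require_user_auth and not self._user_ok(username, password):
            return Decision.REJECTED_AUTH_FAILED
        self.enrolled[serial] = username
        return Decision.ENROLLED


def outcomes(require_user_auth, attacker_first):
    """Replay the scenario from the Duo write-up: an outsider who has learned a
    DEP serial tries to enroll their own device before (or after) the real owner.
    Returns (attacker_result, owner_result)."""
    server = MdmServer(
        dep_serials={"C02EXAMPLE01"},          # constructed serial
        require_user_auth=require_user_auth,
        users={"alice": "correct horse"},       # constructed credential
    )
    attacker = lambda: server.enroll("C02EXAMPLE01")  # knows serial, no credential
    owner = lambda: server.enroll("C02EXAMPLE01", "alice", "correct horse")
    if attacker_first:
        a = attacker()
        o = owner()
    else:
        o = owner()
        a = attacker()
    return a, o


if __name__ == "__main__":
    for auth in (False, True):
        for first in (True, False):
            a, o = outcomes(auth, first)
            print(f"user_auth={auth!s:5} attacker_first={first!s:5} "
                  f"attacker={a.value!r} owner={o.value!r}")
```

Running the four combinations shows the point of the thread: with user authentication off, whoever presents the serial first wins, so a leaked serial lets the attacker enroll and locks the real owner out; with it on, the serial alone gets the attacker nowhere, and at-most-once enrollment still blocks a second claim after the owner has enrolled.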

Thanks for the pointer, some good reasons there to avoid DEP.