
Hey, not sure if this is a particular DEP issue or more so to do with macOS but I'm wondering if you've seen the following.



I'm starting to get a lot of new Macs shipping and while they are added to a particular PreStage, they do not immediately pick up that it's required. The issue goes like so:




  • New employee opens sealed laptop

  • Starts running through Setup Assistant and is prompted to connect to wifi

  • Mac connects and the next screen is the Migration Assistant screen NOT DEP page informing employee that the Mac is to be managed.



If the employee continues, they can successfully set up their Mac without the DEP PreStage being completed or being enrolled in JAMF.



In order for the User to be presented with the DEP Setup Assistant page they must do the following:




  • Start Mac and proceed through Setup Assistant

  • Connect to wifi and click Continue

  • On Migration Assistant page click Back button

  • Connect to wifi again (can be same or different network), then click continue

  • Now they see DEP SA page and are prompted for authentication.

  • Following this, they see all SA steps associated with the assigned PreStage and the Mac is successfully enrolled in JAMF.



I have tested this on 6 brand new 2016 Macs plus several 2013-2015 Macs that have been wiped back to factory with 10.12.2. All exhibit the same issues.



As you can imagine, this isn't great for UI as I need to communicate to make sure to click back then connect to wifi again, or be present for all enrolments.



Any ideas?

Seems like a minor/obvious thing to check - BUT is the PreStage Enrolment configured to auto apply for newly added devices or do you need to go to your JSS and manually select to enable the PSE for each device before you try to build?


Can't speak for anyone else, but ours is set to auto assign for new devices.


I leave the 'location services' splash on at startup... just to be safe and ours run fine now.


We've had this issue too. It was pretty frequent (meaning, bad) with versions of 10.13 prior to 10.13.6 though it still happens sometimes there. Most reliable way we've found to get it working when it happens is to use Recovery to wipe the drive and reinstall the OS. Very annoying.


Same issue here as well. smh.


This is happening in our environment as well, with brand new machines right out of the boxes. We've been DEP enrolled for years, purchasing hardware directly through Apple - our MDM tokens have been recently refreshed, our JSS is set to auto-assign new devices, we've reinstalled OSes from Recovery, Pre-Stage enrollment is stating the device is assigned, and the MDM profiles still don't populate sometimes. Like many folks mentioned above, it could have to do with network latency but we're experiencing this on wired and wireless connections.



When all else fails, setting up the Mac like "normal", creating an administrator account, and running sudo profiles -N in Terminal typically gets the profiles installed. In my experience, next steps vary from there but it's a good place to start if you're at wit's end. We've got 1000+ Macs in our environment and this issue is no fun to run into.


We have this issue periodically. I recreate the prestage enrollment profiles from scratch. Works every time so far.


@smithjw



The times I've seen this happen in our environment, once I've connected to wifi and don't see the Remote Management screen, clicking the 'Back' button, connecting to wifi again, and clicking continue, seems to allow the system to see the PreStage enrollment.


I just opened a case with them for this very issue. I tried recreating the prestage, tried switching from Ethernet to Wi-Fi and going back and reconnecting... It's just not taking it. The funny thing is that I have 4 that worked without a glitch and 4 that aren't playing along, no matter what I try. I've checked the serial numbers on the case against what the MDM has as well as what's in the scope list of the prestage...


@totalyscrewedup Were you given a solution? I think I've tried everything you suggested.


@totalyscrewedup have you heard back at all? We have this same issue with all of our Macs, not just a few, and have tried all the above suggestions.


Just adding in a 'me too' to this thread.



We've had a new shipment of iMacs for our student labs, all connected via ethernet. We went through 23 machines without a hitch, then set up the next batch of 10 machines and 4 of the 10 won't get the MDM screen. So instead, after the 'select keyboard' screen we get the 'Data & Privacy' screen.



I just went through setting one of these failed ones up manually and the 'time' certainly wasn't an issue as it had the correct time. I am now attempting an 'Internet Restore' to see if that triggers the screen prompt.



@totalyscrewedup did you get any resolution to this from your logged case with Apple?



EDIT:
UPDATE: So I tried removing a machine from our JAMF's Prestage Enrolment, then I unassigned it in Apple School Manager. I refreshed our Jamf Cloud server to confirm that the machine no longer showed up in the Scope list. I then once again Assigned it to our MDM Server in ASM. I then refreshed our Jamf server until it appeared in the Scope list and reassigned it to our Prestage Enrolment!
Result: It still wouldn't see the MDM management acceptance screen. Straight to Data & Privacy after the select keyboard screen.



So then I tried the 'Internet Restore' option, erased the Drive and reinstalled macOS. After the long wait for it to install I was then able to see the MDM acceptance screen and the machine was enrolled as expected!
I know this is not a great option for a lot of people, but hopefully it may help some others who only have a few machines failing to be DEP enrolled.



The one interesting thing that came out of this is one of our Network Engineers did a network trace on the machines, both a failing one and one that worked and he could see no difference whatsoever in the network traffic up until the screen after the Keyboard Select screen.
It was only after I clicked on the 'Continue' button on the MDM acceptance screen that he saw any internet traffic. So this raises the question,
"How does the computer know that it can connect to MDM Server to be configured and managed? i.e. what is it actually telling it to bring up that screen, if there is no 'outside' network traffic up until that point?"
I just said it was magic!


I also will add a "me too" to this thread. We have never had the problems with MDM enrollment as we have had this summer. We're a K-12 public school system and "image" our devices every summer. We still call it imaging as that's what all of our teachers and administration know it by. This year however, we have been plagued with 3-4 out of every 10 MacBooks failing to enroll. Deleted computer record, wired, wireless, etc... no difference. So far, the only resolution has been to do another wipe/erase and most of the time that will get it, but other times, no. When you're having to do several thousand laptops, it's extremely frustrating. Jamf support wants us to try outside our network, so that will be the next step for us. The local community college is helping us out with that, so we'll see. Summer break is going to end soon and my team is getting nervous about being able to finish with this added delay.


Ditto for us too. It only fails on a small number of devices for us but works on all the others. Doesn't seem like a network issue. Just put in a ticket.


It was an issue for us as well. Our machines are purchased from Apple so that they are in the DEP. We found that adding the machine to the pre-stage enrolment it was going to be used with, a day before we turned on the machine for the first time, was our workaround.


Just tested it with a hotspot and had the same results. This particular model was in prestage for over 48 hours. So hopefully support can shed some light on this. Fortunately it's not widespread.


We just noticed it today too. Never had trouble like this with DEP at this job or any previous. Just enrolled it manually for now but would be nice to hear a reason. Machines purchased through Apple and verified it was on our DEP and Prestage.


It might be unrelated but if you have



Settings > Global Management > User Initiated Enrollment and the following enabled:
Restrict re-enrollment to authorized users only
Only allow re-enrollment of mobile devices and computers if the user has the applicable privilege (“Mobile Devices” or “Computers”) or their username matches the Username field in User and Location information.



any DEP user-assigned management setup of a device will enrol unmanaged. They can be manually set to managed via Jamf Pro under each device's record. It's not ideal, but Jamf are aware of the bug.


Just want to add that I am also experiencing the same issue as of the time of this response. The MacBook in question has been enrolled in ASM and shown up in the scope settings for PreStage for over 9 days before I turned on the machine for the first time. I have tried to unassign the device in ASM and release the device. I've re-added the device and then reassigned it to ASM with no success. It shows up in Prestage scope as expected but still refuses to pick up DEP settings on boot. Tried it with wireless and wired with no success.



I spoke to Jamf support and they had me set up the device fully and then run



profiles renew -type enrollment


Which obviously works, but defeats the whole point of Zero Touch Deployment. I've asked for my case to be escalated, one of the primary reasons we wanted to go with Jamf was for the Zero Touch deployment features.
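For triaging Macs that finished Setup Assistant without the PreStage, as described in the post above, here is an added example (not from any poster in this thread or from Jamf) that classifies a machine from the output of `profiles status -type enrollment`. That subcommand is not mentioned in the thread and is assumed to be available (macOS 10.13.4 and later); the sample outputs and the `jss.example.com` server are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Sample outputs below are constructed.

# classify_enrollment TEXT
# Prints: dep-enrolled | mdm-only | unmanaged | unknown
classify_enrollment() {
    status_text=$1
    # Pull the value after each label; missing labels leave the variable empty.
    dep=$(printf '%s\n' "$status_text" | sed -n 's/^Enrolled via DEP:[[:space:]]*//p' | head -n 1)
    mdm=$(printf '%s\n' "$status_text" | sed -n 's/^MDM enrollment:[[:space:]]*//p' | head -n 1)
    case "$mdm" in
        Yes*)
            case "$dep" in
                Yes*) echo dep-enrolled ;;   # PreStage was applied
                *)    echo mdm-only ;;       # enrolled by hand, not through DEP
            esac ;;
        No*) echo unmanaged ;;               # Setup Assistant skipped enrollment
        *)   echo unknown ;;                 # unexpected or empty output
    esac
}

# Constructed samples: DEP enrollment, manual enrollment, and a skipped PreStage.
SAMPLE_DEP='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)
MDM server: https://jss.example.com:8443/mdm/ServerURL'

SAMPLE_MANUAL='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)
MDM server: https://jss.example.com:8443/mdm/ServerURL'

SAMPLE_SKIPPED='Enrolled via DEP: No
MDM enrollment: No'

# On a Mac, classify the live machine and point at the workaround from the thread.
if command -v profiles >/dev/null 2>&1; then
    state=$(classify_enrollment "$(profiles status -type enrollment 2>/dev/null)")
    echo "enrollment state: $state"
    if [ "$state" != dep-enrolled ]; then
        echo "PreStage not applied; thread workaround: sudo profiles renew -type enrollment"
    fi
fi
```
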


Again, we too are in the same boat. I have a fresh shipment of MacBook Pros and straight out of the box - they fail to get to the Remote Management screen. If I do an internet recovery (or reinstall macOS from USB) it will connect fine and get the Profile and see the Remote Management screen. We have communication with Apple Education but they are currently "Looking in to the underlying cause".



I have thought that some of the problem is the Auto-Advance part of Setup Assistant. If it connected to the wifi THEN allowed you to leave it connected for a minute, you could then click next at your own leisure, giving it time to check in with Apple time servers and ensure time and everything was correct.



Another part to note is the certificate verification URLs Apple uses aren't directly Apple. Check out this Apple Support Article (Released August 7th 2019) for those of you also behind a firewall and make sure all is allowed out. We had issues where profiles weren't coming down at ALL, and once we allowed the certificate verification URLs through we saw much more success.



Still having inconsistent DEP enrolment, but more consistency now when reinstalling macOS (non-ideal solution).


I have this exact same problem. I have tried what @SmithJ mentioned about connecting to a wireless network, continuing to the migration option and then going back and re-entering the wireless information, but this didn't work for me.



I have also reinstalled the OS without erasing the drive but this didn't work either, so I have just erased the drive and am reinstalling the system again.



Once it's connected I will also leave it for a few minutes to see if that makes any difference.


Adding in that a second MacBook is having the same issue now. Just opened the box for the first time today, made sure it was assigned to the correct PreStage Enrollment, but refuses to pick up anything from Jamf.


Does the Mac exist in Prestage and is it ticked? We've had a couple of Macs which for some reason are DEP but aren't ticked in JSS. After reboot they are usually picked up.


I had a tech report this issue to me a few days ago. I assumed he/she did something wrong. Now I see that may not be the case.



By default we are just opening the box, wiping the hard disk and re-installing the OS.


@tjhall The devices are assigned and ticked off on the correct PreStage. If we wipe them and reinstall the OS it picks up the PreStage info just fine. Only when they come right from the factory do we have issues. Figured they should check against DEP and then against the MDM on first boot (if assigned in ASM or ABM) before kicking off the Setup Assistant, but something happens where it doesn't do that.

