Question

Network Error During Automated Enrollment

  • March 10, 2026
  • 5 replies
  • 60 views

Jerez1lla

I am a jamf admin working on getting our enrollment modernized. Within the last year we got our connection set up with ABM and Jamf so that our devices will have automated enrollment during setup. The issue we are running into is that our company requires all devices on the internal network to be trusted (typically using a certificate).


Since the enrollment is happening during the setup experience, I can't see how there would be a way to get the device the certificate before reaching out to our enrollment server. If we are on internal we get an immediate block. We have to connect it to an external network to enroll.


I put in a request with our security team and after some back and forth I asked if our specific enrollment URL could be allowed access on the network without being trusted. Understandably they are not too keen on this idea. I can’t find anything from jamf on getting around this. Has anyone had a similar experience in their enterprise with anything like this?

5 replies

MusicCityMac
  • Jamf Heroes
  • March 10, 2026

Do you have access to the Mac Evaluation Utility (MEU) to see if your network has any roadblocks to deploying Apple devices? If you haven't run this yet, I highly recommend you do so and take the information from the report back to your security teams to help work out what is needed.

You can access the MEU at the AppleSeed for IT site, which requires a Managed Apple Account. Once logged in, you can find it under Resources in the top-right corner of the screen.


I hope this helps you start to troubleshoot your issue. Best of luck!


Chubs
  • Jamf Heroes
  • March 10, 2026

Ok so your security team should appreciate this…

ADE via ABM/ASM is already hardware attested. However, if you have certificate based TLS (mTLS of sorts), then the workaround here is to have an “open” wifi that’s internet only, connect and provision, drop down the certs required and have a group fill when the certs are showing on the device - then deploy the network configuration to have the device connect to the network. Done and done.


Jerez1lla
  • Author
  • New Contributor
  • March 10, 2026

> Do you have access to the Mac Evaluation Utility (MEU) to see if your network has any roadblocks to deploying Apple devices? If you haven't run this yet, I highly recommend you do so and take the information from the report back to your security teams to help work out what is needed.
>
> You can access the MEU at the AppleSeed for IT site, which requires a Managed Apple Account. Once logged in, you can find it under Resources in the top-right corner of the screen.
>
> I hope this helps you start to troubleshoot your issue. Best of luck!

I’ll try that! Thank you :)


Jerez1lla
  • Author
  • New Contributor
  • March 10, 2026

> Ok so your security team should appreciate this…
>
> ADE via ABM/ASM is already hardware attested. However, if you have certificate based TLS (mTLS of sorts), then the workaround here is to have an “open” wifi that’s internet only, connect and provision, drop down the certs required and have a group fill when the certs are showing on the device - then deploy the network configuration to have the device connect to the network. Done and done.

Doing this we end up in the same situation we're in right now, where I have to flop networks back and forth during the enrollment and setup. I am looking to see how we can get the traffic allowed on our internal network so I can just plug it up and do everything.


  • New Contributor
  • March 27, 2026

A pattern I’ve seen work in “internal network requires client cert” environments is to treat Setup Assistant / ADE as a bootstrap phase:

  • provide an onboarding SSID/VLAN that only allows the minimum Apple + Jamf endpoints needed for ADE/enrollment
  • use that phase to deliver the trust/certs (SCEP/PKI) + your real Wi‑Fi profile
  • then move the device onto the locked-down internal network once the certs are present

Trying to enforce mTLS before the device can even reach Apple’s activation/enrollment services usually forces the network hopping you’re describing.

Checklist / overview of the moving pieces: Swif enrollment methods for all OSs