It just dawned on me after a couple of Airs have gone missing or have been stolen recently that we could use DEP to keep those devices enrolled. The info is certainly out there on how to reinstall the OS and thus remove the jamf binary.
Are there any drawbacks to keeping your computers assigned to a pre-stage enrollment even after being deployed?
So I am having a similar issue with DEP but on the opposite side of things. I run a small IT refurbishing business and we receive a lot of pre-owned Macbook laptops. We fully wipe all the devices again and then restore the OS. However, we have been seeing units that after restoring they begin to prompt to enable the device enrollment process from the previous company.
To test, I used a machine I know is enrolled in the DEP program (it was prompting to start the enrollment process) I reimaged the system and went through the initial setup process again. However, the DEP enrollment does NOT consistently appear. Sometimes it will prompt during the setup process, sometimes it appears at the desktop, sometimes it doesn't appear at all even after several reboots / reimages.
Is there a way to definitive check if a specific machine is enrolled in the DEP program? Perhaps something I can do in terminal to force a machine to start the enrollment process? An online serial number check? If I setup my own DEP account could I check the serial number against it to see if they are eligible to be enrolled? From what I read, it sounds like the devices are enrolled by Apple and not the company that purchases them.
I want to be able to check if a machine is still enrolled BEFORE I purchase the equipment. Obviously, if a machine is still controlled by DEP I do not want to purchase it. I'd want to have the device removed from DEP but from reading the admin guides it seems like only the DEP admin can disavow a device.
Thank you for your assistance!
Sorry to ask again, but am I right in thinking that once the machine is on and running and past the original setup (before DEP was activated) that it will not ask again unless I script it ?
We have some use cases here and looking for more information.
Thanks
J
Would love to know about this too. Is the machine fine after the machine is past the original setup before DEP MDM and PreStage is applied? Or does it periodically call into Appleās servers from time to time?
Have some use cases as well.
Thanks!!
I think the most definitive way to determine the status of a machine, and subsequently unenroll them, is to call Apple. With iPads it takes them a couple weeks if you're able to prove ownership.
As for checking on a machine, I've used sudo /usr/bin/profiles status -type enrollment to check the current status and sudo /usr/bin/profiles renew -type enrollment to trigger DEP checks. If you've got a solid network connection with no firewalls between you and the DEP servers, you should get an accurate report. (At least for us it's always the network that is the wildcard)
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.