MacBooks not Auto-Enrolling - Require being wiped

Kingfisher678
New Contributor II

Many of the MacBooks we purchased are showing as enrolled in Apple Business Manager and assigned to Jamf Pro but not showing up in Jamf unless we manually enroll or wipe them. Curious if there is something that we can do to ensure that we do not have to spot check these before sending them out to the user or if this is just a temporary situation as the inventory is relatively new. 


7 REPLIES

Green_Giant
New Contributor II

Are the machines showing that they are managed? You can verify this a few ways; the easiest is to check whether they have the MDM profile in System Preferences. If it doesn't show in System Preferences, take a look at your prestage in Jamf.

The machines do not show up as being managed until they are wiped or a manual install goes. Policies do not appear to come down until either action is taken. Hopefully this is a backlog situation where after a month or more the devices will automatically start registering.

Fluffy
Contributor III

This has been an issue in the past (for quite a while) as you can see if you want to do some quick reading:

https://community.jamf.com/t5/jamf-pro/dep-prestage-issue-macs-not-picking-up-prestage/m-p/158057#M1...

I do not know of a solution at this time, but there may be a couple of tricks mentioned in that thread which may help. We had an issue last week of not being able to automate enrollment, though that was an issue with our LDAP after a controller was updated.

snowfox
Contributor III

Maybe I'm picking you up wrong but - devices don't auto enrol in Jamf. It's a manual process whether it's Automated Device Enrolment via Setup Assistant or User Initiated Enrolment via web URL.

A reseller will register the serials in ABM for you and you then assign an MDM server to the serial numbers based on model type (Auto Device Assignment) but that doesn't mean they are enrolled in your MDM platform/server. 

Tick the box on your default prestage enrolment to auto add any new device serials pulled down from ABM by the Jamf server. When a device boots up through Setup Assistant for the first time, assuming it is connected to the internet at that time, it should pick up the MDM server for auto configuration and enrolment. If you have auto advance turned on (for macOS 11 devices only, ethernet required), after 30 seconds at the first screen Setup Assistant will skip through the screens itself until it gets to the login window and auto enrol the device in the process.

Unless you are doing each device yourself, a user could turn on the device offline for the first time and skip enrolment completely. Same for UIE via web URL, it's a manual process. If this happens, the device is not enrolled in Jamf. The user will be prompted once every 2 hours by the OS that 'This device can be managed by Jamf' via a pop-in notification message. But there will be no forced enrolment of the device unless the user clicks the message.

Devices don't automatically register on Jamf without going through ADE first.
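The checks described in the replies above (does the Mac have the MDM profile, and did it get there via Setup Assistant/ADE or via the web URL) can be scripted. The script below is an added example, not code from this thread or from Jamf; it assumes the output format of `sudo profiles status -type enrollment` on macOS 10.13.4 and later (`Enrolled via DEP: Yes|No` and `MDM enrollment: Yes (User Approved)|Yes|No`), and the sample outputs it uses off-macOS are constructed to match that format. The classification and the suggested next step for each state are the example's own; `profiles renew -type enrollment` is the built-in command that re-fetches the ABM assignment and shows the "can be managed" prompt the reply mentions.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies a Mac's enrollment state from
# the output of `sudo profiles status -type enrollment` (macOS 10.13.4+), which
# looks like:
#   Enrolled via DEP: Yes
#   MDM enrollment: Yes (User Approved)
# Sample outputs below are constructed to match that format.

# classify_enrollment: reads the command output on stdin and prints one of
#   enrolled-ade         enrolled through Setup Assistant (ADE), trust established
#   enrolled-uie         enrolled manually via the web URL and user-approved
#   enrolled-unapproved  MDM profile present but not user-approved
#   unmanaged            no MDM profile at all; nothing will appear in Jamf Pro
classify_enrollment() {
    dep=no; mdm=no; approved=no
    while IFS= read -r line; do
        case "$line" in
            "Enrolled via DEP: Yes"*)               dep=yes ;;
            "MDM enrollment: Yes (User Approved)"*) mdm=yes; approved=yes ;;
            "MDM enrollment: Yes"*)                 mdm=yes ;;
        esac
    done
    if   [ "$mdm" = yes ] && [ "$dep" = yes ];      then echo enrolled-ade
    elif [ "$mdm" = yes ] && [ "$approved" = yes ]; then echo enrolled-uie
    elif [ "$mdm" = yes ];                          then echo enrolled-unapproved
    else                                                 echo unmanaged
    fi
}

# next_step: the admin action that matches each state, following the advice in
# the thread (re-run Setup Assistant, enroll via web URL, or approve the profile)
next_step() {
    case "$1" in
        enrolled-ade)
            echo "OK: enrolled via ADE; device record exists in Jamf Pro." ;;
        enrolled-uie)
            echo "OK: enrolled via web URL (UIE); device record exists in Jamf Pro." ;;
        enrolled-unapproved)
            echo "Action: MDM profile is installed but not user-approved; approve it in System Preferences." ;;
        unmanaged)
            echo "Action: no trust relationship. Check the ABM assignment with 'sudo profiles show -type enrollment',"
            echo "        run 'sudo profiles renew -type enrollment' to re-fetch it and prompt the user,"
            echo "        or erase the Mac and run it through Setup Assistant." ;;
        *)
            echo "Unknown state: $1" ;;
    esac
}

main() {
    if [ "$(uname)" = Darwin ] && command -v profiles >/dev/null 2>&1; then
        # Run as root on a real Mac; `profiles` needs privileges for full output.
        state=$(profiles status -type enrollment 2>/dev/null | classify_enrollment)
    else
        # Not on macOS: feed a constructed sample so the logic still demonstrates.
        state=$(printf 'Enrolled via DEP: No\nMDM enrollment: No\n' | classify_enrollment)
    fi
    echo "state: $state"
    next_step "$state"
}
main
```

Run it with `sudo` on each Mac before it ships (or push it as a Jamf policy script); the `unmanaged` result is exactly the case described in the question, a serial that ABM has assigned to the Jamf server but that has never completed Setup Assistant or the web URL enrollment.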

Apple Business Manager is sending the devices to the Jamf Server and are auto assigned but do not seem to show up in Jamf until the process kicks off. If the device is wiped it begins the process of going to our pre-stage enrollment and that is assigned to all devices and seems to work no matter how many times you wipe it further. I am trying to find this serial number assignment check box but do not see it in the Automated Device Enrollment or the Pre-Stage Enrollment. Curious if we need to do an Inventory Preload to get around this unless anyone can point me in the right direction.

Inventory Preload - Jamf Pro Administrator's Guide | Jamf

Apple Business Manager is sending the devices to the Jamf Server and are auto assigned but do not seem to show up in Jamf until the process kicks off.

That is correct, they won't. This behavior is by design. The enrolment process installs a certificate and MDM.config file on the machine so they can be managed; until that happens no machine account will appear on Jamf Pro. Every device must go through either the Setup Assistant process (ADE) or be manually enrolled via the web URL (UIE). The whole point of the certificate is to create a trust relationship between the workstation and the server. Never let the ADE certificate expire on the server, otherwise the trust relationship will be lost on ALL of your workstations and every device will have to be manually re-enrolled back into Jamf Pro again, either via a wipe and rebuild or via the web URL. Either way it will be a painful lesson to learn. You could do the inventory preload, but none of the machines will have an established trust relationship with the server if they haven't been through the enrolment process and don't have a certificate & MDM.config file installed.

Sorry, I maybe didn't word my reply correctly previously. I was talking about Auto Device Assignment on ABM. You can go into settings and configure device assignment by model type if you have more than one MDM server, i.e. we have Jamf and Intune. Jamf is assigned for Mac desktop devices and Intune is assigned for iPad devices. You can also go through your ABM device/serial list and assign device serials to an MDM server if required. In a prestage enrolment there is a tick box (under General) to assign new devices to this prestage enrolment. Any existing serials that were not assigned to a prestage enrolment will have to be manually assigned one by one. That can be a pain if you have a lot of them to do.

No machine record will appear in Jamf until the device goes through the prestage enrolment, which won't happen until it goes through the Setup Assistant process or web URL enrolment process.

I hope this is making more sense this time.

You are correct! Thank you for your help! We originally had another configuration set to automatically assign the devices. As we ended up moving away from the original configuration and it got deleted, this did not get checked back on. [Attachment: PreStage.png]