Apple DEP with PreStage Enrollment

mschuring
New Contributor III

I have worked with Apple and have our DEP program set up. We have created the proper connection between Apple and our JSS and have also created the PreStage Enrollments. I also have it set up so that my devices are automatically supervised and registered through our MDM without the option of removing the MDM profile (all things we have been hoping for). However, when I go through the setup process with one of my iPads I am testing, I attempt to set the iPad up as a new iPad, am told that my school will automatically configure the iPad, I choose "Next" and I get the error: "The configuration for your iPad could not be downloaded from "my school". Invalid Profile."
I have looked through every setting I could imagine and do not see the root of the issue. I am wondering if it has to do with the trust certificate and it not being installed, but would assume that is happening in the background as a part of the enrollment. Anyone else had this issue or have suggestions?

1 ACCEPTED SOLUTION

mschuring
New Contributor III

I have played around with it a little more. My problem was in requiring authentication. When I unchecked that box, the iPad finished the enrollment process.

My iPad was running 7.0.4, and there is a note I see now that says that only works with devices running 7.1 or later.

Also, mcarasso, I did verify on my iPad, it reads "This iPad is supervised by (my school)" under the Name field, in Settings/General/About.

45 REPLIES

mcarasso
New Contributor III

I'm glad someone brought this topic up. I've run a few iPads through the PreStage deployment with no problem, yet they never seem to supervise with PreStage checked for supervision. Is there a spot I'm missing where you can add the supervision profile?

mschuring
New Contributor III

Hi mcarasso,
When you look in the Settings/General/About Name field, does it show "supervised by..." underneath the iPad's name? The other place I would check is if it is listed as supervised under the managed tab in Jamf. Did you have to do anything to the iPads before running the PreStage deployment, like verifying they have the trust certificate?

SLSD
New Contributor

Where did you have to not require authentication?

SLSD
New Contributor

Figured it out.

SLSD
New Contributor

Actually, I figured out where to remove authentication, but I'm still getting the exact same error you described in your original post.

SLSD
New Contributor

Okay. I had to disassociate the iPad from Apple Configurator completely and we're good. The only issue is, without using Configurator, how can I get around having to manually enter the WPA2 password for our network?

mschuring
New Contributor III

I believe that you could use Configurator to install the Wi-Fi profile without supervising the iPad. On the setup screen, turn off the toggle to supervise and check the profile that contains your Wi-Fi settings.

SLSD
New Contributor

I tried that earlier, but it seemed like Configurator was still interfering with my PreStage Enrollment... I'll give it another shot.

mcarasso
New Contributor III

I too am seeing similar issues with Apple Configurator and DEP. It more or less feels like you can use one or the other.

CasperSally
Valued Contributor II

I am not near being able to test 9.3/DEP but my Apple rep told me that iPads enrolled in DEP are not going to be recognized by Apple Configurator.

wdpickle
Contributor

We are just looking into this also. However our Apple Rep said it is Configurator OR DEP.

SLSD
New Contributor

The only success I've had was foregoing Configurator completely and then DEP worked like a charm. However, you can't deploy the Configuration Profile without being on WiFi first...and without Configurator, that leaves a manual join.

jschoenrock
New Contributor II

I am having the same issue with regard to the PreStage enrollment and the Require Authentication. When I remove that, it enrolls just fine, but I WANT to require Authentication so that the user is tied to the device for VPP Assignments. Or is there another way to tie the user and the device they are enrolling, without doing it manually in JSS?

freddie_cox
Contributor III

I've also been good at getting this error. What seems to cause it:

  1. Having Authentication Checked on a version of iOS prior to 7.1
  2. Not having PKI/Push Setup

Going through manual enrollment via the self enroll URL usually helps discover if there are issues with certificates or trust.

Regarding supervision - I haven't had any issues with OTA Supervision unless I restore an iCloud backup. The good news is the device is still enrolled, just not supervised.

mr_dent
New Contributor

I've been trying to find where to enable the authentication requirement in the JSS so that my users would be prompted during the DEP PreStage enrollment process. Where would I find it?

--Update--

Got it sorted. You need to have an LDAP connection set up for the option to show up.

afurbee
New Contributor

I'm having the same issue, however I get it whether authentication is checked or not.

All certificates are fine and I can enroll them through Apple Configurator and through the browser just fine.

EDIT: Got it! This article solved my issue: https://jamfnation.jamfsoftware.com/article.html?id=365 Weird though, because I never got that error. Just a heads up for anyone having similar issues.

dboeshart
New Contributor

We are running JSS 9.3 to test DEP pre-stage enrollment. Like many on this page, we received an 'Invalid Profile' error when attempting to download the configuration for pre-stage enrollment on an iPad. The iPad is running iOS 7.1.1 and we received the error whether Require Authentication is checked or unchecked.

The link that Furbee posted above fixed the problem for us. Thanks for finding that fix Furbee!

rbutler
New Contributor

I'm having the same issue as many of you. iPad 2 on iOS 7.1 that has been unsupervised from Configurator. Require authentication is off in the PreStage enrollment profile. I go through the process choosing accordingly and, in my case, manually put in the wireless I want. Eventually I get to the message saying "The configuration for your iPad... Invalid Profile."

I know I'm missing something probably with certificates I'm guessing, not sure.

Mr. Dent:

I can see how LDAP would tie in with this process, especially regarding authentication, but where do you tie in the LDAP for this exactly? Is it in the JSS user groups, if so, what do you do there, if it's not there, what then do you do?

bthomason
New Contributor II

Having a major issue this week where now it says all my Apple Enrollments are invalid. I haven't changed anything, but I tried removing all the iPads from the JSS and creating a new server in DEP, and it's working now.

Kevin
Contributor II

The fix in the article:
https://jamfnation.jamfsoftware.com/article.html?id=365
…solved my issue. However, at first it didn't. I deleted, copied, renamed, restarted and got the same results. I forgot I had to do this on the JSS in my DMZ as well. As soon as I deleted, copied, renamed and restarted that instance of the JSS, I was able to complete the enrollment process.

Just a heads up… If you have more than one JSS, do this to all of them.

CairoJXP
Contributor

For whatever reason, I used that article last week and it seemed to fix the issue with the NSURLErrorDomain - 1012 message I got. For whatever reason it's not working again. We stopped Tomcat and went into it on the Linux and the "dep" folder was nowhere to be found, nor was the AppleCA.pem file! It has gone completely MIA! We even did a search for the specific pem file, but no luck there.

musat
Contributor III

@CairoJXP, this is the same issue we have. That DEP folder doesn't exist, and we are getting the "Invalid Profile" error.

CairoJXP
Contributor

@musat Were you able to find the folder or pem file at all anywhere? We checked our JSS logs and couldn't find when the folder or file had been removed. We're going through backups we have to see if we have it anywhere in there.

musat
Contributor III

@CairoJXP, I just scanned our JSS server and found the DEP folder in a backup from when we upgraded the JSS to 9.31. I have copied over the DEP folder and restarted Tomcat. Now to test to see if this resolved the issue.

We are running the JSS on Linux, so the backup was located in:
/usr/local/jss/backups/tomcat/2014-04-29_08-04-25/tomcat/webapps/ROOT/WEB-INF/frontend/enrollment/dep

CairoJXP
Contributor

We found the exact same thing and we restored the AppleCA and AppleIntermediate pem files to the DEP folder, but nothing's happening with that so far.

CairoJXP
Contributor

@musat knock on wood, but we've got the OTA deployment working again since we did the restore of the pem files and moved them accordingly. Hope it stays this way!

musat
Contributor III

We thought we were back to having issues, but then I noticed that the few that were having problems were not at 7.1. Once updating them those were back to working.

GabeShack
Valued Contributor III

So we are having the same issue but I figured it out. We have a guest network that is treated as an outside connection so it goes through our DMZ'ed casper server. This is causing a problem it looks like. When I connect the device to an internal network it works fine. So I'm not sure what is causing the issue.

Gabe Shackney
Princeton Public Schools

cdenesha
Valued Contributor III

I'm catching up on the threads now that I have time to properly test DEP.

I skipped testing 9.32 after a day when 9.4 dropped. Is this thread still valid for 9.4?

I don't have a tomcat/webapps/ROOT/WEB-INF/frontend/enrollment/dep folder.. in enrollment there is 'enroll' and 'osxenroll'.

In tomcat/webapps/ROOT/WEB-INF/trustanchors/dep I have an AppleiPhoneCA.pem and an AppleRootCA.pem, but the timestamp is from my 9.4 upgrade not from creating the DEP server.

I do have recent .pem files named with my DEP server name and the day I created it in /private/etc/certificate. They are:
myjss.domain.name.guid.cert.pem
myjss.domain.name.guid.chain.pem
myjss.domain.name.guid.concat.pem
myjss.domain.name.guid.key.pem

I *was* able to enroll three iPads running 7.1.2 last night via DEP.. but do have an InvalidPermissionsException error every minute in the JAMFSoftwareServer.log. Perhaps from my first failed attempt at DEP enrollment (trying again was successful)?

I'm not trying to spam the thread, just trying to identify potential issues while still in my test environment.

thanks,

chris
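
A check for the DEP trust-anchor PEM files that the posts above found missing or relocated, as an added example that is not part of any post in this thread and is not Jamf's own tooling. The function name `check_dep_anchors` and the Tomcat-root argument are assumptions; the two relative directories are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: audit the DEP trust-anchor directories named in this thread.
# The relative paths are the two locations the posters quoted; the Tomcat
# root is an argument because it differs per install (assumption).

DEP_DIRS="webapps/ROOT/WEB-INF/frontend/enrollment/dep
webapps/ROOT/WEB-INF/trustanchors/dep"

# check_dep_anchors TOMCAT_ROOT
# Prints one finding per line. Returns 0 only if at least one directory holds
# PEM files and every PEM found parses as a certificate and is unexpired.
check_dep_anchors() {
    root=$1
    found=0
    bad=0
    for rel in $DEP_DIRS; do
        dir="$root/$rel"
        if [ ! -d "$dir" ]; then
            echo "MISSING-DIR $dir"
            continue
        fi
        for pem in "$dir"/*.pem; do
            # An unmatched glob stays literal, so this catches an empty folder.
            [ -f "$pem" ] || { echo "NO-PEM $dir"; continue; }
            found=$((found + 1))
            if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
                echo "UNREADABLE $pem"; bad=$((bad + 1))
            elif ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
                echo "EXPIRED $pem"; bad=$((bad + 1))
            else
                echo "OK $pem $(openssl x509 -in "$pem" -noout -enddate)"
            fi
        done
    done
    [ "$found" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Stand-alone use: sh check_dep.sh /path/to/tomcat
if [ "$#" -gt 0 ]; then
    check_dep_anchors "$1" || exit 1
fi
```

Run it after each JSS upgrade and on every JSS instance, including one in a DMZ, since the thread reports the folder disappearing after an upgrade and fixes being needed on each server.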

psliequ
Contributor III

Reviving this as I'm seeing this issue crop up on iOS 8.3, iOS 8.4 and Casper 9.73.
What happens on new devices enrolled via DEP is that we get the invalid profile error, but cycling back to the beginning of the setup assistant and then trying again results in success.

In all cases we're using self signed certs for the JSS. Interested to hear if others are experiencing the same issue, and particularly if it's only within the last week or so.

Sandy
Valued Contributor II

We also are seeing this. Either going back to the beginning of the Setup Assistant (3 - 15 times) or just letting the device sit on wifi for a few minutes and then they go.
iOS 8.4, JSS 9.7.3
Error occurs across multiple DEP instances, on different SSIDs, in different buildings
Using authenticated and non-authenticated DEP enrollment
Using JSS Built-in CA for certificate.
Checked times are synced: domain controllers and JSS and ext webapp
We are not authenticating with the students but assigning devices in jss after activation
Whitelisted Apple's gateway of addresses going in and outbound on firewall, no ports are blocked
Any other ideas from anyone who has fixed this?

John_Wetter
Release Candidate Programs Tester

We haven't seen this issue @Sandy so I won't be able to help other than to say we have the same setup and have not seen the issue. Most iPads are on 8.3, but there are some 8.4's in there. We are authenticating users also.

Sandy
Valued Contributor II

We blocked the time.apple.com IP addresses (all IPs returned from pinging time.apple.com) on our firewall, and completely fixed this:

New devices enrolling via DEP: we get the invalid profile error, but cycling back to the beginning of the setup assistant and then trying again results in success.

We will now set an internal DNS redirect as others have mentioned to more permanently fix this

weird.

lionelgruenberg
New Contributor III

@psliequ @Sandy We were seeing the same Invalid Profile message during the iOS Setup Assistant. Similar JSS setup using a self signed cert. DEP enrollment on iOS devices was only working 50% of the time and this was infuriating! I spent countless hours renewing certs and testing authenticated/non-authenticated LDAP DEP enrollment Prestage Enrollments -- nothing seemed to decrease the probability of DEP enrollment failing / seeing the Invalid Profile error.

I decided to try setting our JSS server time zone to San Jose, CA (We're located in NJ) and haven't seen the invalid profile error since.

Sandy
Valued Contributor II

@lionelgruenberg @psliequ @john_wetter

I am mystified as to why this whole time server DEP issue was so elusive to figure out. I searched here and everywhere and found no reference to time.apple.com being an issue...
What was the reason, John, that you did the DNS redirect initially? Was it to fix this issue?

We had similar problems last fall with iPad 2's and Apple told us to factory restore our used devices (800 of them) which DID allow us to activate them, but now I'm wondering if it was necessary.... was this the real fix needed?

I finally went down this path after being persistent with my TAM, because I do not really think this is a Casper Suite issue....but since they are the best source for anything Apple, I figured someone else must have been suffering as we were.... and yes.

I am still wondering what the unexpected side effects would be from either resetting my time zone on my JSS servers OR blocking those IPs.

psliequ
Contributor III

Seems to me that logs will all be timestamped in PST, any OS X policies that have do not run schedules or imaging prestages with start/end dates will have to be written in PST. It would also be interesting to see if setting the time zone of the JSS to UTC would also solve the problem. Will also be interesting to see if the problem persists in iOS 9. I agree with @Sandy that this seems to be an issue with the OS and not Casper.
@Sandy, if you have any devices you can test with (I don't currently) get a copy of iOS Console and watch the output as you're attempting an enrollment. This may not work with iOS 8.4 because the device won't trust your computer until you get to the home screen to OK the connection. But, if it does work and you see anything interesting post back the results.

lee_smith
Contributor

So, I have been having a similar issue as described above. I spoke with Korey and Al at JAMF who walked me through the below troubleshooting steps. Thank you Korey and Al!

Issue: "The configuration for your iPad could not be downloaded from "School Name". Invalid Profile."

I tried the following:
1. Unchecked Location Services under PreStage Enrollment.
- This would allow the iPad to set my timezone to CST.
-- Mobile Devices -> PreStage Enrollment -> "Your Enrollment Name" -> Steps to Skip -> Uncheck or leave blank Location Services
2. Checked my certs
- Everything appeared in order
-- Redownloaded and applied Server Token
---- Settings -> Global Management -> Device Enrollment Program -> "Your DEP Name" -> Server Token
3. Enrolled a device manually without issue
4. Deleted and Recreated my PreStage Enrollment (This resolved my issue)

My Resolution: Deleting and Recreating the PreStage Enrollment Profile.
-- It appeared that the anchor profile had become corrupt and could not install

I hope this helps!