Apple DEP with PreStage Enrollment

mschuring
New Contributor III

I have worked with Apple and have our DEP program set up. We have created the proper connection between Apple and our JSS and have also created the PreStage Enrollments. I also have it set up so that my devices are automatically supervised and registered through our MDM without the option of removing the MDM profile (all things we have been hoping for). However, when I go through the setup process with one of my iPads I am testing, I attempt to set the iPad up as a new iPad, am told that my school will automatically configure the iPad, I choose "Next" and I get the error: "The configuration for your iPad could not be downloaded from "my school" Invalid Profile."
I have looked through every setting I could imagine and do not see the root of the issue. I am wondering if it has to do with the trust certificate and it not being installed, but would assume that is happening in the background as a part of the enrollment. Anyone else had this issue or have suggestions?

1 ACCEPTED SOLUTION

mschuring
New Contributor III

I have played around with it a little more. My problem was in requiring authentication. When I unchecked that box, the iPad finished the enrollment process.

My iPad was running 7.0.4, and there is a note I see now that says that only works with devices running 7.1 or later.

Also, mcarasso, I did verify on my iPad, it reads "This iPad is supervised by (my school)" under the Name field, in Settings/General/About.


45 REPLIES

Sandy
Valued Contributor II

We will not edit: skip location services, as it is required for find my iPad and is the one chance we get to make sure students turn this on. Blocking Apple's time servers has completely 100% fixed this for us without making other changes. Not sure if my net admin has set up a DNS re-direct yet or not, probably not. And probably not coincidentally, our Apple Configurator syncing has been WAY more successful since we did this.

John_Wetter
Release Candidate Programs Tester

@Sandy, just out of an abundance of caution, to confirm, you actually have it unchecked, right? The dialog is "skip these" so unchecking it would show the location services. Before iBeacons, the main reason we showed the dialog was for the time zone setting. For the DNS, we don't have a redirect, but the time zone certainly got us back a few years ago. Now, iBeacons also need location services so that really is one that is hard to skip.

Sandy
Valued Contributor II

For Middle School Student rollout, we skip everything (by checking boxes for all) except Location Services and Apple ID and Siri.
I found in testing that even if we did not enable Location Services, we still had the connection issues, but once we blocked the time server IPs on the firewall, the issue IMMEDIATELY went away.

lionelgruenberg
New Contributor III

@lee.smith which time zone are you in?

Sandy
Valued Contributor II

We did the DNS redirect of time.apple.com to our own internal time server, when we discovered that when we blocked the associated IPs we could no longer activate an Apple TV.
Now in our iPad 1 to 1 rollouts we are back to the same issue: we cannot walk through the activation in a timely manner, as we get an error when downloading the MDM enrollment.

To work around this, we take the iPads out and take each one to Enable Location Services, then let them sit for several minutes at that point.
If they sit there for 3-5 minutes, they will proceed with no errors, so we then hand those out to the students.

Most of them start up on Cupertino time, then once we enable Location Services, often after A COUPLE MINUTES the time changes, but not always. On those that do not change while sitting, they change to our time as soon as we click to the next screen.

Sandy
Valued Contributor II

Hot off the presses:

I was provided the following response for a solution.
There’s a new NTP server. time-ios.apple.com. Block this now.