Asking to Enroll a Macbook Pro that is Already Enrolled

AdminHank
New Contributor II

When we attempt to take this MBP to 11.3.1, it gets about an hour through the update and then a screen pops up saying: "com.apple.preferences.configurationprofiles.remoteservice (System Preferences) is trying to enroll you in a remote management (MDM) service"

Macbook was enrolled (by invite) on 4/13. Installation/setup normal through a generic account and then assigned to a user login. It has an MDM Capable User that matches the local login ID. But his credentials don't work, nor does the manager default. Dozens of others are updating fine.

Tried doing this OS update from the usual spot, then from Apple Store, and then through a Self-Service policy. They all loop to this attempt an enrollment when an MDM profile is already there
9a538e7410214afdb63136c58cd67309
. Anyone else seen this?

6 REPLIES 6

jtrant
Contributor III

As the Mac was enrolled via user-initiated enrollment but the Mac seems to be in enrolled in ASM (but not enrolled using Automated Device Enrollment), the user will be prompted to allow remote management causing the prompt you see (as Big Sur requires user authentication for this).

As for macOS not accepting the password, what version of Big Sur is the machine running? Does the user have a secure token?

AdminHank
New Contributor II

The box went out the door with 11.2.3 While in the mail to the employee, they released 11.3, and then a few days later 11.3.1. So it's trying to jump from 11.2.3 to 11.3.1 but always comes around to this box where no login works. But yes it has a token. Didn't work. Keeps looping.

AdminHank
New Contributor II

Interestingly, when trying to get to Safe Mode, it now presents the user account we set up, and an OTHER account. There is no trace of this in SysPrefs --> Users & Accounts. Is this something jamf creates? The Guest account is still set to OFF. Strangely confusing as the whole shop is set up the same way, and we have about 40 laptops updated. Only this one seems to want to re-enroll endlessly.

mainelysteve
Valued Contributor

@AdminHank Other shouldn't be an account it allows you to click on it and do a manual input of the username and password. You probably have an account that's either been hidden or it's UID is below 501.

In System Preferences > Profiles highlight MDM Profile and see if it's been approved since you did an UIE. This is what @jtrant was pointing out above. Launching Self Service might point this out as well If this is truly the source of the problem.

AdminHank
New Contributor II

OTHER "shouldn't be" an account. But it is. Been trying to figure out the "shouldn't bes" with this laptop for days. Still very odd, and no obvious explanation of why it differs from all others. There's nothing in Self Service, though we did try to update from a MacOS update policy there (failed). But thanks for input, I'm happy to get any thoughts on this. The MDM profile is indeed verified. Fine-tooth-combed every aspect of it on the laptop, and on jamf Pro. I finally just deleted the entire MDM profile out of Computer Inventory, and re-invited. Seemed to work again, and able to update to 11.3.1. Still no underlying explanation of why this one particular machine has an OTHER account (or how to delete it now).

mainelysteve
Valued Contributor

I would check directory utility and see if the account is visible there. It's in /System/Library/CoreServices/Applications FYI. Switch over to Directory Editor locate your offending user and have a look.