Posted on 03-30-2016 07:02 AM
Hey guys. Just finished our Jump Start yesterday. We have a few machines we're trying to do a variety of prestage enrollments on for our proof of concept, but we're running into a couple problems.
First, if we've gone through prestage enrollment and wiped the machine clean, how do you make the JSS recognize the machine through DEP but not think it's already completed prestage enrollment?
Second, after deleting our DEP and all things associated with it and re-adding it (we only had one computer in there at the time) we now have the machine showing in the JSS and assigned for prestage enrollment, but we don't get the prompt during the setup assistant. Anybody know why this might be?
Posted on 03-30-2016 07:05 AM
@duffcalifornia in order for a machine to catch a pre-stage, whether a PreStage Enrollment or PreStage Imaging, the machine cannot be in the JSS already. So, if the machine is showing up in the JSS, you just need to delete it from the JSS for it to be picked up in a PreStage. Make sense?
Posted on 03-30-2016 07:16 AM
@stevewood We've done that I think. Here's a screenshot of what our JSS looks like now.
It still won't trigger the "Hey, you have stuff to do!" prompt we got the first time we did the machine.
Posted on 03-30-2016 07:35 AM
@stevewood I'm almost 100% sure that isn't true.
In order for the Mac to pick up the DEP settings it needs to go through SetupAssistant again (and a few other files need to be removed if you're not wiping).
How are you wiping the Mac, @duffcalifornia?
Posted on 03-30-2016 07:46 AM
@jonnydford I just erased the Mac partition in Disk Utility and then reinstalled OS X.
Posted on 03-30-2016 07:56 AM
@duffcalifornia that is the PreStage Enrollment for DEP, but is the machine still in the JSS? So if you take the serial number and do a Computer search in the JSS does the computer show up? If so, try deleting it from there.
Posted on 03-30-2016 08:10 AM
@stevewood No, the serial doesn't return anything.
I think part of the problem is that when I deleted the DEP, it deleted the prestage enrollment settings we set up in Jump Start. When I recreated them, I didn't set the scope to the particular department. Some combination of remembering to set the department for the enrollment settings and/or completely reformatting the drive and reinstalling the OS brought back the DEP enrollment upon going through setup assistant.
Now, say I need to wipe this machine again for test purposes: how do I make the JSS not realize this machine has gone through pre-stage enrollment? I don't want to have to delete it from DEP and re-add it, but if that's how to do it, it's not a big deal I suppose.
Posted on 03-30-2016 08:58 AM
You don't need to delete it from DEP, you just need to delete the Enrollment in JSS. I have attached an image that I hope clarifies this, as I can't think of how to explain it.
In the JSS, Click on Computers and search for the computer (if you don't know the name, just click on search and all enrolled devices will be listed)
Click on the link for the machine you want to delete to get to the Machine details
Then click on the management tab and then click on Wipe Computer
Enter in a six digit code and send the command
I wait for the computer to reboot into Recovery mode in case the command does not work
Once the computer reboots into Recovery Mode, in the JSS, in the same place where I click on Wipe Computer, in the bottom right I click on Delete to delete the computer. This removes the enrollment history of the machine but does not delete it from DEP
Then reformat the HD, install the OS
Double check that the computer you are working with is scoped correctly in a Pre-stage Enrollment in the JSS
Next time you go through Setup Assistant, the machine should notify you that it will be configured by your organization
It should be noted that if the Wipe Command option does not work, you can just delete the computer from the JSS as described above and then reboot the computer into Recovery Mode manually, and as long as it's scoped in your Prestage Enrollment, it should go through Setup Assistant correctly.
Posted on 03-30-2016 09:14 AM
Thanks @coryschumann
Something must be amiss - I've deleted it from the JSS, wiped the machine, it still shows assigned to a Pre-stage enrollment group, but the "download configuration" screen doesn't show up in Setup Assistant.
Posted on 03-30-2016 11:22 AM
Try creating a new pre-stage enrollment and scope the device to that. If you deleted your DEP server configuration in JSS while there are pre-stage enrollments set up in the JSS and then set up a new DEP in JSS, the security certificates will not match and your devices will not communicate with your JSS.
In the past I had a certificate error and ended up nuking my DEP server in JSS. I reconfigured everything and got the JSS and DEP communicating correctly, but the certificate that was assigned in the original pre-stage enrollment was from the nuked DEP server and had the incorrect certificate. I created a new pre-stage with the current certificates and pre-stage enrollment has been working perfectly for me.
Posted on 04-26-2016 05:47 AM
To re-enroll the DEP Computer Without Wiping
In Terminal run the following 4 commands:
sudo rm /var/db/.AppleSetupDone
sudo rm -rf /var/db/ConfigurationProfiles/
sudo rm /Library/Keychains/apsd.keychain
Reboot the machine and re-enroll via DEP
Posted on 07-05-2016 08:17 AM
Have you found a solution to this issue?
I've been having the same issue you described: I can't get the computer to PreStage Enroll if it's already been in the JSS
I've done the following
- removed the computer from the JSS
- reimaged the computer
- cleared out the DEP instance and re-added it
- cleared out any PreStage Enrollment configurations
- unassigned/reassigned the computers to the PreStage Enrollment
It never gets the configuration settings during the Mac Buddy
In the past, we would have this issue and after a few hours it would magically work. But now it never works even after waiting days
Posted on 11-02-2016 12:51 PM
I'm in the same situation. I have used a Mac before to test the settings, I have removed it from JSS and now I can't get it to pick up the JSS configurations again after a full system WIPE. Has anyone found a solution?
Posted on 01-18-2017 04:23 PM
Was running into the same issue here. It's quite annoying but you have to uncheck the computer from the scope of your assigned prestage enrollment, save the change, then re-add the offending computer to the scope.
Posted on 10-03-2017 10:49 AM
@jonnydford This was just what I was looking for when I came across this post. Thank You!
Posted on 11-17-2017 04:49 PM
Anybody else having trouble removing the ConfigurationProfiles directory as per @jonnydford 's 4/26/16 post?
This is on 10.13, so I'm guessing the jacked up protections are preventing its deletion...
Posted on 12-26-2017 06:26 PM
@ChrisJScott-work I had to disable SIP in order to delete /var/db/ConfigurationProfiles
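Added example, not part of any post in this thread: a read-only preflight for the removals listed in the 04-26-2016 post, which also reports SIP status because of the 10.13 deletion failure described above. The function name `dep_reset_preflight`, the `PREFLIGHT_PRESENT` variable and the optional root-directory argument are hypothetical; nothing is deleted.

```shell
#!/bin/sh
# Read-only preflight: report which of the paths from the 04-26-2016 post
# exist, and whether SIP is enabled. Nothing is removed.
# The optional argument (hypothetical) is a root directory, default "/",
# so the check can be pointed at a mounted volume or a test directory.

dep_reset_preflight() {
    root="${1:-/}"
    root="${root%/}"              # "/" becomes "", "/Volumes/X/" becomes "/Volumes/X"
    present=0

    for rel in var/db/.AppleSetupDone \
               var/db/ConfigurationProfiles \
               Library/Keychains/apsd.keychain; do
        if [ -e "$root/$rel" ]; then
            echo "present: /$rel"
            present=$((present + 1))
        else
            echo "absent:  /$rel"
        fi
    done

    # The thread reports that on 10.13 ConfigurationProfiles could not be
    # deleted until SIP was disabled, so show the current SIP state.
    if command -v csrutil >/dev/null 2>&1; then
        echo "SIP: $(csrutil status 2>/dev/null)"
    else
        echo "SIP: csrutil not found (not running on macOS)"
    fi

    # Number of the three paths that exist, for callers that want to test it.
    PREFLIGHT_PRESENT=$present
    return 0
}

dep_reset_preflight "$@"
```

If every path is reported absent and the Mac still skips the DEP screen in Setup Assistant, the local files are not the cause and the PreStage scope or DEP assignment discussed elsewhere in the thread is the next thing to check.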
Posted on 04-21-2018 10:41 PM
We were having the same issue @duffcalifornia . Discovered it was that we had "Restrict re-enrollment to authorized users only" enabled. Unchecking this allowed our DEP re-enrollments to re-run the enrollment policy.
Posted on 08-21-2018 07:35 AM
@kenny.botelho are you removing the computers from your jamfpro server? I don't have re-enrollment restricted and still run into the problem.
Having to remove computers from jamfpro for a re-enrollment is annoying when field techs (who we do not allow to delete) re-install a computer after wiping it. We have hundreds of computers, and having a field tech contact someone each time so this works is not very effective as far as our process goes. We're using jamfpro to eliminate manual steps after all.
Posted on 08-21-2018 08:48 AM
An alternative to deleting the computer from jamfpro to catch the "Enrollment Complete" trigger is to remove the computer from the log of the policies that activate on that trigger. This would save any other log data for the computer that was already on the jamfpro server if you wanted it.
If you do it before doing a wipe and re-enroll it should work fine so long as you're not disallowing re-enrolls.
If you've already done the wipe and re-enroll you can still remove it from the policy logs and manually invoke the trigger on the computer with the command-line tool via sudo jamf policy -event enrollmentComplete
Posted on 08-22-2018 10:59 AM
I'm slightly embarrassed to report this, but I'm hoping it saves someone else some trouble.
In Settings > Global Management > Re-enrollment there is a checkbox for "Clear policy logs on computers" - this unsurprisingly clears completed triggers for policies. I think I must have misread it when going through this settings panel before, because I want to keep historical logs but not previous "active" info from the computer being re-enrolled.
Like I said, I hope this helps someone.
Posted on 09-30-2018 02:16 PM
I had a similar problem, I forgot to tick the "Automatically assign new devices" tick box, then after I assigned the Mac it never enrolled or installed an MDM profile. I tried removing from PreStage scope, saving, then re-adding, but it didn't move.
I got it to kick in by going into Apple Business Manager and un-assigning the Mac from the MDM server, then re-assigning it. I erased the Mac, then on next setup it picked up the Remote Management, installed the required MDM profile and lived happily ever after.