Jamf Nation Community

@stevewood We've done that I think. Here's a screenshot of what our JSS looks like now.

It still won't trigger the "Hey, you have stuff to do!" prompt we got the first time we did the machine.

@stevewood I'm almost 100% that isn't true.

In order for the Mac to pick up the DEP settings it needs to go through SetupAssistant again (and a few other files need to be removed if you're not wiping).

How are you wiping the Mac @duffcalifornia

@jonnydford I just erased the Mac partition in Disk Utility and then reinstalled OS X.

@duffcalifornia that is the PreStage Enrollment for DEP, but is the machine still in the JSS? So if you take the serial number and do a Computer search in the JSS does the computer show up? If so, try deleting it from there.

@stevewood No, the serial doesn't return anything.

I think part of the problem is that when I deleted the DEP, it deleted the prestage enrollment settings we set up in Jump Start. When I recreated them, I didn't set the scope to the particular department. Some combination of remembering to set the department for the enrollment settings and/or completely reformatting the drive and reinstalling the OS brought back the DEP enrollment upon going through setup assistant.

Now, say I need to wipe this machine again for test purposes: how do I make the JSS not realize this machine has gone through pre-stage enrollment? I don't want to have to delete it from DEP and re-add it, but if that's how to do it, it's not a big deal I suppose.

You don't need to delete it from DEP, you just need to delete the Enrollment in JSS I have attached an image that I hope clarifies this as I can't think of how to explain it.

In the JSS, Click on Computers and search for the computer (if you don't know the name, just click on search and all enrolled devices will be listed)
Click on the link for the machine you want to delete to get to the Machine details
Then click on the management tab and then click on Wipe Computer
Enter in a six digit code and send the command
I wait for the computer to reboot into Recovery mode in case the command does not work
Once the computer reboots into Recovery Mode, in the JSS in the same place where I click on Wipe Computer in the bottom right I click on Delete to delete the computer, this removes the enrollment history of the machine but does not delete it from DEP Then reformat the HD, install the OS
Double check that the computer you are working with is scoped correctly in a Pre-stage Enrollment in the JSS
Next time you go through Setup Assistant you the machine should notify you that it will be configured by your organization

It should be noted that if the Wipe Command option does not work, you can just delete the computer from the JSS as described above and then reboot the computer into Recovery Mode manually and as long as its scoped in your Prestage Enrollment, it should go through Setup Assistant correctly.

Thanks @coryschumann

Something must be amiss - I've deleted it from the JSS, wiped the machine, it still shows assigned to a Pre-stage enrollment group, but the "download configuration" screen doesn't show up in Setup Assistant.

Try creating a new pre-stage enrollment and scope the device to that, if you deleted your DEP server configuration in JSS while there are pre-stage enrollments setup in the JSS and then setup a new DEP in JSS, the security certificates will not match and your devices will not communicate with your JSS.

in the past I had a certificate error and ended up nuking my DEP server in JSS, I reconfigured everything and got the JSS and DEP communicating correctly, but the certificate that was assigned in the original pre-stage enrollment was from the nuked DEP server and had the incorrect certificate. I created a new pre-stage with the current certificates and pre-stage enrollment has worked been working perfectly for me.

@duffcalifornia

To re-enroll the DEP Computer Without Wiping

In Terminal run the following 4 commands:

sudo rm /var/db/.AppleSetupDone
sudo rm -rf /var/db/ConfigurationProfiles/
sudo rm /Library/Keychains/apsd.keychain

Reboot the machine and re-enroll via DEP

@duffcalifornia

Have you found a solution to this issue?
I've been having the same issue you described, I can't get the computer to PreStage Enroll if its already been in the JSS
I've done the following
- removed the computer from the JSS
- reimaged the computer
- cleared out the DEP instance and re-added it
- cleared out any PreStage Enrollment configurations
- unassigned/reassigned the computers to the PreStage Enrollment

It never gets the configuration settings during the Mac Buddy

In the past, we would have this issue and after a few hours it would magically work. But now it never works even after waiting days

IM on the same situation. I have used a mac before to test the settings, i have removed it from JSS and now i cant get it to pick up the JSS configurations again after a full system WIPE. Has anyone found a solution?

Was running into the same issue here.. It's quite annoying but you have to uncheck the computer from the scope of your assigned prestage enrollment, save the change, then readd the offending computer to the scope.

@jonnydford This was just what i was looking for when i came across this post. Thank You!

Anybody else having trouble removing the ConfigurationProfiles directory as per @jonnydford 's 4/26/16 post?

This is on 10.13, so I'm guessing the jacked up protections are preventing its deletion...

@ChrisJScott-work I had to disable SIP in order to delete /var/db/ConfigurationProfiles

We were having the same issue @duffcalifornia . Discovered it was that we had "Restrict re-enrollment to authorized users only" enabled. Unchecking this allowed our DEP re-enrollments to re-run the enrollment policy.

@kenny.botelho are you removing the computers from your jamfpro server? I don't have re-enrollment restricted and still run into the problem.
Having to remove computers from jamfpro for a re-enrollment is annoying for when field techs (who we do not allow deletes) to re-install a computer after wiping it. We have hundreds of computers and having a field tech contact someone each time so this works is not very effective as far as our process goes. We're using jamfpro to eliminate manual steps after all.

An alternative to deleting the computer from jamfpro to catch the "Enrollment Complete" trigger is to remove the computer from the log of the policies that activate on that trigger. This would save any other log data for the computer that was already on the jamfpro server if you wanted it.

If you do it before doing a wipe and re-enroll it should work fine so long as you're not disallowing re-enrolls.

If you've already done the wipe and re-enroll you can still remove it from the policy logs and manually invoke the trigger on the computer with the command-line tool via sudo jamf policy -event enrollmentComplete

I'm slightly embarrassed to report this, but I'm hoping it saves someone else some trouble.

In Settings > Global Management > Re-enrollment there is a checkbox for "Clear policy logs on computers" - this unsurprisingly clears completed triggers for policies. I think I must have misread it when going through this settings panel before, because I want to keep historical logs but not previous "active" info from the computer being re-enrolled.

Like I said, I hope this helps someone.

I had a similar problem, I forgot to tick the "Automatically assign new devices" tick box, then after I assigned the Mac it never enrolled or installed an MDM profile. I tried removing from PreStage scope, saving, then re-adding, but it didn't move.

I got it to kick in by going into Apple Business Manager and un-assigning the Mac from the MDM server, then re-assigning it. I erased the Mac, then on next setup it picked up the Remote Management, installed the required MDM profile and lived happily ever after.