Big Sur Remote Enrollment Missing Profiles

PianoDanno
New Contributor II

I have enrolled a computer on OS X 11.4 using Recon's remote enrollment. The computer now appears in my inventory (yay) and is running some policies (yay) and even launches Self Service (yay).

But self service briefly instructs me to approve the MDM Profile. The message vanishes before I can click on "Open System Preferences."

Inside System Preferences, there isn't any selection for Profiles. The button just isn't there.

I also decided to make the profiles available in Self Service. After doing that, they show up in Self Service with the status of "installing".

Any thoughts here?


mainelysteve
Valued Contributor

@PianoDanno I can immediately see that your method of enrollment may not mesh well or at all with Big Sur. I would remove the management record and do a user enrollment (browser). I'm assuming ADE (DEP) isn't set up or available in your environment?

Additionally Big Sur has restrictions on what you can do with loose configuration profiles. Essentially if it's not MDM provided it's not getting installed on that machine.
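A quick way to see which of the two cases above a Mac is in (not enrolled, enrolled but the MDM profile not yet approved, or user-approved) is to parse the output of Apple's `profiles status -type enrollment`. The script below is an added example, not code from this thread or from Jamf; it assumes the two-line output format that command prints on macOS 10.13.4 and later, and the `mdm_state` / `ade_enrolled` function names and the sample text are my own.

```shell
# Classify a Mac's MDM enrollment from the output of `profiles status -type enrollment`.
# Assumed output format (macOS 10.13.4 and later):
#   Enrolled via DEP: Yes|No
#   MDM enrollment: No | Yes | Yes (User Approved)
# Reads that text on stdin and prints one of:
#   not-enrolled, enrolled-unapproved, user-approved
mdm_state() {
    line=$(grep -i '^MDM enrollment:' | head -n 1)
    case "$line" in
        *"User Approved"*) echo "user-approved" ;;        # profile approved in System Preferences
        *"Yes"*)           echo "enrolled-unapproved" ;;  # enrolled, approval still pending
        *)                 echo "not-enrolled" ;;
    esac
}

# Whether the Mac came in through Automated Device Enrollment (ADE/DEP). Prints yes or no.
ade_enrolled() {
    line=$(grep -i '^Enrolled via DEP:' | head -n 1)
    case "$line" in
        *"Yes"*) echo "yes" ;;
        *)       echo "no" ;;
    esac
}

# Constructed sample, as a Mac enrolled by hand but not yet approved would report it.
SAMPLE_UNAPPROVED='Enrolled via DEP: No
MDM enrollment: Yes'

# On a Mac run the real check; elsewhere fall back to the constructed sample.
if command -v profiles >/dev/null 2>&1; then
    status=$(profiles status -type enrollment 2>/dev/null)
else
    status=$SAMPLE_UNAPPROVED
fi

printf 'ADE enrolled: %s\n' "$(printf '%s\n' "$status" | ade_enrolled)"
printf 'MDM state:    %s\n' "$(printf '%s\n' "$status" | mdm_state)"
```

An "enrolled-unapproved" result is the state the original post describes: the device talks to the MDM, but until the profile is user-approved, Big Sur will not let that MDM push further configuration profiles, which is why Self Service shows them stuck at "installing".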

snowfox
Contributor II

As mainelysteve said, there's really only two ways to enroll a device now: Automated Device Enrolment (ADE) (via a prestage enrolment + Apple School Manager etc.) or User Initiated Enrolment (UIE) via yourjamfserverURL/enrol or /enroll.

I would forget about recon and also forget about quickadd packages. Apple's official MDM enrolment methods are the only way forward.

PianoDanno
New Contributor II

@mainelysteve We actually acquired a company and need to enroll their Macs. We have DEP for ours and I want to do a user-initiated enrollment, but our company won't allow me to integrate Active Directory. I'm pretty sure an LDAP is a requirement for that...

Can I use automated device enrollment if the devices were not purchased under our Apple Business account?

Thank you for your responses.

mainelysteve
Valued Contributor

@PianoDanno If the devices aren't in your ABM account then ADE won't be possible until they're added (see @sdagley's post below). LDAP isn't a requirement for it to work, but without it you'll need to either manually stage a computer record before enrollment or do some post-enrollment work to assign a machine to a user (if that's something you do).

You're on the right track, but a user enrollment with macOS these days requires either an emailed invitation or using your enrollment url in a browser on the machine you're enrolling. Using the recon utility isn't recommended, especially with Big Sur.

I assume these machines are already in use and had no management prior?

sdagley
Honored Contributor II

@PianoDanno Depending on where the company you acquired purchased their Macs from it may be possible to have them added to your ABM account. It's not possible for retail sales, but if it was via Apple's Business program or a reseller like CDW or Insight, they should be able to make that change.

Not that it helps at the moment, but macOS Monterey will add support for manually enrolling a Mac in ABM as is currently supported for iOS devices.