Can an M1 Chip be Manually Enrolled W/out DEP

mbayhylle
New Contributor II

So an exec went and got an M1 Chip MacBook Pro without consulting me. It was purchased from a retailer rather than through Apple so it's not in our ASM account (is it possible to add this asset through Apple somehow???).

My primary question is this: Is it possible to manually enroll this device with a Quick Add package? I'm fully upgraded to 10.27 but this is the first M1 device in our environment (for a reason - usually I'm asked before a purchase like this).

6 REPLIES

sdagley
Esteemed Contributor

@mbayhylle You can't use a QuickAdd.pkg, but if you have User Initiated Enrollment enabled they could enroll by using Safari to go to https://your.jss.url/enroll and following the prompts to install the MDM Profile for your org.

Adding it to your ABM account will depend on if the dealer it was purchased from is an ABM-enabled reseller. Just realized you said ASM, not ABM. I don't know if you can add a Mac not purchased from Apple to ASM.

shaquir
Contributor III

Quick Add is no longer supported on Big Sur:

Note: Due to security changes, enrolling computers with macOS 11 or later in Jamf Pro using a QuickAdd package is not supported. Consider the following: macOS 11 or later does not permit the installation of an MDM profile by a script or remote commands as previously initiated by the Jamf Management Framework or QuickAdd package. Running a QuickAdd package on computers with macOS 11 or later attempts to install the Jamf management framework. This allows for policy communication but does not enable MDM communication, preventing configuration profiles and remote commands from working. A CA certificate is no longer downloaded and installed when performing enrollment using a QuickAdd package. It is recommended to use an MDM-first enrollment workflow. This includes Automated Device Enrollment or user-initiated enrollment. In these workflows, an MDM profile is installed first, and later Jamf Pro automatically installs the Jamf Management Framework using an MDM command.

Unless the retailer is able to add it to your ASM after, I believe you are limited to user-initiated enrollment in this situation.

I believe the only difference that you'll have to look into is how Bootstrap Tokens and kexts are handled with non-ABM/ASM-purchased devices.

Apple has documentation on Adding kexts on a Mac with Apple silicon

Device Enrollment

The MDM solution should notify the user they must restart into recoveryOS to downgrade security settings. The user must press and hold the power button to restart into recoveryOS and authenticate as an administrator. Only when recoveryOS is entered using the power button press will the Secure Enclave accept the change of policy. The user must then select Reduced Security, check “Allow remote management of kernel extensions and automatic software updates,” and restart the Mac. Contact your MDM vendor to see if they support this feature.
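A verification step to go with the user-initiated enrollment workflow and the Bootstrap Token point in the replies above: an added shell example, not code from this thread, from Jamf or from Apple, that classifies what `profiles status -type enrollment` and `profiles status -type bootstraptoken` print on a Mac. It distinguishes a device that only got the management framework (framework installed, no MDM channel, shows as unmanaged) from one with an approved MDM profile, and reports whether the Bootstrap Token was escrowed. The line shapes it parses are what those commands print on current macOS as I remember them, and the sample outputs are constructed, so treat both as assumptions; on a non-macOS host the script falls back to the samples.

```shell
#!/bin/sh
# Added example: classify MDM enrollment state from `profiles status` output.
# Line formats assumed from macOS output; sample values below are constructed.

# classify_enrollment reads `profiles status -type enrollment` output on stdin and
# prints one of: ade-approved, uie-approved, mdm-unapproved, not-enrolled
classify_enrollment() {
    dep=no; mdm=no; approved=no
    while IFS= read -r line; do
        case "$line" in
            "Enrolled via DEP: Yes"*) dep=yes ;;
            "MDM enrollment: Yes"*)
                mdm=yes
                # Without user approval, profiles/commands will not be honoured
                case "$line" in *"User Approved"*) approved=yes ;; esac ;;
        esac
    done
    if [ "$mdm" = no ]; then echo not-enrolled
    elif [ "$approved" = no ]; then echo mdm-unapproved
    elif [ "$dep" = yes ]; then echo ade-approved
    else echo uie-approved
    fi
}

# classify_bootstrap reads `profiles status -type bootstraptoken` output on stdin
# and prints one of: escrowed, not-escrowed, unsupported
classify_bootstrap() {
    supported=no; escrowed=no
    while IFS= read -r line; do
        case "$line" in
            *"supported on server: YES"*) supported=yes ;;
            *"escrowed to server: YES"*) escrowed=yes ;;
        esac
    done
    if [ "$supported" = no ]; then echo unsupported
    elif [ "$escrowed" = yes ]; then echo escrowed
    else echo not-escrowed
    fi
}

# Constructed sample output: a Mac enrolled through the /enroll page (not ADE)
# whose Bootstrap Token has not yet been escrowed.
SAMPLE_ENROLL='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'
SAMPLE_BT='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: NO'

# On a real Mac (run as root, since the bootstraptoken query needs it) use the
# live commands; anywhere else fall back to the constructed samples.
if [ "$(uname)" = Darwin ] && [ "$(id -u)" = 0 ] && command -v profiles >/dev/null 2>&1; then
    ENROLL_OUT=$(profiles status -type enrollment 2>/dev/null)
    BT_OUT=$(profiles status -type bootstraptoken 2>/dev/null)
else
    ENROLL_OUT=$SAMPLE_ENROLL
    BT_OUT=$SAMPLE_BT
fi

printf 'enrollment: %s\n' "$(printf '%s\n' "$ENROLL_OUT" | classify_enrollment)"
printf 'bootstrap token: %s\n' "$(printf '%s\n' "$BT_OUT" | classify_bootstrap)"
```

A result of `mdm-unapproved` or `not-enrolled` after a QuickAdd run matches the symptom described in the thread (framework present, device unmanaged); `uie-approved` with `not-escrowed` means the MDM channel works but the Bootstrap Token still has to be escrowed before secure-token-dependent management works on Apple silicon.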

mbayhylle
New Contributor II

Thanks for the reply. Kind of what I thought. I tried enrolling the device in question on JAMF Pro 10.24.2 and it installed the MDM profile, but it still showed as unmanaged and only the serial number was displayed. No policies would run. I ran the upgrade to 10.27 remotely, so I guess I'll try it in the morning.

mark_mahabir
Valued Contributor

I think macOS Big Sur was considered to be fully supported by Jamf after v10.25.x.

Certainly the macOS version number prior to that was reported as 10.16, rather than 11.x. I don’t have any problems with User Initiated Enrollments of Big Sur with machines that don’t appear in Apple School Manager.

jtrant
Valued Contributor

No issues with manual M1 enrollments after 10.25.0, but Jamf now follows an MDM-first approach so QuickAdd is deprecated.

Anonymous
Not applicable

Please check this page. https://apps.apple.com/nl/app/apple-configurator/id1588794674?l=en

"Apple Configurator for iPhone makes it easy to assign any Mac with the T2 Security Chip or Apple silicon to your organization in Apple Business Manager or Apple School Manager so that you can take advantage of Automated Device Enrollment."