Computer not enrolling with DEP

PhillyPhoto
Valued Contributor

Our DEP isn't working in QA (it looks like some ports may need to be opened), so I tried PROD just to play around with DEP. We're currently on 9.81 in PROD and 9.96 in QA (we need to do some backend changed before upgrading). I assigned the test device to our PROD JSS, and got the prompt to configure it on start-up. I entered my credentials and got prompted to create an account. I checked out the profiles, and saw the MDM profile in there, so I figured it was successful.

I checked out the computer record, but the inventory hadn't fully updated (no OS version, hardware info etc). I then created a smart group based on the Prestage Enrollment group, but it didn't show up. That's when I realized it wasn't managed, and checked the machine and the jamf binary wasn't on the device. I had user-initialized enrollment configured as I saw in another thread. The only thing that I could think of, was I had all LDAP users set to enroll institution-owned devices only, but there's no option for that in the Purchasing tab, so I don't know how to define that. I made all LDAP users able to enroll both institution and personal-owned devices now. My ID is part of the admin group anyway, so that shouldn't be the issue.

I re-imaged the device to try with all users able to enroll, but still no go. I got logged in and went through Safari to manually enroll (had to refresh each page in the process and manually download the package before I could run it, but it worked). So, there's something happening with this enrollment process, but I'm not sure if 9.96 will magically fix it or not. Anyone else run in to this type of issue?

29 REPLIES 29

jkuo
Contributor

I also just ran into this issue yesterday, and the only way I could get it to move forward was to manually enroll. Once I manually enrolled, then it added itself to the prestage based smart group and the proceeded with the rest of my DEP workflow. I don't know what happened, nothing has changed on my end.

Edited to add: We're also on 9.96.

esembly4
New Contributor III

I am also on 9.96 and am having the same issue. It is sporadic.

guidotti
Contributor II

Did any of you guys figure this out?
I am trying out Casper in the cloud, and trying out DEP at the same time, and it runs 9.96.
DEP is enrolling the devices - they show unmanaged, and there is no jamf binary present.

I don't know how to fix this.

-Bruce

jared_young
New Contributor II

I am running into this now too. I am on 9.97 cloud based. The only way around I have found is to user-initiate enrollment.

bmortens115
New Contributor III

I am having the same issue with a cloud hosted 9.97 JSS and DEP. The computer seeings the DEP prompt that it will be managed, but then the JAMF binary is never installed, the computer shows in the JSS as managed. Anyone having any success using DEP enrollment?

andykang
New Contributor

I'm having DEP issues today as well. Computer is assiged to a Pre-stage, but does not hit DEP during Setup Assistant.

guidotti
Contributor II

So for our issue I reported in December, I spoke to JAMF.
They mentioned that, in the payload for the DEP Prestage enrollment, don't add anything in the "Account Settings" section.
It will cause the enrollment to stop before the binary is laid down and enrollment with Casper is complete.
He mentioned it's a defect, but I am not sure what the number is.

So we are currently doing the Prestage enrollment with basic settings and using our create-administrator.pkg file like we usually do.

dshepp33
New Contributor III

Seeing this behavior consistently on a couple MacBooks and sporadically on Mini. For me, it sees a configuration and goes into the process of installing it and then bombs out to create computer account. If I do that, it does not install much at all. After a reboot or two, it does show up as managed and has information attached, but it is obviously not complete the way it should be. Have a case open for this but with the impending snow in NC I likely won't get to test/troubleshoot until maybe Tuesday.

DBrowning
Valued Contributor II

Starting seeing this issue Yesterday (23Jan2017) where it was working perfectly last week. I'm on 9.96 on-prem.

I've changed the Prestage to be very minimal and still no luck.

Any help would be greatly appreciated.

kquan
Contributor

I'm also seeing the same thing, was working last week as well. I had a machine i left running over night to see but it looks like nothing had happened in terms of enrollment , etc

tyra_robertson
New Contributor II

Throwing my hat into the ring as well, we started seeing it January 21st and are on 9.96 on premise. We've confirmed with Apple that recently enrolled devices are asking the JSS for a profile but not receiving one. Opening a ticket JAMF.

We are seeing if the manual refresh will help, just did the first refresh about an hour ago. Here's the entry from the Casper Admin Guide:

"Refreshing DEP Instance Information

The JSS allows you to manually refresh information in the DEP instance as needed.

  1. Log in to the JSS with a web browser.
  2. In the top-right corner of the page, click Settings images/download/thumbnails/12988078/Settings_icon.png .
  3. Click Global Management.
  4. Click Device Enrollment Program images/download/thumbnails/12988078/Device_Enrollment_Program.png .
  5. A list of program instances is displayed.
  6. Click the program instance you want to refresh.
  7. Click Refresh.

If there is updated information in DEP, this information is displayed in the JSS."

DBrowning
Valued Contributor II

Ended up working with JAMF Support and come to find out Java was updated on our server which was causing issues. Once we confirmed that Tomcat was looking at the correct version folder for JRE and updated the JCE policy files, everything started working again.

esembly4
New Contributor III

Do we have an answer for this? DEP not enrolling initially is very sporadic.

yippy3000
New Contributor II

I too am having this issue. Laptops are very unreliable about triggering DEP during Setup. We are using Jamf Cloud so don't have any control over Java or anything.

YoshiiZee
New Contributor II

Same issue here...DEP triggers during setup, enter in the account details and then sits on the desktop not doing anything. Used to work prior to 9.97 but we are on a Cloud instance so I can't roll back.

Noticed in the config URL it points to jssinstance/cloudenroll. The link itself doesn't work from a web browser so not sure if that link has modified in anyway.

NobleK
New Contributor II

Hm, we're having issues as well. DEP is configured, Pre-stage is configured, but the MacBooks selected are not triggering DEP during startup. Our instance is cloud based as well. Anyone come across a solution?

steagle
New Contributor III

Same issue here as well. We're on cloud-managed 9.98. Sporadic behavior - Some laptops semi-enroll and appear in Jamf computer list but do not receive the Jamf binary; upon reboot they are fully enrolled. And some DEP laptops do not enroll at all after initial setup.

kquan
Contributor

@steagle im on 9.96 and having a specific weird issue posted here : https://www.jamf.com/jamf-nation/discussions/24237/dep-w-10-12-5-done-from-internet-recovery-account-creation-issue

going up grade jss to see if it changes

steagle
New Contributor III

FYI the Jamf tech support person who is dealing with my case said this is a known bug and to disable the Account Settings payload in order for DEP enrollment to fully complete. This is a little inconvenient for me because I ship new laptops over to our Berlin office where I am relying on DEP to create my admin account and auto-enroll users, as we have no IT support on site there, but I can come up with a workaround. Hopefully this gets worked out soon though because the Account Settings payload is one of the best features of prestage enrollment.

guidotti
Contributor II

I concur with @steagle Once I made that change, it started working again for us.
We currently deploy a pkg to create our administrator account, but a full DEP workflow will change the order of operations somewhat.

bmagistro
New Contributor II

@steagle , thanks for posting this. Had been having this issue, this just saved me a bit of time. Still need to package up the accounts, but this gets my DEP enrollment working (again). Do you happen to know if there is an associated issue number?

For others, can confirm this issue exists on 9.99.2 too.

d_koleg2217
New Contributor II

Same issue here, I would like to skip account creation, but enabling Account Settings payload producing unmanaged Macs. Most likely I will open a ticket with JAMF support.

csa
New Contributor III

Same issue here as first reported by @ jkuo. We are on JSS 9.100.0-t1499435238 hosted version. Support stated that the accounts payload issue was fixed in 9.8 version and the troubleshooting is on-going. Worth it to re-test without the accounts payload just in case. Also seeing that manual enrollment using "jamf enroll -prompt" from the terminal restores functionality and other packages start flowing as they should.
Unfortunately removing the Accounts payload did not work for me.

pueo
Contributor II

Hello All

Is there an update to this issue before I submit a support request?
We are on 9.10 (Hosted).
There is a laptop which will not accept the configuration or enrol into Jamf Pro yet I see the 'Configuration page' during set up. We are not creating accounts using Account Settings, just using the predefined Management Account. I can say it used to work prior to the .10 upgrade.

Ash

csa
New Contributor III

In additional testing for us, configuring anything other than the general tab in PreStaged Enrollment breaks the process. Also the machine if ending up in the "none" site even though a specific site is configured in DEP setup and in the PSE. Support acknowledges this to be an open issue that they are expecting to fix soon.

tfoggi
New Contributor II

Wanted to post this in case it helps anyone else -

Running 9.96 on-prem here.

I've been fighting this same issue off and on for a few days. PreStage enrollments were not completing - machines were being left in an "unmanaged" state with no Configuration Profiles or Policies running on them and no Self-Service installed. I tried everything mentioned above - no dice. What finally worked for me was to disable this setting under the "User Initiated Enrollment" settings:

Restrict re-enrollment to authorized users only
Only allow re-enrollment of mobile devices and computers if the user has the applicable privilege (“Mobile Devices” or “Computers”) or their username matches the Username field in User and Location information

I also granted all LDAP users access to enroll Institutional devices (in "User Initiated Enrollment" > Access tab), which I'm guessing is also necessary, but didn't test without.

I had enabled the "Restrict re-enrollment..." setting previously since it seemed like a good idea to restrict re-enrollments only to users who had that privilege. I was trying to avoid users being able to un-enroll to bypass restrictions, then re-enroll whenever they wanted, and seemed like a harmless setting at the time.

As soon as I disabled this setting, pre-stage enrollments completed as expected, deploying Conf. Profiles and Policies and resulting in a fully managed machine.

Hopefully that helps someone else fighting the same issue.

FOLIO_Admin
New Contributor

We are facing same issue on 10.10 cloud.
So far no luck.

kerouak
Valued Contributor

I just configured a DEP Macbook this morning, We're not cloud based, so maybe it's that?

Gluck!

marcel
New Contributor

@tfoggi what you posted did the job for me. thx.