Posted on 06-25-2018 01:30 PM
We recently started using DEP for our NYC office and we purchased some new machines. I checked deploy.apple.com and checked our prestage on JAMF and the serial numbers were listed as assigned for our ZeroTouch enrolment, but upon booting up the machines, they didn't automatically enroll and manage themselves, instead moving on to the backup screen (setting up without JAMF), so I am unsure what happened.
A reboot and an uncheck/recheck on the Prestage scope fixed the issue, but we don't want to do that for every machine.
Any ideas?
Let me know if you need further info. Much appreciated :)
Posted on 06-26-2018 06:46 AM
Couple things may be going on here. It sounds like the clock is skewed so far from time.apple.com that it isn't allowing the machine to enroll properly. You can boot into recovery mode and open a terminal and do an ntpdate -u time.apple.com.
The other issue is that once the provisioning fails, you have to do some voodoo to get it to a place where it will offer to enroll again. Assuming you're not on 10.13.4 or higher, do the following (after confirming the clock is set correctly):
From single user mode, mount the filesystem as rw and do:
rm -rf /var/db/ConfigurationProfiles
rm -rf /Library/Keychains/apsd.keychain
reboot
It's astounding that Apple doesn't show you the clock during the Setup Assistant.
Posted on 06-26-2018 07:32 AM
Forgot to mention that if you are on 10.13.4 or higher, you'll need to disable SIP and reboot before deleting those two files.