Configurator 2.5 and Enrolling iOS 11 Devices in DEP

EduTech
New Contributor III

With the release of iOS 11 and Configurator 2.5, devices can now be enrolled in your organization's DEP. From what I can tell there is not a guide on how to do this as of yet. Can someone point me in a direction?


byrnese
New Contributor III

Go to the 17 minute mark of this video for step by step instructions:

https://developer.apple.com/videos/play/wwdc2017/304/

georgecm12
Contributor III

I have been waiting for this for a while now. Somehow, we ended up with a non-DEP device in one of our Configurator 2 carts. We're not exactly sure how it happened. Either way, this meant that we couldn't use automated enrollment on that one device.

I just installed Configurator 2.5, did a manual enrollment of the device while adding it to DEP, as shown in the video above.

Once added to DEP, I was able to reassign the device on school.apple.com to my JSS server, add it to the appropriate prestage enrollment, and from then I was able to do a standard automated enrollment on the device, just as if it had always been in DEP.

Very nice work, Apple!

EduTech
New Contributor III

Thank you for the video it is very helpful. The part where I am getting stuck is the Server. We always enrolled ours in the past using a BluePrint with a Certificate. When I try to do the server using https://OurCompanyName.jamfcloud.com/configuratorenroll it errors out. Any idea what the JamfCloud server should be?


byrnese
New Contributor III

You shouldn't need to include a blueprint with an enrollment profile. The enrollment comes from Apple through DEP or Apple School Manager in our case. As long as you follow the steps in the video it works.

EduTech
New Contributor III

Correct, you do have to specify a server as shown in the video, which when you have JamfCloud apparently leaves Jamf baffled as to what the server URL should be...
Not even sure if JamfCloud has a server address.
I have been back and forth with two of their Specialists today, very helpful but we appear stuck....

coreythomas
New Contributor III

So if using Configurator 2.5, it now asks you if you want to "leave remote management". It says that if you click that, it will remove it from DEP. The button will show up for the first 30 days and after that, it will automatically remove from DEP.

Does that mean that if you use configurator to enroll in DEP, it will be removed in 30 days?

EduTech
New Contributor III

CoreyThomas, the new Configurator enrollment has a 30 day grace period within which a device enrolled can still be unenrolled by the user. This is to prevent those situations in BYOD where it gets enrolled but maybe you don't agree with it being locked down as it is your device. After 30 days it is locked to the DEP and the user cannot remove it, but the Admin of the DEP can.

byrnese
New Contributor III

EduTech,

After taking another look at your screenshot, I think you are getting the error because you aren't including the port for Jamf. In our case we used:

https://ouraddress:8443/configuratorenroll

rather than

https://ouraddress/configuratorenroll

That may help.

jmahlman
Valued Contributor

This unfortunately doesn't help the issue I'm having. When trying to add a device to DEP I get the error:

Provisional Enrollment failed error Network communication error. [MCCloudConfigErrorDomain – 0x80EF (33007)]

When I log into deploy.apple.com I have a new "Devices added by Apple Configurator 2" and it does NOT have a Key or Token. Not sure of the process to get that created...

byrnese
New Contributor III

Are you including a working WiFi profile? The one we were using for iOS 8-10 no longer worked and I had to create a new one. I would start there for that error. Just create a new Wifi profile and push it to a device. If that works then try again with the steps in the video.

EduTech
New Contributor III

Hey everyone, I am going to write a setup guide. I'll post a link shortly when it is completed.

mark_buffington
Contributor

@jmahlman - I've seen that (or a similar) error with one device when testing Provisional DEP Enrollment during the beta process. With that issue, Configurator displayed the error, didn't continue enrollment, and didn't add the device to the "Devices added by Apple Configurator" server in Apple's deployment portal, similar to what you observed.

In that instance it did, however, add the device to the DEP account, but some additional work was needed to enroll it. (Other devices completed the process with no issues though.)

Here's what worked then, and may be worth trying:

  • Within the deployment portal, navigate to the "Assign Devices" area, enter the device serial number, and attempt to assign to an existing server.
  • If it worked, then your device made it into your organization's account.
  • Assign it to a PreStage in your Jamf server, and erase it again. It will then go through a DEP enrollment workflow.

Hopefully what I shared above helps for you too!

-Mark

jmahlman
Valued Contributor

@byrnese I am adding a wifi profile, I may have to double check that it has access to Apple.

@mark.buffington I've tried assigning the device in the portal and it doesn't work.

ncarvalheiro87
New Contributor II

Hi all,

Just wanted to share my experience as I was playing with adding existing iPads to DEP. Hope this might help those willing to go this route, or improve my steps further.

  1. Updated/Restored iPads to iOS 11 -- a prerequisite action for adding to DEP.

  2. In Apple Configurator 2.5
    -> Click Prepare Button
    -> Ticked the Option "Add to Device Enrolment Program"
    -> unticked the automate enrolment (I like to set up from the iPad for a true OTA config).
    -> Created a DEP Wifi profile that uses the MacBook Pro Internet Sharing SSID
    -> Configured the remaining steps relating to supervision and iOS steps (I selected: don't show any).
    -> When it asked for the Apple ID to add to DEP, I chose the account that has the 'Device Manager' or 'Administrator' role in Apple School Manager (ASM).

  3. In ASM, go to MDM Server -> Devices added by Apple Configurator 2
    -> Keep an eye on the number of devices added on the "Devices added by Apple Configurator", if it changed from 0, the above action has added the devices into DEP server.
    -> Click on the blue 'download' link next to the device type and quantity added which downloads a csv file.
    -> Open the CSV file, copy the Serial Numbers (first column, row 2 onwards) and use a text editor to format the serial numbers in comma versions, e.g. SN1, SN2

  4. In ASM, go to Device Assignment
    -> Put the formatted serial numbers from the text editor in previous step and put them in the Serial Number textbox.
    -> Below, choose the option 'Assign to server' dropdown, and then on the right my institution Jamf Pro MDM server

  5. In Jamf Pro, go to Mobile Devices and then PreStage Enrolment
    -> Click on the existing PreStage enrolment or create a new PreStage enrolment
    -> Go to scope & click refresh button
    -> Click edit and assign the iPads that have the modified date: "added less than a minute ago"

  6. In Apple Configurator 2.5
    -> Performed another restore onto the iPads and then set up the freshly restored iPad without Apple Configurator, just as you would set up a DEP iPad.
    -> This step was to remove any supervision profiles that were applied during the prepare stages; the idea is to see the "Activating iPad" message -- and if you performed steps 3 to 5 correctly, you should see "Looking for configuration/Downloading Configuration" and then the "Remote Management" screen showing up -- this means DEP is working and applied.

My PreStage enrolment has user authentication to an Active Directory, so when an AD account is used, e.g. a student account, it gets assigned to the iPad record in Jamf along with Department, Job Position, Building info etc., which triggers all the Apps and configuration profiles that have been scoped to the Department/Smart Group.

This has worked pretty well for me. My 2 cents of experience.
(Apologies for the long post)

EDIT: If only there was an option to add MacBook/iMacs to the DEP servers.

Thanks,
Nuno Carvalheiro
Pymble Ladies College - Technical Support Officer
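Step 3 above copies the serial numbers out of the CSV that ASM offers for "Devices added by Apple Configurator 2" and hand-formats them as a comma-separated list for the Device Assignment box. The script below does that part for you; it is an added example and not part of ncarvalheiro87's post or anything Apple or Jamf ship. The sample CSV content (header wording, serial numbers) is constructed here, and the only thing relied on is the column position the post describes: first column, row 2 onwards. Blank rows, duplicates and a leading BOM (common in downloaded CSVs) are handled so a stray line cannot turn into a bogus serial in ASM.

```python
import csv
import io
import sys

# Constructed stand-in for the CSV downloaded from Apple School Manager.
# The header text and the serial numbers are made up for this example;
# only "serials live in column 1 from row 2 onwards" is taken from the post.
SAMPLE_ASM_CSV = """\ufeffSerial Number,Model,Date Added
EXAMPLESN01,iPad,2017-10-31
EXAMPLESN02,iPad,2017-10-31
EXAMPLESN01,iPad,2017-10-31

 examplesn03 ,iPad,2017-10-31
"""


def serials_from_asm_csv(text):
    """Return the serial numbers in column 1, row 2 onwards, cleaned up.

    A leading UTF-8 BOM and surrounding whitespace are stripped, blank rows
    are skipped, duplicates are dropped while keeping first-seen order, and
    anything that is not plain alphanumeric is rejected rather than pasted
    into ASM by accident.
    """
    reader = csv.reader(io.StringIO(text.lstrip("\ufeff")))
    rows = list(reader)
    seen = set()
    serials = []
    for row in rows[1:]:  # row 0 is the header line
        if not row or not row[0].strip():
            continue
        serial = row[0].strip().upper()
        if not serial.isalnum():
            raise ValueError(f"unexpected serial number value: {row[0]!r}")
        if serial in seen:
            continue
        seen.add(serial)
        serials.append(serial)
    return serials


def format_for_device_assignment(serials):
    """Comma-separated form the post pastes into the Serial Number box (e.g. SN1, SN2)."""
    return ", ".join(serials)


if __name__ == "__main__":
    # Pass the downloaded CSV path as the first argument, or run with no
    # arguments to see the constructed sample processed.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            content = fh.read()
    else:
        content = SAMPLE_ASM_CSV
    print(format_for_device_assignment(serials_from_asm_csv(content)))
```

Run it against the real download (`python3 asm_serials.py devices.csv`) and paste the single output line into the Device Assignment text box in step 4.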

jmahlman
Valued Contributor

"Created a DEP Wifi profile that uses the MacBook Pro Internet Sharing SSID"

Creating a shared SSID is a damn good idea for networks that require MAC enrollment.

jmahlman
Valued Contributor

Just an update, I got this to work following @ncarvalheiro87 's advice. I originally wasn't having success because of our network blocking communication.

Thanks!!

mohammedsirkhot
New Contributor

Good Afternoon All

I hope someone can help me as I am struggling a bit with Apple Configurator 2.5. After I prepare the device it gives an error when it tries to activate iOS on the iPad. Please see picture below.

Much appreciated

ross_burdick
New Contributor II

Our web filter was the culprit in our setting when enrolling/preparing devices. When they rolled out iOS 11, they must have changed the site that devices use and it isn't open for us. Waiting on my network admin to find out which sites need to be opened in order to get it to work properly. Using an iPhone and cell network as a workaround right now to get my devices enrolled.

Graeme
Contributor

We found we had to open ocsp-ds.ws.symantec.com.edgekey.net and exclude it from any https inspection. iOS 10 worked fine without it open but iOS 11 didn't.

Regards
Graeme

jared_f
Valued Contributor

I just saw this - very exciting. I have so many non-DEP devices from before we started our Apple Custom Store account. Giving this a test run currently.

maurits
Contributor

late to the party, but my blog post has screenshots of the process: https://www.lai.nl/en/add-ios-devices-dep-account/

I had the same error @mohammedsirkhot had, where the device is already in (some) DEP account.

coreythomas
New Contributor III

So I was able to successfully enroll a device through Configurator, but it doesn't seem to actually add the device to DEP. It does enroll and supervise, but it's nowhere to be found in DEP. Is that normal?

lachlanharris
New Contributor

Hi there
Thanks for all the help in this thread. Unfortunately we're still getting the

MCCloudConfigErrorDomain – 0x80EF (33007)

error. Our network is not blocking any of the ports, and we can't enrol or disown the device from the DEP portal. My only thought is that the device is enrolled in some other DEP account, not ours.

Is anyone able to provide further assistance? Thank you @maurits for the guide, unfortunately we still can't add the device.

Thank you!

jared_f
Valued Contributor

@lachlanharris Try deleting Configurator and re-installing it. Make sure you add back any organizations, servers, and supervision identities when setting up your new configurator instance.

mohammedsirkhot
New Contributor

thanks a lot @maurits I will try your screenshots and let you know

chriscollins
Valued Contributor

Anyone know if you can add a device again after a person clicks the leave remote management button at the setup assistant on a provisional DEP enrollment?

We have this working fine but one of our techs clicked that button on one of the devices we were using to test by mistake and it dropped out of DEP as expected but now we can’t add it back. Curious if it’s the same as when it’s a vendor/regular DEP device and you drop it from DEP and it’s gone forever or if there is a “cool down” period before you can provisionally add it in to DEP again through Configurator.

lachlanharris
New Contributor

Thanks for the suggestion @jared_f .

With further testing, we found the issue was fixed when we included a Wi-Fi configuration profile to our network. Thanks to those above for the suggestions to do this.

For anyone out there with similar problems, note that it is essential for the devices themselves to connect to the network to complete the enrolment. They don't do this via the USB, they need an independent connection. So unless you have a cellular-based iPad with SIM and connection to the Internet, you must add a configuration profile in the step where it asks you to.

This resolved the

MCCloudConfigErrorDomain – 0x80EF (33007)

error for us. As such, this error may not pertain to whether the device is already enrolled - unless it means both. We tried to unenroll the device with the error returning that it was "NOT_ACCESSIBLE", i.e. it could have been enrolled in another DEP account, but this was not so as the issue was fixed by the above.

jkosowski
New Contributor II

@chriscollins We were intentionally testing this same thing, (also asked our Apple SE) and were able to remove device from management (i.e. remove from DEP) and re-add to DEP again using the same workflow.

Note: when you click "Prepare" in Configurator to manually add to DEP a 2nd time, and you're presented with the various checkboxes, we were unable to re-add to DEP a 2nd time with the option to "Activate and complete enrollment" unchecked. Per https://help.apple.com/configurator/mac/2.5/#/cad99bc2a859, "enable “Activate and complete enrollment” if you have an existing device that already has a record in, and is managed by, your MDM."

The way I read that, you'd want to check this box only if the device in question was already enrolled in your MDM and you were simply adding it to DEP. But in our testing, it only worked to re-add a device to DEP for a 2nd time that the "leave remote management" button was tapped on if “Activate and complete enrollment” was checked too.

russeller
Contributor III

We were getting the same "Provisional Enrollment Failed" error, but only with AppleTV (4th Gen). iPads work fine. It's the craziest thing.

Malcolm
Contributor

At first glance, the underlying issue is that Apple have moved some of their DEP enrolment servers that are resolving to *.apple.com domains to the 23.0.0.0/8 range, which is Akamai Technologies.

As I found, our firewall has been struggling with iOS 11 with DEP.
Here is a list of domains an iPad hit upon attempting to process DEP (non Apple Configurator 2 enrolment method):

init.ess.apple.com
init-p01st.push.apple.com
init-p01md.apple.com
init.ess.apple.com
sr.symcd.com
s2.symcd.com
gspe35-ssl.ls.apple.com
gspe21-ssl.ls.apple.com
gspe1-ssl.ls.apple.com
configuration.apple.com
sr.symcd.com
init.itunes.apple.com
bag.itunes.apple.com
cf.iadsdk.apple.com
init.itunes.apple.com

And because my firewall won't work on domain names and only IPs, this could be an ongoing battle, as I can't just work with wildcards or just approve 17.0.0.0/8 which we have done in the past.

Frustratingly, I tried doing the Apple Configurator 2 enrolment method off of my phone internet, but it still wouldn't proceed past the error: MCCloudConfigErrorDomain – 0x80EF (33007)
Presumably, this could be a time setting issue as enabling location services on the device is no longer a prompt in iOS 11 it appears. Or it simply isn't available in some countries yet. (Australia being me)

Malcolm
Contributor

Managed to get past MCCloudConfigErrorDomain – 0x80EF (33007). The iPad we were using, although new, had already been DEP enrolled by another onsite tech. Still working my head around how to use a wifi profile for the enrolment and then have the MDM remove the wifi profile later on. Also, the last attempt, while using user credentials, didn't assign the user to the device, is this a bug?

riverajo
New Contributor II

We got iPads in DEP, we have authentication required so our users are given the iPads in a restored state, they log in with LDAP creds which then populates user info in JSS. Now, if a user leaves and the iPad needs to be assigned to another user, how do we get the iPad back to that user auth page to adjust the user data in JSS? It would be great to be able to send a command to the iPad from JSS to do this.

We used wipe, but that just restored it and it skipped the user auth part, I’m guessing because that data is already on JSS? I tried with a different iPad by wiping and deleting it, but that just lost all management and required usb connection to prepare again.

Anyone found a more efficient way to assign an iPad to another user and require that user to sign into the iPad and have those credentials update JSS?

Graeme
Contributor

I run a script that gets the iPad assignments from our job management system (Disco discoict.com.au) and the export from our school management system (the UserCreator export) to assign the iPads to users in Jamf Pro and rename the devices to include their name.

If you are willing to get your "hands dirty" with python it could be changed to get its data from any text file.

Regards
Graeme
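For anyone in riverajo's position who wants to update the user on an iPad record without wiping it, the approach Graeme describes (feed a text export into a Python script that updates Jamf Pro) looks roughly like the example below. This is an added example, not Graeme's script and not code from Jamf: the tab-separated export, its column names and the server/account placeholders are constructed here, and the Jamf Pro Classic API call it targets is `PUT /JSSResource/mobiledevices/serialnumber/{serial}` with a `<mobile_device><location>…</location></mobile_device>` body. Only the location block is sent, so nothing else on the record is touched, and rows without a username are skipped so an empty cell in the export cannot silently clear an assignment. The device rename Graeme mentions is left out because the exact element for that is not shown on this page. Use a dedicated API account limited to reading and updating mobile devices rather than an admin login.

```python
import base64
import csv
import io
import urllib.request
import xml.etree.ElementTree as ET

# Constructed tab-separated export standing in for the job-management and
# school-management exports mentioned in the post. The column headings are
# this example's own choice, not a real Disco or UserCreator layout.
SAMPLE_EXPORT = """serial\tusername\trealname\tdepartment
EXAMPLESN01\tjsmith\tJane Smith\tYear 7
EXAMPLESN02\tbjones\tBob Jones\tYear 8
EXAMPLESN03\t\t\tYear 9
"""

# Placeholders: point these at your own server and a dedicated API account
# whose privileges are limited to updating mobile device records.
JAMF_URL = "https://jamf.example.invalid:8443"
API_USER = "api-assign"
API_PASSWORD = "changeme"


def parse_assignments(text):
    """Map serial -> location fields from the export, skipping rows with no user."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    assignments = {}
    for row in reader:
        serial = (row.get("serial") or "").strip().upper()
        username = (row.get("username") or "").strip()
        if not serial or not username:
            continue  # an empty username would clear the assignment, so leave it alone
        assignments[serial] = {
            "username": username,
            "real_name": (row.get("realname") or "").strip(),
            "department": (row.get("department") or "").strip(),
        }
    return assignments


def build_location_payload(fields):
    """XML body for PUT /JSSResource/mobiledevices/serialnumber/{serial} (Classic API).

    Only the <location> block is included, so the rest of the record is untouched.
    Element names follow the Classic API's location subset.
    """
    root = ET.Element("mobile_device")
    location = ET.SubElement(root, "location")
    for key in ("username", "real_name", "department"):
        ET.SubElement(location, key).text = fields.get(key, "")
    return ET.tostring(root, encoding="unicode")


def assign_user(serial, fields, dry_run=True):
    """Send the update, or with dry_run=True return the URL and body that would be sent."""
    url = f"{JAMF_URL}/JSSResource/mobiledevices/serialnumber/{serial}"
    body = build_location_payload(fields).encode("utf-8")
    token = base64.b64encode(f"{API_USER}:{API_PASSWORD}".encode("utf-8")).decode("ascii")
    request = urllib.request.Request(
        url,
        data=body,
        method="PUT",
        headers={
            "Content-Type": "text/xml",
            "Accept": "text/xml",
            "Authorization": f"Basic {token}",
        },
    )
    if dry_run:
        return request.full_url, body.decode("utf-8")
    with urllib.request.urlopen(request, timeout=30) as response:
        return response.status, response.read().decode("utf-8")


if __name__ == "__main__":
    # Dry run over the constructed sample: prints each request, sends nothing.
    for serial, fields in parse_assignments(SAMPLE_EXPORT).items():
        url, body = assign_user(serial, fields, dry_run=True)
        print(url)
        print(body)
```

Run it as a dry run first and compare the printed bodies against a couple of records in Jamf Pro before switching `dry_run` off; the same parse function can be pointed at any text export by changing the delimiter and column names.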

Malcolm
Contributor

I've been working through my bugs with this process... and finally came up with a solution, which I thought I would share here as it may come in helpful for some.

Scenario:
We use wifi authentication via profiles assigned through Jamf Pro, which will assign their wifi against their username and password, using a wildcard and a generic password for all students.

The reason for this method is that it individualises the connectivity on the wireless LAN controller, so we can locate devices easier, but it also passes authentication against our proxy, as our proxy will assign proxy access based on wifi user auth.

The problem was generated through the manual enrolment DEP AC2.5 process: the profile we created in AC2.5, which has a specific user assigned to it to connect wifi, would also then get absorbed by the MDM profile, preventing it from being removed at a later date, and as a result the device did not have the correct wifi user.

In the past it appears the method around this was to set a self-removing profile, but as it gets absorbed by AC2.5 this doesn't seem to remove on its own. This never seemed to work for me anyway.

As we are using WPA2 Enterprise we can't wifi share our macOS connection via lightning bolt and pass the requirement for the internet access, which has been a bypass for some.

And the Jamf Pro generated profile won't work with wildcards in AC2.5.

To resolve the issue, I duplicated our wifi profile within Casper, and renamed it with "manual DEP" at the end.
I then didn't scope the profile to anyone, and also excluded all managed devices.

This allows the MDM to recognise that the profile shouldn't be on the device if it is found.

Then I downloaded the profile, collected the profile identifier code, and created an AC2.5 version for a generic user auth wifi profile, to be used during the enrolment process.

This allows our iPads to go through the manual enrolment process, and then recognise that the profile is incorrect and remove it, which then allows us to connect the wifi manually and receive the correct profile.

It's not the best solution, but it works.

I am also looking at sharing the internet access option, with a wired desktop over my laptop.
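The trick in Malcolm's post is that the profile loaded through AC2.5 carries the same profile identifier as the duplicated, unscoped Jamf profile, so the MDM treats it as its own and removes it after enrolment. The script below shows that part as an added example (not Malcolm's own tooling, and not code from Jamf or Apple): it reads the PayloadIdentifier out of the downloaded Jamf profile, builds a Wi-Fi .mobileconfig for Configurator that reuses that identifier, and checks the two match before you import it. The sample Jamf profile, the identifier, the SSID and the credential are all constructed placeholders; the Wi-Fi payload keys (`com.apple.wifi.managed`, `SSID_STR`, `EAPClientConfiguration`, EAP type 25 for PEAP) are Apple's documented configuration profile keys. Note that the enrolment profile holds the EAP username and password in cleartext, which is exactly why only a generic, low-value account belongs in it and why it should be removed once the real per-user profile lands.

```python
import plistlib
import uuid

# Constructed stand-in for the Wi-Fi profile downloaded from Jamf Pro. A real
# download carries many more keys; only the top-level PayloadIdentifier is read.
# The identifier, UUID and names are placeholders for this example.
SAMPLE_JAMF_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.school.wifi.manualdep",
    "PayloadUUID": "6A1F2B3C-0000-4000-8000-000000000001",
    "PayloadDisplayName": "Student Wi-Fi manual DEP",
    "PayloadContent": [],
})


def profile_identifier(profile_bytes):
    """Top-level PayloadIdentifier of a .mobileconfig (XML or binary plist)."""
    return plistlib.loads(profile_bytes)["PayloadIdentifier"]


def build_enrolment_wifi_profile(identifier, ssid, username, password,
                                 display_name="Wi-Fi (manual DEP enrolment)"):
    """Build the Wi-Fi profile for Apple Configurator, reusing the Jamf identifier.

    Because the identifier equals that of a Jamf profile which is scoped to
    nobody and excludes all managed devices, the MDM sees an installed profile
    it does not want on the device and removes it after enrolment. The EAP
    credential sits in cleartext in this file, so it must be a generic account.
    """
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{identifier}.wifi",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Wi-Fi",
        "SSID_STR": ssid,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [25],  # 25 = PEAP
            "UserName": username,
            "UserPassword": password,
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,  # must equal the unscoped Jamf profile's identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadRemovalDisallowed": False,  # the MDM has to be able to take it off again
        "PayloadContent": [wifi_payload],
    }
    return plistlib.dumps(profile)


def identifiers_match(jamf_profile_bytes, enrolment_profile_bytes):
    """Pre-import check: both profiles carry the same top-level identifier."""
    return profile_identifier(jamf_profile_bytes) == profile_identifier(enrolment_profile_bytes)


if __name__ == "__main__":
    ident = profile_identifier(SAMPLE_JAMF_PROFILE)
    enrolment_profile = build_enrolment_wifi_profile(
        ident, "SchoolWiFi", "generic-enrol", "placeholder-password")
    if not identifiers_match(SAMPLE_JAMF_PROFILE, enrolment_profile):
        raise SystemExit("identifier mismatch: the MDM would not remove this profile")
    with open("manual-dep-wifi.mobileconfig", "wb") as fh:
        fh.write(enrolment_profile)
    print(f"wrote manual-dep-wifi.mobileconfig with identifier {ident}")
```

Point `profile_identifier` at the profile you downloaded from Jamf Pro instead of the sample, then import the written .mobileconfig into Configurator's profile list and select it in the Wi-Fi profile step of Prepare.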

MikeT
New Contributor III

(Below for Jamf Cloud Hosted only)
In addition to the above information the below may help jamfcloud customers that are still having issues. It could be because we have a dedicated jamfcloud instance, not 100% sure. The main takeaway from the below is the URL name being different for the MDM URL setting.

From working with Jamf Support this morning:

First, we select the device in Apple Configurator and hit the Prepare button. We chose to perform a Manual Enrollment, Assign the Device to DEP, and allowed the device to pair with other computers.

When prompted for the URL for your MDM server, since you are a cloud customer, we had to use the following URL format (This is not our Jamf cloud web URL login, etc).

https://instancename-mdm.jamfcloud.com/mdm/

For example our normal Jamf Cloud server URL is https://instancename.jamfcloud.com:8443/ (we had them change it to 8443 on our dedicated hosted Jamf Cloud server due to a cloud hosted content filter, in order to bypass via a GRE Tunnel to Zscaler). Jamf Support said this was a little different for cloud hosted customers: use this instead for this process, replacing instancename with your instance name, "including" the -mdm.

Example:
https://eastracademy-mdm.jamfcloud.com/mdm

(For example in this case the normal login URL would be https://eastracademy.jamfcloud.com:8443/)

They had us remove the 8443 from the end even though our server is setup this way.

It will give an error when you click next but continue. You know it worked if it asks for your certificate which would be *.jamfcloud.com

Select a WiFi profile you have created previously and tested.

Create the login to your DEP/ASM in the next steps.

If you prepare and run this, your iPad should reboot during activation and show up in the Apple Configurator MDM in your ASM. Then just assign that serial # to your Jamf and roll on.

I didn't go into extreme detail since all has been explained above. Mainly the instancename-mdm.jamfcloud.com was the ticket for our issue.

Jamf support mentioned they have been running into random glitches with this and some customers may have an issue that another does not with bringing a non DEP iOS device into the fold.

MikeT
New Contributor III

We had one iPad with the MCCloudConfigErrorDomain – 0x80EF (33007) error: the iPad that was accidentally disowned that was in our DEP previously. If it has ever been in anyone's DEP previously, the Configurator 2.5/iOS 11 method to get it back into a DEP/ASM will not work according to AppleCare. So in theory if you had some iPads/iPods donated from another school system or business that had them in DEP, even though they disown them it will not allow them back into DEP at this time (10/31/2017). However they did take the serial # and I took a picture of the back of the iPad and uploaded it to the AppleCare ticket, but he didn't hold out much hope it could be added back into any DEP account.

mlarsen
New Contributor II

We have a locally hosted Jamf Pro installation and the issue I'm seeing with trying to enroll the devices via Configurator is that the devices will get up to the Remote Management screen and eventually just return "The request timed out". Anyone else seen this?

Malcolm
Contributor

@MikeT I came across that one also, with one enrolled within our own DEP; even removing it won't work, as I believe it has to be disowned by the original purchaser before it will work. Which in a school environment may occur, as I initially never disowned devices but rather unmanaged them through the DEP portal, so that in the event the student came back, or a separate issue of ownership arose, I could re-enrol it, locking it back into our infrastructure.

This from the look of it will never have a solution, or at least for several years. e.g. if they built an interface in the start up saying who the device belongs to, so the matter can be requested through the original purchaser.

pueo
Contributor

Hello All
So it was an interesting experience using AC2.5 and an iPhone 8. I read the above post and followed @ncarvalheiro87. I followed the documentation until I got to the Server and MDM URL. I then found the other post by @MikeT as we are using JamfCloud and changed my URL to suit. I received errors, made some modifications (removed the -mdm from the URL) and got through to the next screen. I entered our School's Apple ID to connect to our ASM and continued with the process.
After that I really don't know what happened, errors on the phone, errors on AC2.5 after completing 14 of 16 steps. I decided to redo it all and had the same experience. After a 2nd failure I checked DEP and the iPhone was there. After wondering WTF, I disconnected the phone, wiped it and now I can use DEP to manage it.

I kinda wish the process was 'cleaner' if that makes sense. I think after I entered the School Apple ID and the phone went through the first few steps, that's when it registered with DEP. After that, it does not matter for us as we do not use AC here.
Anyway, I don't know if I was much help, but thought I would add my 2 cents.

Cheers
P.

*UPDATE: Completely failed. The SN did not appear in Jamf even after refreshing the DEP menu. Went back to ASM, tried to re-add the SN and received a Not Accessible error. Back to AC2.5 and a phone call to AppleCare.

Hello All

I had another attempt at self enrolling via AC2.5 and DEP. This time I had more success.
Here is the rough process:

Insert SIM card
Connect iPhone to AC2.5
Click 'Prepare'
Fill out all details - Server, URL etc.
AC shows 'Preparing "iPhone"'
Phone is showing 'Select WiFi and Syncing information'
At this point I checked ASM and it showed a Device added to ASM.
Downloaded the CSV
Assigned device to institution. Checked Jamf Prestage.
Refreshed
It worked this time - Device SN was in Prestage. Ran a DEP Test and it worked fine.
Deployed to User.

Yesterday I did the same steps and the SN disappeared from ASM.