Corporate devices without DEP are at risk - how to enrol in DEP without rebuild

Just to understand better. Are you talking about Macs that do not exist in your DEP portal period? or you are setting it up and waiting for them to populate into you DEP portal?

Macs are the easy side of this. The iOS devices are where my worry would be. For the Mac, if a device is enrolled in DEP/ABM/ASM then you only need to run one command to move them from user initiated to enterprise enrolled.

sudo profiles renew -type enrollment

But you can't do the same from an iOS device.

To add to cpresnall, if the image on the Mac is older then one year, you will have to delete the apsd.keychain file in /Library/Keychains and then restart the Mac otherwise the command will fail.

@nelsoni You no longer need to delete apsd.keychain as of Jamf Pro 10.15.

For a lot of orgs this going to be a non issue when they are disallowing iCloud usage to begin with. You can prevent all or just parts of iCloud from being used, especially Find My, using a configuration profile.

@adamcodega We're in a similar boat where we're going to start DEP early next year and try to add older Macs in, but for today, if you were to re-purpose an existing non-DEP Mac where the previous user logged in to iCloud, erase and reprovision the Mac to a new user and then they log in to iCloud, would the new iCloud login not supersede the previous one and negates this?

I say/ask this as we don't block iCloud and wouldn't want to if we can help it, as there are a number of benefits to our users to leave it enabled (we have a 1:1 between users and Macs).

Curious if this will be an issue as I'll have to take it up internally with our own IT and InfoSec teams to start looking at getting DEP sorted quicker.

for iMacs, the Activation Lock requires the T2 chip.
In JAMF, you can add FindMy.app in the app restrictions, and disable the System Preferences | Profiles icon to prevent removal of the MDM profile.

@adamcodega, where do you see the restriction for FindMy? We are fine with individuals in our institution using iCloud services, but want to restrict FindMy across the board.

Log in JAMF, go in Computers, then Restricted Software on the left navigation bar.

@Shamagi Great solution !!! I was worried about this as it's a little more complicated than this thread has brought up...

https://www.jamf.com/jamf-nation/feature-requests/8673/macos-10-15-activation-lock-bypass

And there are more threads...

I am trying to configure profile to block FMM... hopefully that will work.. there is a thread here that says it doesn't...

Thanks

C

I have a script set as a self service policy that will help users re-enroll at the bottom of this discussion.

https://www.jamf.com/jamf-nation/discussions/26435/macos-10-13-2-and-user-approved-mdm-enrollment

As that thread said, the profile won't work... Apple doc and Server app don't have an block/enable option for FFM macOS...

@Shamagi What are you using for the process name?

The process name is "FindMy".

@Shamagi

Thank you!!!

What does restricting the process do? Prevent turning it on? Prevent a lock from taking affect?

To manage this with a configuration profile, create a new profile and browse to the Restrictions payload. Under the functionality tab are options to check off:

• Allow use of iCloud password for local accounts
• Allow iCloud Drive
• Allow iCloud Desktop & Documents
• Allow iCloud Keychain
• Allow iCloud Back to My Mac
• Allow iCloud Find My Mac
• Allow iCloud Bookmarks
• Allow iCloud Mail
• Allow iCloud Calendar
• Allow iCloud Reminders
• Allow iCloud Contacts
• Allow iCloud Notes

I wasn't able to get the process blocked or sub system perf.. stuck blocking all "Internet Accounts"

C

We have long had this little script snippet in our provisioning workflows which cuts down on this happening: nvram -d "fmm-mobileme-token-FMM"

Going back to some of the questions, my case is a mix of DEP eligible machines (they were purchased under Business Account and show up correctly in JAMF under Pre-Stage but were NOT enrolled through DEP but a user side invitation script). The remainder are "retail purchased" machines that do not show up via DEP / JAMF Pre-Stage and as far as I understand from Apple there is no mechanism to bring these under DEP based management. This latter issue continues to be a pain point (I'm being very polite) as Apple do not seem to have any interest in solving this or making the experience easier. I have offices across several countries and several "home office" staff who purchase at a local store.

@cpresnall The profiles command appears to work for DEP eligible devices. Need to plan rollout to the machine but thanks. Looks good. No if only Apple would solve the retail purchased devices outside of DEP..... ;-)

@adamcodega I honestly hadn't been aware that iCloud would cause such issues. Caveat emptor. Now trying to back out of bad place. I had also been waiting on Business Manager and Federated Apple ID (i.e. SSO from Google rather than Azure AD) but this seems to be some time coming. Want to move to corporate managed iCloud accounts for exactly this reason.