Corporate devices without DEP are at risk - how to enrol in DEP without rebuild

nycnewman
New Contributor III

Looking for advice on how to get from user-initiated to DEP enrolled for existing device population and fix Activation Lock on personal accounts.

After one of our ex-employees was able to prove that he could remote manage his old device (erased, rebuilt and issued to a new user), we need to switch from user initiated enrolment to DEP. The ex-employee had used a personal Apple iCloud ID to manage the device and it was still showing in their "Find My" of iCloud. They could play a tune or worse lock or wipe the device.

So question is how do you get existing population of devices from user initiated enrolment to DEP without needing to rebuild every machine?

A long discussion with Apple suggests the following:
- They recommend a "best practice" of using DEP but realistically this is a Mandatory Practice
- Still have no way to bring retail purchased devices under DEP
- Users using their own iCloud accounts may "Activation Lock" the device and link it to their personal account. Apple will only consider revoking such activations if you provide specific proof of purchase (which for us is hundreds of machines across several countries)

Have others hit this issue and how did you resolve?


nelsoni
Contributor III

Just to understand better. Are you talking about Macs that do not exist in your DEP portal, period? Or are you setting it up and waiting for them to populate into your DEP portal?

cpresnall
Contributor

Macs are the easy side of this. The iOS devices are where my worry would be. For the Mac, if a device is enrolled in DEP/ABM/ASM then you only need to run one command to move them from user initiated to enterprise enrolled.

sudo profiles renew -type enrollment

But you can't do the same from an iOS device.

nelsoni
Contributor III

To add to cpresnall, if the image on the Mac is older than one year, you will have to delete the apsd.keychain file in /Library/Keychains and then restart the Mac, otherwise the command will fail.

patgmac
Contributor III

@nelsoni You no longer need to delete apsd.keychain as of Jamf Pro 10.15.
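An added example, not code posted in this thread, that wraps the command from cpresnall's reply so it can be pushed as a Jamf policy script: it reads the current enrollment state from "profiles status -type enrollment" (available since macOS 10.13.4), only runs "profiles renew -type enrollment" when the Mac is not already DEP-enrolled, and re-checks afterwards. It assumes the two-line status output shown in the comments; the apsd.keychain step from nelsoni's reply is only pointed out on failure, since that workaround needs a restart and is no longer required on current Jamf Pro builds.

```shell
#!/bin/sh
# Added example, not from the thread. Moves a user-initiated enrollment to a
# DEP enrollment only when needed, by parsing
#   profiles status -type enrollment
# which on macOS 10.13.4+ prints two lines such as (assumed format):
#   Enrolled via DEP: No
#   MDM enrollment: Yes (User Approved)
set -u

# Classify the status text. Echoes exactly one word:
#   dep-enrolled   already enrolled through DEP/ABM, nothing to do
#   needs-renewal  MDM-enrolled, but not via DEP (user-initiated script)
#   not-enrolled   no MDM enrollment at all (renew still works if DEP-assigned)
#   unknown        output did not match the expected format
enrollment_state() {
    dep=$(printf '%s\n' "$1" | sed -n 's/^Enrolled via DEP: *//p')
    mdm=$(printf '%s\n' "$1" | sed -n 's/^MDM enrollment: *//p')
    case "$dep/$mdm" in
        Yes/*)   echo dep-enrolled ;;
        No/Yes*) echo needs-renewal ;;
        No/No*)  echo not-enrolled ;;
        *)       echo unknown ;;
    esac
}

# Live path: needs root, because "profiles renew" re-enrolls the device.
# Returns 0 when the Mac ends up DEP-enrolled, 1 otherwise.
reenroll_if_needed() {
    state=$(enrollment_state "$(profiles status -type enrollment 2>/dev/null)")
    echo "before: $state"
    [ "$state" = dep-enrolled ] && return 0
    if ! profiles renew -type enrollment; then
        # The device is probably not in the DEP portal (retail purchase), or
        # on older Jamf Pro builds the APNs keychain is stale: delete
        # /Library/Keychains/apsd.keychain, restart, and run this again.
        echo "profiles renew failed; check DEP assignment / apsd.keychain" >&2
        return 1
    fi
    state=$(enrollment_state "$(profiles status -type enrollment 2>/dev/null)")
    echo "after: $state"
    [ "$state" = dep-enrolled ]
}

# Only touch the live system when explicitly asked:
#   sudo sh reenroll.sh --renew
[ "${1:-}" = "--renew" ] && reenroll_if_needed
```

Note that "profiles status" alone cannot tell a retail-purchased Mac from a DEP-assigned one that was enrolled with a user-initiated script; both show "Enrolled via DEP: No". The renew attempt is what distinguishes them, which matches nycnewman's later observation that the command only works for DEP-eligible devices.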

adamcodega
Valued Contributor

For a lot of orgs this is going to be a non-issue when they are disallowing iCloud usage to begin with. You can prevent all or just parts of iCloud from being used, especially Find My, using a configuration profile.

vinny83
New Contributor III

@adamcodega We're in a similar boat where we're going to start DEP early next year and try to add older Macs in. But for today, if you were to re-purpose an existing non-DEP Mac where the previous user logged in to iCloud, erase and reprovision the Mac for a new user, and then they log in to iCloud, would the new iCloud login not supersede the previous one and negate this?

I say/ask this as we don't block iCloud and wouldn't want to if we can help it, as there are a number of benefits to our users to leave it enabled (we have a 1:1 between users and Macs).

Curious if this will be an issue as I'll have to take it up internally with our own IT and InfoSec teams to start looking at getting DEP sorted quicker.

Shamagi
New Contributor II

For iMacs, the Activation Lock requires the T2 chip.
In JAMF, you can add FindMy.app in the app restrictions, and disable the System Preferences | Profiles icon to prevent removal of the MDM profile.

Ricky
Contributor

@adamcodega, where do you see the restriction for FindMy? We are fine with individuals in our institution using iCloud services, but want to restrict FindMy across the board.

Shamagi
New Contributor II

Log in to JAMF, go to Computers, then Restricted Software in the left navigation bar.

gachowski
Valued Contributor II

@Shamagi Great solution !!! I was worried about this as it's a little more complicated than this thread has brought up...

https://www.jamf.com/jamf-nation/feature-requests/8673/macos-10-15-activation-lock-bypass

And there are more threads...

I am trying to configure profile to block FMM... hopefully that will work.. there is a thread here that says it doesn't...

Thanks

C

daniel_behan
Contributor III

I have a script set as a self service policy that will help users re-enroll at the bottom of this discussion.

https://www.jamf.com/jamf-nation/discussions/26435/macos-10-13-2-and-user-approved-mdm-enrollment

gachowski
Valued Contributor II

As that thread said, the profile won't work... The Apple doc and Server app don't have a block/enable option for FMM on macOS...

@Shamagi What are you using for the process name?

Shamagi
New Contributor II

The process name is "FindMy".

gachowski
Valued Contributor II

@Shamagi

Thank you!!!

adamcodega
Valued Contributor

What does restricting the process do? Prevent turning it on? Prevent a lock from taking effect?

To manage this with a configuration profile, create a new profile and browse to the Restrictions payload. Under the functionality tab are options to check off:

  • Allow use of iCloud password for local accounts
  • Allow iCloud Drive
  • Allow iCloud Desktop & Documents
  • Allow iCloud Keychain
  • Allow iCloud Back to My Mac
  • Allow iCloud Find My Mac
  • Allow iCloud Bookmarks
  • Allow iCloud Mail
  • Allow iCloud Calendar
  • Allow iCloud Reminders
  • Allow iCloud Contacts
  • Allow iCloud Notes

gachowski
Valued Contributor II

I wasn't able to get the process blocked or sub system perf.. stuck blocking all "Internet Accounts"

C

dgreening
Valued Contributor II

We have long had this little script snippet in our provisioning workflows which cuts down on this happening: nvram -d "fmm-mobileme-token-FMM"
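An added example, not code from the thread, that wraps dgreening's one-liner so a provisioning policy can report whether a Find My Mac token was actually present before clearing it and confirm it is gone afterwards. It assumes that "nvram -p" prints one variable per line as name, a tab, then value, and that the variable name is exactly fmm-mobileme-token-FMM as given in the post. Clearing the token only removes the local Find My Mac state; it does not remove the Mac from the previous owner's iCloud device list or clear a server-side Activation Lock on a T2 Mac.

```shell
#!/bin/sh
# Added example, not from the thread. Checks for and clears the Find My Mac
# token that dgreening's snippet removes:
#   nvram -d "fmm-mobileme-token-FMM"
# Assumed: "nvram -p" prints "name<TAB>value" per line.
set -u

FMM_TOKEN_VAR="fmm-mobileme-token-FMM"

# Given the text of "nvram -p", echo the token value and return 0 if the
# variable exists; echo nothing and return 1 if it does not.
fmm_token_from_nvram() {
    tab=$(printf '\t')
    printf '%s\n' "$1" | awk -F"$tab" -v name="$FMM_TOKEN_VAR" '
        $1 == name { print $2; found = 1 }
        END { exit found ? 0 : 1 }'
}

# Live path: needs root to write NVRAM. Returns 0 when no token remains.
clear_fmm_token() {
    if ! fmm_token_from_nvram "$(nvram -p)" >/dev/null; then
        echo "no Find My Mac token in NVRAM; nothing to clear"
        return 0
    fi
    nvram -d "$FMM_TOKEN_VAR" || return 1
    if fmm_token_from_nvram "$(nvram -p)" >/dev/null; then
        echo "token still present after nvram -d" >&2
        return 1
    fi
    echo "Find My Mac token cleared"
}

# Only touch the live system when explicitly asked:
#   sudo sh clear-fmm.sh --clear
[ "${1:-}" = "--clear" ] && clear_fmm_token
```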

nycnewman
New Contributor III

Going back to some of the questions, my case is a mix of DEP eligible machines (they were purchased under Business Account and show up correctly in JAMF under Pre-Stage but were NOT enrolled through DEP but a user side invitation script). The remainder are "retail purchased" machines that do not show up via DEP / JAMF Pre-Stage and as far as I understand from Apple there is no mechanism to bring these under DEP based management. This latter issue continues to be a pain point (I'm being very polite) as Apple do not seem to have any interest in solving this or making the experience easier. I have offices across several countries and several "home office" staff who purchase at a local store.

nycnewman
New Contributor III

@cpresnall The profiles command appears to work for DEP-eligible devices. Need to plan the rollout to the machines, but thanks. Looks good. Now if only Apple would solve the retail-purchased devices outside of DEP..... ;-)

nycnewman
New Contributor III

@adamcodega I honestly hadn't been aware that iCloud would cause such issues. Caveat emptor. Now trying to back out of a bad place. I had also been waiting on Business Manager and Federated Apple ID (i.e. SSO from Google rather than Azure AD) but this seems to be some time coming. Want to move to corporate-managed iCloud accounts for exactly this reason.