Looking for advice on how to get from user-initiated to DEP enrolled for existing device population and fix Activation Lock on personal accounts.
After one of our ex-employees was able to prove that he could remote manage his old device (erased, rebuilt and issued to a new user), we need to switch from user-initiated enrolment to DEP. The ex-employee had used a personal Apple iCloud ID to manage the device and it was still showing in the "Find My" section of their iCloud. They could play a tune or, worse, lock or wipe the device.
So the question is: how do you get the existing population of devices from user-initiated enrolment to DEP without needing to rebuild every machine?
A long discussion with Apple suggests the following:
- They recommend a "best practice" of using DEP, but realistically this is a mandatory practice
- Still have no way to bring retail-purchased devices under DEP
- Users using their own iCloud accounts may "Activation Lock" the device and link it to their personal account
- Apple will only consider revoking such activations if you provide specific proof of purchase (which for us is 00's of machines across several countries)
Have others hit this issue, and how did you resolve it?
Macs are the easy side of this. The iOS devices are where my worry would be. For the Mac, if a device is enrolled in DEP/ABM/ASM then you only need to run one command to move them from user initiated to enterprise enrolled.
sudo profiles renew -type enrollment
But you can't do the same from an iOS device.
To add to cpresnall, if the image on the Mac is older than one year, you will have to delete the apsd.keychain file in /Library/Keychains and then restart the Mac; otherwise the command will fail.
For a lot of orgs this is going to be a non-issue when they are disallowing iCloud usage to begin with. You can prevent all or just parts of iCloud from being used, especially Find My, using a configuration profile.
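An added shell helper, not a script posted in this thread, that wraps the steps described above for a Mac that is already listed in DEP/ABM but was enrolled by a user-initiated method: confirm the device is actually known to DEP, clear a stale apsd.keychain (after which a restart is needed), and otherwise run profiles renew. Two things are my assumptions rather than the thread's: that profiles status -type enrollment prints a line of the form "Enrolled via DEP: Yes/No", and that the age of the apsd.keychain file itself is a usable proxy for "image older than one year".

```shell
#!/bin/sh
# Added example, not a script from this thread. Helper for moving a Mac that is
# already listed in DEP/ABM (visible in the Jamf PreStage) from a user-initiated
# enrolment to a DEP enrolment, following the steps posted above.
#
# Assumptions (mine, not the thread's):
#  - `profiles status -type enrollment` prints a line "Enrolled via DEP: Yes|No"
#  - the age of /Library/Keychains/apsd.keychain stands in for "image older
#    than one year"; if it is older, it is deleted and a restart is required
#    before `profiles renew` is attempted.

APSD_KEYCHAIN="/Library/Keychains/apsd.keychain"
MAX_AGE_DAYS=365

# Constructed sample outputs, used to exercise the parser offline.
SAMPLE_DEP_STATUS='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'
SAMPLE_USER_STATUS='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'

# is_dep_enrolled STATUS_TEXT
# Succeeds when the status text reports the device as enrolled via DEP.
is_dep_enrolled() {
    printf '%s\n' "$1" | grep -q '^Enrolled via DEP: Yes'
}

# keychain_is_stale PATH
# Succeeds when PATH exists and was last modified more than MAX_AGE_DAYS ago.
# `find -mtime +N` on a single file works with both BSD (macOS) and GNU find.
keychain_is_stale() {
    [ -f "$1" ] || return 1
    [ -n "$(find "$1" -mtime +"$MAX_AGE_DAYS" 2>/dev/null)" ]
}

# reenroll
# Exit codes: 0 renewed, 1 not in DEP (nothing to renew against),
# 2 not macOS or not root, 3 stale keychain removed and a restart is needed.
reenroll() {
    if [ "$(uname)" != "Darwin" ] || [ "$(id -u)" -ne 0 ]; then
        echo "reenroll: run as root on macOS" >&2
        return 2
    fi
    status="$(profiles status -type enrollment)"
    if ! is_dep_enrolled "$status"; then
        echo "reenroll: device is not assigned in DEP; renew cannot convert it" >&2
        return 1
    fi
    if keychain_is_stale "$APSD_KEYCHAIN"; then
        rm -f "$APSD_KEYCHAIN"
        echo "reenroll: removed stale apsd.keychain; restart, then run again" >&2
        return 3
    fi
    profiles renew -type enrollment
}

# Only act when invoked explicitly, e.g. from a Self Service policy:
#   sudo sh reenroll.sh --run
if [ "${1:-}" = "--run" ]; then
    reenroll
fi
```

The non-zero exit codes are deliberate so that a Self Service policy log shows which branch was taken: a retail-purchased Mac that is not in DEP exits 1 before anything is changed, and the stale-keychain case exits 3 so the user is told to restart before the policy is run a second time.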
@adamcodega We're in a similar boat where we're going to start DEP early next year and try to add older Macs in, but for today, if you were to re-purpose an existing non-DEP Mac where the previous user logged in to iCloud, erase and reprovision the Mac to a new user and then they log in to iCloud, would the new iCloud login not supersede the previous one and negate this?
I say/ask this as we don't block iCloud and wouldn't want to if we can help it, as there are a number of benefits to our users to leave it enabled (we have a 1:1 between users and Macs).
Curious if this will be an issue as I'll have to take it up internally with our own IT and InfoSec teams to start looking at getting DEP sorted quicker.
For iMacs, the Activation Lock requires the T2 chip.
In JAMF, you can add FindMy.app in the app restrictions, and disable the System Preferences | Profiles icon to prevent removal of the MDM profile.
@Shamagi Great solution!!! I was worried about this as it's a little more complicated than this thread has brought up...
And there are more threads...
I am trying to configure a profile to block FMM... hopefully that will work... there is a thread here that says it doesn't...
I have a script set as a self service policy that will help users re-enroll at the bottom of this discussion.
What does restricting the process do? Prevent turning it on? Prevent a lock from taking effect?
To manage this with a configuration profile, create a new profile and browse to the Restrictions payload. Under the functionality tab are options to check off:
Going back to some of the questions, my case is a mix of DEP eligible machines (they were purchased under Business Account and show up correctly in JAMF under Pre-Stage but were NOT enrolled through DEP but a user side invitation script). The remainder are "retail purchased" machines that do not show up via DEP / JAMF Pre-Stage and as far as I understand from Apple there is no mechanism to bring these under DEP based management. This latter issue continues to be a pain point (I'm being very polite) as Apple do not seem to have any interest in solving this or making the experience easier. I have offices across several countries and several "home office" staff who purchase at a local store.
@adamcodega I honestly hadn't been aware that iCloud would cause such issues. Caveat emptor. Now trying to back out of bad place. I had also been waiting on Business Manager and Federated Apple ID (i.e. SSO from Google rather than Azure AD) but this seems to be some time coming. Want to move to corporate managed iCloud accounts for exactly this reason.