DEP-enrolled iPad not being supervised

fdeltesta
Contributor

Hello,

I have a few iPads in my Business Manager. Like, their serial numbers are appearing in my inventory, and they are assigned to my Jamf MDM.

Though they don't seem to be enrolled in Apple Business Manager at all.
When reset, they start up like any consumer iPad. You need to set up everything, and in the end nothing appears in the Settings menu saying that the device is managed, and no MDM profile is present.

I'm unable to re-enroll the devices into "DEP" with Configurator since these are already in my DEP inventory. Though if I only choose to supervise the device, it does work and the MDM gets uploaded fine.

Still, the iPads themselves don't seem to be linked to Business Manager in any way. Any clue on this?

6 REPLIES

Tribruin
Valued Contributor II

Are they properly scoped to a PreStage Enrollment? Even if a device is assigned in ABM to an MDM server, it still needs to be scoped to a PreStage enrollment. Otherwise, it will activate like a regular iPad.

fdeltesta
Contributor

@RBlount Can't believe I was this stupid and forgot about that.

I created a PreStage enrollment profile and after resetting the iPads it worked like a charm, thank you!

A few other questions though:
- Do I really have to systematically reset the iPads in order to have the PreStage enrollment profile applied to them? I mean, the previous devices I've set up are only enrolled through Apple Configurator. So now I noticed that none of them have the non-removable MDM. (I wanna f*cking cry).

None of the iPhones and iPads we have were ever bought from Apple, so none of them were directly assigned to ABM, which explains why I have to enroll every single one of them through AC2.
Here's my workflow so far:
- Plug the device into my Mac.
- In AC2, proceed to reset the device with the options to enroll in ABM/ASM and supervise.
- If the device was properly activation-unlocked and not already under our ABM, everything works fine: the device shows that it is managed by our organisation and the MDM profile is there (but removable).
- Then I need to log in to ABM and assign the device to our Jamf Pro MDM server, even though the default assignment setting is set to Jamf Pro in ABM (WTF is this for then?).
- And now, if I got it right, I have to go to Jamf and add the device to the PreStage enrollment scope (or maybe the "Automatically assign new devices" tick does it for me?).
- Still, here I'd have to reset the device again so it can get the non-removable MDM profile from the PreStage enrollment...

How can I make this easier?
Sorry if some of this is obvious to you, but I'm all new to this.
Thanks for your help.

Tribruin
Valued Contributor II

Glad to help, everyone starts somewhere and we learn by doing.

Let me answer some of your questions:

- Do I really have to systematically reset the iPads in order to have the PreStage enrollment profile applied to them? I mean, the previous devices I've set up are only enrolled through Apple Configurator. So now I noticed that none of them have the non-removable MDM. (I wanna f*cking cry).

Yes, to enroll an iOS device via DEP/ADE you have to start with a factory-reset OS and go through setup (or use AC2 with DEP enrollment).

- In AC2, proceed to reset the device with the options to enroll in ABM/ASM and supervise.

You can add a device to ABM in AC2 without walking through enrollment. That would allow you to add the device without having to walk completely through setup.

- Then I need to log in to ABM and assign the device to our Jamf Pro MDM server, even though the default assignment setting is set to Jamf Pro in ABM (WTF is this for then?).

I haven't looked too closely at whether default assignments work with devices added via AC2. But for any devices purchased and enrolled by your vendor, they should automatically assign to the selected MDM.

- Still, here I'd have to reset the device again so it can get the non-removable MDM profile from the PreStage enrollment...

Like I mentioned above, you should be able to add the device to ABM without doing a full setup, thus minimizing that step.

- And now, if I got it right, I have to go to Jamf and add the device to the PreStage enrollment scope (or maybe the "Automatically assign new devices" tick does it for me?).

Yes, if you check the box to Automatically Assign new devices, any iOS device added to ABM and assigned to the Jamf server will automatically be added to this PreStage Enrollment profile. If you only have/need one Prestage, it doesn't hurt to check the box.

A couple of other notes:

1) Any device added to ABM via AC2 and enrolled via Automated Enrollment has a 30-day grace period in which the MDM profile can be removed by the end user, even if the profile is marked as non-removable. That is a security feature that Apple built in. It is recommended that you enroll the device and stick it on a shelf for 30 days if you want to make sure that someone doesn't remove the device.

2) Most resellers can add devices to your ABM portal, not just Apple. Talk to your reseller. If they can't add devices to ABM, it might be time to find a new reseller. That would make your life so much easier by not having to take the extra step to manually add the devices.
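
Added here as an example (not the thread's own code, and not a Jamf or Apple API): a small Python audit that encodes the end state the replies above describe, supervised plus an ADE/PreStage-delivered MDM profile, and flags devices that fell short or, for AC2-added serials, are still inside the 30-day removable-profile window. The CSV, its column names and the serials are constructed assumptions, not an actual Jamf export format.

```python
"""Audit an MDM inventory export for iPads that did not reach the state the
thread describes (supervised, enrolled via ADE/PreStage) and flag AC2-added,
ADE-enrolled devices still inside Apple's 30-day removable-profile window.
The CSV below is constructed; its column names are assumptions, not Jamf's."""
import csv
import io
from datetime import date

GRACE_DAYS = 30  # grace period for AC2-added devices enrolled via Automated Enrollment

# Constructed sample export (serials are placeholders, not real devices).
# enrollment: how the MDM profile got on the device; abm_source: how the serial reached ABM.
SAMPLE_CSV = """serial,supervised,managed,enrollment,abm_source,enrollment_date
SERIAL0001,true,true,automated,reseller,2023-01-05
SERIAL0002,true,true,automated,configurator,2023-02-20
SERIAL0003,true,false,none,none,2023-01-10
SERIAL0004,false,true,manual,none,2023-01-11
SERIAL0005,true,true,configurator,configurator,2023-01-12
"""


def classify(row, today):
    """Return (status, remediation) for one inventory row."""
    supervised = row["supervised"].strip().lower() == "true"
    managed = row["managed"].strip().lower() == "true"
    if not managed:
        return "NO_MDM", "no MDM profile: add to ABM, assign to MDM, scope to PreStage, erase"
    if not supervised:
        return "UNSUPERVISED", "managed but not supervised: re-enroll through PreStage"
    if row["enrollment"].strip().lower() != "automated":
        return "REMOVABLE_MDM", "Configurator/manual enrollment: profile is user-removable"
    days = (today - date.fromisoformat(row["enrollment_date"])).days
    if row["abm_source"].strip().lower() == "configurator" and days < GRACE_DAYS:
        return "IN_GRACE", f"user can still remove the profile for {GRACE_DAYS - days} days"
    return "OK", "supervised, ADE-enrolled, non-removable"


def audit(csv_text, today_iso):
    """Map each serial to its (status, remediation) pair; today_iso is 'YYYY-MM-DD'."""
    today = date.fromisoformat(today_iso)
    return {row["serial"]: classify(row, today)
            for row in csv.DictReader(io.StringIO(csv_text))}


if __name__ == "__main__":
    for serial, (status, note) in audit(SAMPLE_CSV, "2023-03-01").items():
        print(f"{serial:<11} {status:<14} {note}")
```

Devices reported as IN_GRACE are the ones the reply suggests keeping on a shelf until the window closes.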

fdeltesta
Contributor

@RBlount Hello,

Thanks a lot for taking the time to answer me that thoroughly. Really, it did help:

After reading all your answers I ran different "enrollment workflows" to see which was the most effort-to-time efficient. And I came up with the three following, which are the most relevant:

1 - My first conclusive workflow:
Since the only devices I have left within my reach are brand new (meaning not unboxed), I won't need to think about erasing them or anything.
- Plugged the device into my Mac and AC2.
- Proceeded to a "Full enrolment", meaning I checked Add to ABM, Activate & Enroll, Supervise, and Add to MDM.
- I went through the whole setup process on the device.
- In ABM, assigned the device to the Jamf MDM so it is "linked" to the PreStage enrollment (and waited for the sync to finish, roughly 3 to 5 minutes).
- Erased the device manually from within its settings.
- And BINGO! Once the device went through the activation process the Organisation config was applied, the MDM was properly installed, and the device appears supervised.

2 - Second workflow - Do I need to reset though? Oh heck no:
- Plugged the device into my Mac and AC2.
- Prepared the device by only checking the "Add to ABM" and "Supervise" boxes.
- And here, since I did not choose to directly activate the OS: in ABM, assigned the device to the Jamf MDM so it is "linked" to the PreStage enrollment.
- Finished the setup on the device. Once it reached the Activation process, everything loaded fine: Organisation config, MDM, supervision.

3 - Third workflow - What about devices coming back from production?
Lastly, I manually set up one of the new devices so it would look like it had been given back to IT. The device is activated, not supervised, not enrolled in DEP or MDM.
- Plugged the device into my Mac and AC2.
- Prepared the device by only checking the "Add to ABM" and "Supervise" boxes. Here, since the device was already set up and activated, AC2 prompted to erase it. So I did.
- Then the device restarted and got added to ABM.
- Then again, assigned it to Jamf in ABM, waited for the sync...
- Finally, finished the setup on the device and went through the activation process, which downloads the org config, the MDM and the supervision.

I'm relieved to have understood all this mess; it is finally making some sense to me. And you helped a lot, thank you again!
Still, if you have anything to add to this, it'll be much appreciated.

Tribruin
Valued Contributor II

Glad to help. Just want to add some final thoughts.

You mentioned you don't buy your iPads from Apple. Does your vendor not participate in Apple Business Manager? If not, it might be a good time to find a new vendor. All the major Apple vendors can add devices directly to ABM when purchased through them. Combine that with setting up ABM to automatically add new devices to your Jamf server, and then checking the box to make your PreStage enrollment the default for all newly added devices, and you should be able to get to the point where a new device can be taken directly from the box and enrolled in your MDM without touching ABM or Jamf.

Also, depending on the vendor, they may be able to go back to past purchases and add them retroactively. That would not immediately affect your existing devices, but in your third workflow, once you reset the device, they would immediately enroll in your Jamf just like a new device.

fdeltesta
Contributor

Sadly, our reseller does not participate in ABM. And our past Macs and devices are not eligible for integration with ABM. It's still the same guy we buy the products from when we had only ±40 users. Now we have 250+ and it's getting unmanageable indeed.
At first this reseller was chosen for some price advantage. Today we still deal with him because Apple has some stupidly long shipping delays.
But we are aiming to change that. We'd love to register for some rental service directly through Apple, so we can always have our Macs bound to Apple, and if anything is wrong with the hardware, it's dealt with the right way. (We have a lot of users breaking their Macs, and mostly iPhones.) On that point it would be profitable in terms of costs, and we'd always have the latest hardware and proper repairs.

But, safe to say, I'm aware of everything you can do to have your hardware directly in ABM. We're planning on changing that. It's just taking too long to be dealt with, so that's why I'm struggling a bit with the devices we already have.

Again, thanks for your help!