DEP not forcing MDM enrollment OS X

Damien
New Contributor

I'm just in the process of testing a DEP rollout for new devices.
The devices are hitting the PreStage Enrolments they are assigned to but don't:

  1. Skip items defined in the "OSX Setup Assistant" payload
  2. Force the MDM profile to be installed

Once the machine has run through the Setup Assistant, the user is prompted via a Notification that Device Enrollment is available, but it is not enforced.

I have tried a few different PreStage Enrolments, with changes to the "Require Authentication" but this didn't change the outcome.

Any thoughts on this or other users experiences would be much appreciated.

Versions: JSS 9.8
OS X Client 10.10.3


Damien
New Contributor

Just as an update:
During the Setup Assistant I have tried both an active wired connection and a connection to a WPA2-PSK network.

psliequ
Contributor III

If you can, go to 9.81, test again, and report back.

anastnic
New Contributor

Hey d4mo1337,

Sorry to see you are dealing with issues. Is the machine you are testing this on running an image you created yourself, or is it running the OS X image that is given out of the box? I was also wondering if these are new machines you have purchased, or if they have been in your environment for some time. I assume they are a recent purchase because of the OS X version being 10.10.3. I did find [this thread](https://jamfnation.jamfsoftware.com/discussion.html?id=16970) where other jamfnation users described similar issues to yours while on 10.10.1/9.8. I would try running "sudo jamf enroll" via terminal to see if you have any luck with that, just to verify that the machine can even be enrolled at all. Let me know what you find out. Hope we can all get this figured out!

mpermann
Valued Contributor II

@d4mo1337 I remember reading in another thread about a problem with enrollment of OS X devices if Make MDM Profile Mandatory was checked. When I tried testing DEP on a Mac OS X system I couldn't get it to properly enroll either. I had the Make MDM Profile Mandatory option enabled. I didn't test with the option off so I am not certain that would have solved my issue. Can you try unchecking that option and trying again to see if it works like you expect? Of course, un-checking that option is a less than optimal choice in my opinion so I pretty much gave up on using that method until this issue is resolved.

Damien
New Contributor

Firstly thank you for the ideas.

I haven't updated to 9.81 yet, but it now appears to be working. The changes I made were to:

  1. Back up the JSS database
  2. Un-tick and re-tick "Make MDM profile Mandatory"
  3. Remove the computer from the PreStage Enrolment scope, and add it back in

I will do some more testing to pinpoint what (dare I say it) the fix is/was.

@anastnic These are newly delivered laptops; I have been re-imaging the test machines with a never-booted capture taken from one of them. Once you click the Notification item it does install the MDM profile and the machine is fully enrolled and managed in the JSS.

Bongardino
New Contributor III

@Damien Sorry to necro the thread, but we're dealing with a similar issue now.

Can you clarify your process? When you say un-tick and re tick the Make MDM profile Mandatory, did you do anything between those steps or did you just toggle it on then off?

Were you able to find out if this was actually the fix?

Thanks!

normanchan
New Contributor II

@Bongardino

We recently had an issue with DEP and machines not becoming managed. Not sure if it's been fixed, but there was an issue with the Accounts payload in PreStage Enrollments. We opted to remove the whole Accounts payload and DEP started working as expected.

Management account still gets installed, and you're prompted to create a new user (will default to Admin) at Apple Setup wizard. If you're running Standard users in your environment, you can just run a script post enrollment to convert the Admin to a Standard account.

Bongardino
New Contributor III

Our issue is more around the Device Enrollment OS X notification.
Essentially only half of our computers were purchased with DEP, the others predate our Casper setup.

We're trying to enroll everyone into DEP without creating that notification.

normanchan
New Contributor II

@Bongardino We had an issue with that recently as well. A JAMF engineer basically explained that a flag is supposed to be turned on after a machine has been DEP'd successfully. This is stored in the /var/db/.AppleSetupDone file. However, when that flag gets removed for whatever reason, client machines will start displaying Device Enrollment OS X notifications. The client essentially is contacting Apple constantly, thinking it needs to DEP the machine.

To remedy, we need to remove that machine(s) from your PreStage Enrollment so it no longer tries to DEP. Then we need to re-run the Apple Setup Wizard, but this time, when client contacts Apple for activation, it will just activate normally and not think it needs to go through DEP. After that is all done, you can re-add the machine back into your PreStage Enrollment in case it needs to get imaged again in the future.

Steps:
  1. Remove the machine from the PreStage Enrollment
  2. Delete the flag file, either on the affected machine or thru ARD/SSH:
     sudo rm /var/db/.AppleSetupDone
  3. Reboot the machine and run through Apple Setup (note: the machine should not ask to be automatically configured by XYZ company)

The steps above were enough in our environment to fix the issue. However, the JAMF engineer does recommend these steps if the above fails:
  1. sudo rm /var/db/.AppleSetupDone
  2. sudo rm -rf /var/db/ConfigurationProfiles/
  3. sudo rm /Library/Keychains/apsd.keychain
  4. sudo jamf removeFramework
  5. Remove the machine from the PreStage Enrollment
  6. Reboot the affected machine
  7. Reinstall JAMF via OTA enrollment or QuickAdd

Hope that helps!
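As an added example (not from any poster in this thread, and not Jamf's own code), here is a Jamf-style Extension Attribute script that reports whether a Mac looks like it is in the state normanchan describes: the /var/db/.AppleSetupDone flag missing while the MDM profile store or the APNs keychain from a previous enrollment is still present. The ROOT prefix argument is an assumption added so the checks can be exercised against a scratch directory tree; on a real Mac it defaults to "/".

```shell
#!/bin/sh
# Detection-only: classifies the DEP/Setup Assistant state from the files
# the thread names. Nothing is deleted; remediation stays a manual decision.
# ROOT is a hypothetical prefix for testing (default "/" on a real Mac).
ROOT="${1:-/}"

# 0 when Setup Assistant has recorded completion.
setup_done_flag_present() {
    [ -f "$1/var/db/.AppleSetupDone" ]
}

# 0 when the configuration profile store exists and is non-empty
# (a heuristic that a profile, MDM or otherwise, was installed earlier).
mdm_profile_store_present() {
    d="$1/var/db/ConfigurationProfiles"
    [ -d "$d" ] && [ -n "$(ls -A "$d" 2>/dev/null)" ]
}

# 0 when the push-notification keychain from a prior enrollment remains.
apsd_keychain_present() {
    [ -f "$1/Library/Keychains/apsd.keychain" ]
}

# Prints one of: ok, setup-done-no-profiles, enrollment-loop, never-setup.
dep_state() {
    root="$1"
    if setup_done_flag_present "$root"; then
        if mdm_profile_store_present "$root"; then
            echo "ok"
        else
            echo "setup-done-no-profiles"   # setup finished, no profiles yet
        fi
    elif mdm_profile_store_present "$root" || apsd_keychain_present "$root"; then
        # Flag missing but enrollment artifacts remain: the client will keep
        # asking Apple whether it should run DEP, i.e. the notification loop.
        echo "enrollment-loop"
    else
        echo "never-setup"                  # fresh machine, Setup Assistant pending
    fi
}

# Jamf Extension Attribute output convention: the value wrapped in <result>.
ea_result() {
    printf '<result>%s</result>\n' "$(dep_state "$1")"
}

ea_result "$ROOT"
```

Scoped to a smart group, the "enrollment-loop" value lets you find affected machines before users report the notification, instead of discovering them one at a time.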