DEP on devices after they've been deployed (OS X)

tpattenbe
New Contributor

I have already deployed a number of Macs to my staff members and enrolled them via a QuickAdd package. We are now being asked to use the Apple DEP program on these devices; however, it is important that my users don't have to wipe their Macs to enroll. Does anyone know what will happen if a device that is already in JAMF gets added to DEP?

13 REPLIES

jamest
New Contributor

If I am right, you would have to wipe the device to use DEP, as DEP works during pre-enrollment to make the setup easier.

stevewood
Honored Contributor II

@tpattenbe I believe that all that will happen is that your users will receive a notification in Notification Center asking them if they want to enroll their computer into DEP. Once they click to enroll, the machine is enrolled in management.

I do not believe you need to wipe the machine for it to be enrolled. However, I am fairly certain Configuration Profiles will re-apply, which could be problematic if you are pushing wireless config this way.

I would grab a machine and test to see what the results are.

stevewood
Honored Contributor II

@tpattenbe I was able to capture a screenshot of the notification users will receive. I have a machine that is enrolled in DEP that I imaged using Casper Imaging, so I did not run through Setup Assistant. I received the below message to enroll in DEP:

[Screenshot: DEP enrollment notification]

Once you click on "Details", System Preferences opens up to the Profiles item and you are presented with the following:

[Screenshot: Profiles item in System Preferences]

After clicking Allow, the config profiles will remove themselves and then re-apply. So, if you have your wireless configured via Config Profile, your machines will drop off the network and will not finish applying profiles until re-connected. You either need to have users on Ethernet when doing this, or explain to them how to connect to the wireless again to finish.

iJake
Valued Contributor

If the machine is already enrolled but not through DEP, the above prompt will result in an error, btw.

stevewood
Honored Contributor II

@iJake hasn't ever resulted in an error for me. The machine I had that on this morning was enrolled in the JSS and then I clicked through those notifications with no issue.

stevewood
Honored Contributor II

And to clarify, it was not enrolled via DEP. It was a machine that was being re-deployed. Wiped the drive, used Casper Imaging to lay down the OS and then ran my post-imaging script. Machine was enrolled via Casper Imaging. Yes, it is active in DEP, but not enrolled via.

iJake
Valued Contributor

Maybe they fixed that issue then. I haven't tried it in a while.

McAwesome
Valued Contributor

@iJake It does result in an error if you have barred access to Profiles through a configuration profile. If you left that open for the user, everything goes smoothly.

jrobb
New Contributor

We have this issue too. If a machine is in DEP when it is set up but is enrolled in Casper via a non-DEP method, then later on the popup will appear. We have the profile panes locked by a restrictions profile, so clicking the Details button can't do anything. De-associating the computers from the Casper server in the DEP portal will have no effect either. Our Apple contact investigated, and the only way to fix it is to re-invoke the Apple Setup Assistant with the computer de-associated. This wasn't really an option for our users, so they have to put up with it for now. Hopefully this gets fixed in Sierra.

chris_kemp
Contributor III

We have seen issues with this as well (and we don't lock the Profiles panel). If you try to invoke the DEP setup after the fact it breaks communication with the JSS with a Device Signature error.

At the moment we're advising our techs to redo the machine using the DEP installation process if it was DEP-capable. However, if you don't want the pop-up on your existing machines, then you can go to deploy.apple.com and de-assign them (according to Apple Support). That should prevent the pop-ups, and you can always re-assign them if you should need to blow them away.

There's practically no reason to use DEP on a running machine anyway, it just binds the setup process to your MDM server.

chris_kemp
Contributor III

@jrobb "De-associating the computers from the Casper server in the DEP portal will have no effect either. Our Apple contact investigated, and the only way to fix it is to re-invoke the Apple Setup Assistant with the computer de-associated."

OK, that's a drag...definitely different from what we were told, however we're not back-filling machines so it's not a big issue for us (yet).

gregleeper
New Contributor

Would anyone know if DEP enrollment notifications will work on a computer that is in a PreStage enrollment but DEP did not get applied during Setup Assistant?

jcarr
Release Candidate Programs Tester

Since there is no Supervision on iOS, how the device is enrolled is not really important as long as the device is enrolled. So for devices deployed prior to setup of the PreStage enrollment, you could use any one of the other enrollment methods: enrollment invitation, user-initiated enrollment via the enrollment URL (using a generic enrollment user, or LDAP authentication), or just manually installing a QuickAdd package.