I have already deployed a number of Macs to my staff members and enrolled them via a QuickAdd package. We are now being asked to use the Apple DEP program on these devices however it is important that my users don't have to wipe their Macs to enroll. Does anyone know what will happen if a device that is already in JAMF gets added to DEP?
@tpattenbe I believe that all that will happen is that your users will receive a notification in Notification Center asking them if they want to enroll their computer into DEP. Once they click to enroll, the machine is enrolled in management.
I do not believe you need to wipe the machine for it to be enrolled. However I am fairly certain Configuration Profiles will re-apply, which could be problematic if you are pushing wireless config this way.
I would grab a machine and test to see what the results are.
@tpattenbe I was able to capture a screenshot of the notification users will receive. I have a machine that is enrolled in DEP that I imaged using Casper Imaging, so I did not run through Setup Assistant. I received the below message to enroll in DEP:
Once you click on "Details", System Preferences opens up to the Profiles item and you are presented with the following:
After clicking Allow the config profiles will remove themselves and then re-apply. So, if you have your wireless configured via Config Profile, your machines will drop off the network and will not finish applying profiles until re-connected. You either need to have users on ethernet when doing this, or explain to them how to connect to the wireless again to finish.
And to clarify, it was not enrolled via DEP. It was a machine that was being re-deployed. Wiped the drive, used Casper Imaging to lay down the OS and then run my post imaging script. Machine was enrolled via Casper Imaging. Yes, it is active in DEP, but not enrolled via.
We have this issue too. If a machine is in DEP when it is set up but is enrolled in casper via a non DEP method then later on the popup will appear. We have the profile panes locked by restrictions profile so clicking the details button cant do anything. De associating the computers from the capser server in the DEP portal will have no affect either. Our Apple contact investigated and the only way to fix it is to re invoke the apple setup assistant with the computer de associated. This wasnt really an option for our users so they have to put up with it for now. Hopefully this gets fixed in Sierra.
We have seen issues with this as well (and we don't lock the Profiles panel). If you try to invoke the DEP setup after the fact it breaks communication with the JSS with a Device Signature error.
At the moment we're advising our techs to redo the machine using the DEP installation process if it was DEP-capable. However, if you don't want the pop-up on your existing machines, then you can go to deploy.apple.com and de-assign them (according to Apple Support). That should prevent the pop-ups, and you can always re-assign them if you should need to blow them away.
There's practically no reason to use DEP on a running machine anyway, it just binds the setup process to your MDM server.
@jrobb "De associating the computers from the capser server in the DEP portal will have no affect either. Our Apple contact investigated and the only way to fix it is to re invoke the apple setup assistant with the computer de associated."
OK, that's a drag...definitely different from what we were told, however we're not back-filling machines so it's not a big issue for us (yet).
Since there is no Supervision on iOS, how the device is enrolled is not really important as long as the device is enrolled. So for devices deployed prior to setup of the PreStage enrollment, you could use any one of the other enrollment methods; enrollment invitation, user initiated enrollment via the enrollment URL (using a generic enrollment user, or LDAP authentication), or just manually installing a QuickAdd package.