Posted on 08-11-2016 06:04 AM
I have already deployed a number of Macs to my staff members and enrolled them via a QuickAdd package. We are now being asked to use the Apple DEP program on these devices however it is important that my users don't have to wipe their Macs to enroll. Does anyone know what will happen if a device that is already in JAMF gets added to DEP?
Posted on 08-11-2016 06:41 AM
If I am right you would have to wipe the device to use DEP as DEP works during pre-enrollment to make the setup easier.
Posted on 08-11-2016 06:57 AM
@tpattenbe I believe that all that will happen is that your users will receive a notification in Notification Center asking them if they want to enroll their computer into DEP. Once they click to enroll, the machine is enrolled in management.
I do not believe you need to wipe the machine for it to be enrolled. However I am fairly certain Configuration Profiles will re-apply, which could be problematic if you are pushing wireless config this way.
I would grab a machine and test to see what the results are.
Posted on 08-11-2016 09:02 AM
@tpattenbe I was able to capture a screenshot of the notification users will receive. I have a machine that is enrolled in DEP that I imaged using Casper Imaging, so I did not run through Setup Assistant. I received the below message to enroll in DEP:
Once you click on "Details", System Preferences opens up to the Profiles item and you are presented with the following:
After clicking Allow the config profiles will remove themselves and then re-apply. So, if you have your wireless configured via Config Profile, your machines will drop off the network and will not finish applying profiles until re-connected. You either need to have users on ethernet when doing this, or explain to them how to connect to the wireless again to finish.
Posted on 08-11-2016 11:16 AM
If the machine is already in enrolled but not through DEP the above prompt will result in an error, btw.
Posted on 08-11-2016 11:30 AM
@iJake hasn't ever resulted in an error for me. The machine I had that on this morning was enrolled in the JSS and then I clicked through those notifications with no issue.
Posted on 08-11-2016 11:32 AM
And to clarify, it was not enrolled via DEP. It was a machine that was being re-deployed. Wiped the drive, used Casper Imaging to lay down the OS and then run my post imaging script. Machine was enrolled via Casper Imaging. Yes, it is active in DEP, but not enrolled via.
Posted on 08-11-2016 11:33 AM
Maybe they fixed that issues then. I haven't tried it in a while.
Posted on 08-11-2016 12:37 PM
@iJake It does result in an error if you have barred access to Profiles through a configuration profile. If you left that open for the user, everything goes smoothly.
Posted on 08-14-2016 04:20 PM
We have this issue too. If a machine is in DEP when it is set up but is enrolled in casper via a non DEP method then later on the popup will appear. We have the profile panes locked by restrictions profile so clicking the details button cant do anything. De associating the computers from the capser server in the DEP portal will have no affect either. Our Apple contact investigated and the only way to fix it is to re invoke the apple setup assistant with the computer de associated. This wasnt really an option for our users so they have to put up with it for now. Hopefully this gets fixed in Sierra.
Posted on 08-15-2016 01:35 PM
We have seen issues with this as well (and we don't lock the Profiles panel). If you try to invoke the DEP setup after the fact it breaks communication with the JSS with a Device Signature error.
At the moment we're advising our techs to redo the machine using the DEP installation process if it was DEP-capable. However, if you don't want the pop-up on your existing machines, then you can go to deploy.apple.com and de-assign them (according to Apple Support). That should prevent the pop-ups, and you can always re-assign them if you should need to blow them away.
There's practically no reason to use DEP on a running machine anyway, it just binds the setup process to your MDM server.
Posted on 08-15-2016 01:37 PM
@jrobb "De associating the computers from the capser server in the DEP portal will have no affect either. Our Apple contact investigated and the only way to fix it is to re invoke the apple setup assistant with the computer de associated."
OK, that's a drag...definitely different from what we were told, however we're not back-filling machines so it's not a big issue for us (yet).
Posted on 08-23-2016 01:48 PM
Would anyone know if DEP enrollment notifications will work on a computer that is in a prestage enrollment however dep did not get applied during setup assistant?
Posted on 08-25-2016 07:27 PM
Since there is no Supervision on iOS, how the device is enrolled is not really important as long as the device is enrolled. So for devices deployed prior to setup of the PreStage enrollment, you could use any one of the other enrollment methods; enrollment invitation, user initiated enrollment via the enrollment URL (using a generic enrollment user, or LDAP authentication), or just manually installing a QuickAdd package.