DEP/PreStage Issue - Macs not picking up PreStage

We purchase a lot of our stuff through corporate resellers and I've found that some are not as fast at submitting the serial number/orders/whatever to Apple for DEP Enrollment as others are. Some even a week or more after we've received the hardware before it gets registered in DEP.

Are you getting notices that the hardware has been submitted? Should look something like this..

Devices Available The devices submitted by <Reseller> on your behalf and received by Apple on December 7, 2016 at 4:50 PM (GMT) are now available to be enrolled in your Apple Device Enrollment Program account. Order Number Order Date 1234567 December 1, 2016

Once that emails been received I need to go in and assign it to the proper MDM (Jamf in this case). Once that's complete, then I can go into prestage enrollments and verify the box is checked.

@jwojda We purchase all our Macs directly through Apple so they are added to DEP as soon as they ship which means they have been assigned to a particular PreStage for at least a week before we get our hands on them.

The particular issue I'm seeing is that when they are connected to wifi for the first time, they don't see the particular PreStage enrolment. If you click the Back button, connect to wifi again, and click continue, they successfully see the PreStage enrolment.

Have you refreshed your DEP token?

Which size 2016 MacBook Pro's are you using also touch or non touch?

I've seen similar issues with 10.12, 10.12.1 and 10.12.2. The 2016 MacBook Pro's exhibit different behavior than even 2015 machines with variations of 10.12.

You can see a video of what I'm talking about here

https://cultureamp.wistia.com/medias/gaiq4f540s

We're seeing this exact problem, too. We've seen it with existing DEP machines plus new 2016 machines, and have seen it for at least a couple of weeks. Initially we thought it was because we're mid-switch from Meraki to JAMF, but with the arrival of new machines that were never tied to Meraki for DEP, we ruled that out.

Two of my colleagues did a call with JAMF support on Monday, and they were stumped. They asked us to capture system logs off of a successful enrollment and off of one of the misbehaving ones for comparison; since the call, none have failed. We have another batch arriving today, though, so fingers crossed.

The problem seems to happen less on a wired connection than on wireless, but has happened for us on both. We've tested on multiple networks to rule out LAN/ISP config trouble.

We are seeing it as well. all our machines are setup on wired connections as our wireless is only available once the machine is enrolled due to certificates. I not been able to try your work around as systems are in remote office due to our assumption DEP would just work like it always has. Will try your work around tomorrow and get back to you. I wonder... is this a JAMF issue or a DEP issue.

I'm seeing this same exact issue on a number of computers both on wired and wireless. I've tested on multiple networks, so I know it isn't a network issue. Sometimes we can go back and connect to wifi a second time and the prompt shows up, but not always. Has anyone found a solution to this?

I'm having this same issue...anyone figure it out?

Bump

This is s a consistant behaviour if the computer is not connected to a network. User can bypass the Pre-Stage setup and just create an account with Admin privileges and the JAMF binary never gets installed. Seems like a big hole in this process.

even after connecting to the network....and waiting hours sometimes it still will not pick up the prestige. This is very irritating.

Obligatory "I have the same issues too!"
I can see the Serial Numbers in DEP as enrolled in our JAMF server, and on JAMF when I go to the "Device Enrollment Program" section I can see the Serial number listed there assigned with the appropriate PreStage. However, when I boot the MacBook it does not get the DEP prompt.

Has anyone made any progress with these devices? I spoke to both Apple and JAMF, and still don't have a solution. Apple says this is something happening on the MDM side of things.

So as it turns out, this was happening on devices that had the incorrect time after going through the MacOS setup wizard. Why the time is off I have no clue..

That being said, if you go into the settings once you hit the desktop, uncheck automatically set time, fix the time, then set it back to automatic - then open up terminal and type: sudo profiles -N it will prompt you to accept the DEP profile again. Accepting that worked, and all was enrolled in the JSS..

So there you have it - check the time ;)

@jaymckay - have you found a way to check/fix the time during the setup?

@jackhcurtis - I haven't... i think it can happen when a computer's battery is drained so low that the internal clock also turns off. I'm sure there are other reasons as well. I haven't seen it too many more times, but when I do, I just quickly run through the setup, reset the time, then run that command. Alternatively, you can run through the setup, reset the time, then re-image and hand off to the user.

I'm seeing this occasionally as well. If I reinstall the OS DEP picks it up but was wondering if there was a better way to get it to recognize DEP..

I've seen this issue, mostly related to network latency. If you need to kick off DEP manually the command has changed to:

profiles renew -type enrollment

Seeing an issue akin to this today. Mac Mini that picked up its DEP enrollment via Wi-Fi once today but not before multiple failures this morning and now seeing failures this afternoon (failures meaning the setup assistant offering the migration assistant prompt instead of configuration by my mdm).

If I run the command profiles show -type enrollment then I can see all the details of the prestage that my Mac should have picked up, but didn't. I am not seeing any blocked communication on the firewall except NTP traffic to Apple which always ages out.

Running the `profiles show -type enrollment command doesn't do anything fast.

I'm having the same problem as @nigelg here. On a couple test machines I've given up on the PreStage enrollment to create the first admin user with SecureToken, so after running SA and creating that user manually I'm sitting at the desktop waiting for the DEP popup with no luck.
profiles show -type enrollment shows me the PreStage Enrollment settings that aren't being deployed but there's no jamf binary and no MDM profile, user-accepted or otherwise.

I'm having this same exact issue. 10.13.5 and Jamf 9.101. Fairly easy to duplicate the issue when using wifi and the Remote Management prompt is a lot more reliable when using ethernet. Apple has mentioned network latency and I saw that mentioned in a comment above. I'm not having any issues with iOS devices (iPads) getting the Remote Management prompt, only macOS. Anyone figured this out yet?

I too have been having issues getting the Remote Management screen to appear during setup with a wireless connection. Using ethernet has solved the issue for now but I've got several hundred machines to setup at the end of the year so I'm still troubleshooting the issue.

The frustrating thing is that it was all working at the beginning of the year and I can't think of any environment changes that should be causing the issue. So far performing setup over the wireless works about 5% of the time.

I've seen this and other things occurring in DEP..

I solved a lot of my issues by swithching off 'network state change' triggers..

Just interferes with everything really.
SO, if you don't need it switch off!

Just received a new order of laptops today and powered one on to see if the batch came with 10.13 or or 10.14 and...no Remote Management notice. Just went through the normal setup screens as though it wasn't associated with our JAMF instance. I logged into Apple Business Manager and verified that the serial numbers were attached to our JAMF service yesterday. It was late in the day, so I powered the machine off and will try again tomorrow.

From what I'm reading though, some of this may be caused by Wi-Fi issues? Strange, because we have been setting up laptops from our previous order though yesterday and have not had a problem during pre-stage enrollment.

I haven't had this issue before, but other issues with MDM not managing the device after DEP. Got a ticket on it and working through it at the moment. Manual and non authenticated work fine.

I have a set time settings enrolment policy script set with my configuration, but I don't believe the device is hit with an enrolment profile, pre user authentication or not.

it does seem like time related. But perhaps it is also network security related, in regards to time, is the time protocol port blocked? could the standard time default addresses be blocked?

e.g. time.apple.com
time.asia.apple.com
time.europe.apple.com

.