DEP/PreStage Issue - Macs not picking up PreStage

smithjw
New Contributor III

Hey, not sure if this is a particular DEP issue or more so to do with macOS but I'm wondering if you've seen the following.

I'm starting to get a lot of new Macs shipping and while they are added to a particular PreStage, they do not immediately pick up that it's required. The issue goes like so:

  • New employee opens sealed laptop
  • Starts running through Setup Assistant and is prompted to connect to wifi
  • Mac connects and the next screen is the Migration Assistant screen, NOT the DEP page informing the employee that the Mac is to be managed.

If the employee continues, they can successfully set up their Mac without the DEP PreStage being completed or being enrolled in JAMF.

In order for the User to be presented with the DEP Setup Assistant page they must do the following:

  • Start Mac and proceed through Setup Assistant
  • Connect to wifi and click Continue
  • On Migration Assistant page click Back button
  • Connect to wifi again (can be same or different network), then click continue
  • Now they see DEP SA page and are prompted for authentication.
  • Following this, they see all SA steps associated with the assigned PreStage and the Mac is successfully enrolled in JAMF.

I have tested this on 6 brand new 2016 Macs plus several 2013-2015 Macs that have been wiped back to factory with 10.12.2. All exhibit the same issues.

As you can imagine, this isn't great for UI as I need to communicate to make sure to click back then connect to wifi again, or be present for all enrolments.

Any ideas?

109 REPLIES

jwojda
Valued Contributor II

We purchase a lot of our stuff through corporate resellers and I've found that some are not as fast at submitting the serial number/orders/whatever to Apple for DEP Enrollment as others are. Some even a week or more after we've received the hardware before it gets registered in DEP.

Are you getting notices that the hardware has been submitted? Should look something like this..

Devices Available
The devices submitted by <Reseller> on your behalf and received by Apple on December 7, 2016 at 4:50 PM (GMT) are now available to be enrolled in your Apple Device Enrollment Program account.
Order Number: 1234567
Order Date: December 1, 2016

Once that email's been received I need to go in and assign it to the proper MDM (Jamf in this case). Once that's complete, then I can go into prestage enrollments and verify the box is checked.

smithjw
New Contributor III

@jwojda We purchase all our Macs directly through Apple so they are added to DEP as soon as they ship which means they have been assigned to a particular PreStage for at least a week before we get our hands on them.

The particular issue I'm seeing is that when they are connected to wifi for the first time, they don't see the particular PreStage enrolment. If you click the Back button, connect to wifi again, and click continue, they successfully see the PreStage enrolment.

MacSysAdmin
Contributor

Have you refreshed your DEP token?

Which size 2016 MacBook Pros are you using, and touch or non-touch?

I've seen similar issues with 10.12, 10.12.1 and 10.12.2. The 2016 MacBook Pros exhibit different behavior than even 2015 machines with variations of 10.12.

smithjw
New Contributor III

You can see a video of what I'm talking about here

https://cultureamp.wistia.com/medias/gaiq4f540s

fixer
New Contributor

We're seeing this exact problem, too. We've seen it with existing DEP machines plus new 2016 machines, and have seen it for at least a couple of weeks. Initially we thought it was because we're mid-switch from Meraki to JAMF, but with the arrival of new machines that were never tied to Meraki for DEP, we ruled that out.

Two of my colleagues did a call with JAMF support on Monday, and they were stumped. They asked us to capture system logs off of a successful enrollment and off of one of the misbehaving ones for comparison; since the call, none have failed. We have another batch arriving today, though, so fingers crossed.

The problem seems to happen less on a wired connection than on wireless, but has happened for us on both. We've tested on multiple networks to rule out LAN/ISP config trouble.

jsova
New Contributor

We are seeing it as well. All our machines are set up on wired connections as our wireless is only available once the machine is enrolled due to certificates. I have not been able to try your workaround as systems are in a remote office due to our assumption DEP would just work like it always has. Will try your workaround tomorrow and get back to you. I wonder... is this a JAMF issue or a DEP issue?

kcrawshaw
New Contributor

I'm seeing this same exact issue on a number of computers both on wired and wireless. I've tested on multiple networks, so I know it isn't a network issue. Sometimes we can go back and connect to wifi a second time and the prompt shows up, but not always. Has anyone found a solution to this?

truman
New Contributor II

I'm having this same issue...anyone figure it out?

jaymckay
New Contributor II

Bump

tom_hardin
New Contributor

This is a consistent behaviour if the computer is not connected to a network. User can bypass the Pre-Stage setup and just create an account with Admin privileges and the JAMF binary never gets installed. Seems like a big hole in this process.

truman
New Contributor II

Even after connecting to the network, and waiting hours sometimes, it still will not pick up the PreStage. This is very irritating.

ianhood
New Contributor

Obligatory "I have the same issues too!"
I can see the Serial Numbers in DEP as enrolled in our JAMF server, and on JAMF when I go to the "Device Enrollment Program" section I can see the Serial number listed there assigned with the appropriate PreStage. However, when I boot the MacBook it does not get the DEP prompt.

jaymckay
New Contributor II

Has anyone made any progress with these devices? I spoke to both Apple and JAMF, and still don't have a solution. Apple says this is something happening on the MDM side of things.

jaymckay
New Contributor II

So as it turns out, this was happening on devices that had the incorrect time after going through the macOS setup wizard. Why the time is off I have no clue.

That being said, if you go into the settings once you hit the desktop, uncheck automatically set time, fix the time, then set it back to automatic - then open up Terminal and type: sudo profiles -N. It will prompt you to accept the DEP profile again. Accepting that worked, and all was enrolled in the JSS.

So there you have it - check the time ;)

jackhcurtis
New Contributor

@jaymckay - have you found a way to check/fix the time during the setup?

jaymckay
New Contributor II

@jackhcurtis - I haven't... I think it can happen when a computer's battery is drained so low that the internal clock also turns off. I'm sure there are other reasons as well. I haven't seen it too many more times, but when I do, I just quickly run through the setup, reset the time, then run that command. Alternatively, you can run through the setup, reset the time, then re-image and hand off to the user.

mapurcel
Contributor III

I'm seeing this occasionally as well. If I reinstall the OS, DEP picks it up, but I was wondering if there was a better way to get it to recognize DEP.

Even after reinstalling, I still got the wrong time and it did not pull DEP :(

All through the past few weeks I have been seeing a time server issue with automatic time settings, something on the specific machines blocking the time server; manually setting the time should fix this. Presumably screen time settings or a firewall setting or website anonymiser setting is causing the underlying issue.

jason_d
New Contributor III

I've seen this issue, mostly related to network latency. If you need to kick off DEP manually the command has changed to:

profiles renew -type enrollment

nigelg
Contributor

Seeing an issue akin to this today. Mac Mini that picked up its DEP enrollment via Wi-Fi once today but not before multiple failures this morning and now seeing failures this afternoon (failures meaning the setup assistant offering the migration assistant prompt instead of configuration by my mdm).

If I run the command profiles show -type enrollment then I can see all the details of the prestage that my Mac should have picked up, but didn't. I am not seeing any blocked communication on the firewall except NTP traffic to Apple which always ages out.

Running the profiles show -type enrollment command doesn't do anything fast.

noahdowd
Contributor

I'm having the same problem as @nigelg here. On a couple test machines I've given up on the PreStage enrollment to create the first admin user with SecureToken, so after running SA and creating that user manually I'm sitting at the desktop waiting for the DEP popup with no luck.
profiles show -type enrollment shows me the PreStage Enrollment settings that aren't being deployed but there's no jamf binary and no MDM profile, user-accepted or otherwise.

tanderson
Contributor

I'm having this same exact issue. 10.13.5 and Jamf 9.101. Fairly easy to duplicate the issue when using wifi and the Remote Management prompt is a lot more reliable when using ethernet. Apple has mentioned network latency and I saw that mentioned in a comment above. I'm not having any issues with iOS devices (iPads) getting the Remote Management prompt, only macOS. Anyone figured this out yet?

curullij
Contributor

I too have been having issues getting the Remote Management screen to appear during setup with a wireless connection. Using ethernet has solved the issue for now but I've got several hundred machines to setup at the end of the year so I'm still troubleshooting the issue.

The frustrating thing is that it was all working at the beginning of the year and I can't think of any environment changes that should be causing the issue. So far performing setup over the wireless works about 5% of the time.

kerouak
Valued Contributor

I've seen this and other things occurring in DEP..

I solved a lot of my issues by switching off 'network state change' triggers.

Just interferes with everything really.
So, if you don't need it, switch it off!

macmanmk
Contributor

Just received a new order of laptops today and powered one on to see if the batch came with 10.13 or 10.14 and...no Remote Management notice. Just went through the normal setup screens as though it wasn't associated with our JAMF instance. I logged into Apple Business Manager and verified that the serial numbers were attached to our JAMF service yesterday. It was late in the day, so I powered the machine off and will try again tomorrow.

From what I'm reading though, some of this may be caused by Wi-Fi issues? Strange, because we have been setting up laptops from our previous order through yesterday and have not had a problem during pre-stage enrollment.

Malcolm
Contributor II

I haven't had this issue before, but other issues with MDM not managing the device after DEP. Got a ticket on it and working through it at the moment. Manual and non-authenticated work fine.

I have a set time settings enrolment policy script set with my configuration, but I don't believe the device is hit with an enrolment profile, pre user authentication or not.

It does seem time related. But perhaps it is also network security related: in regard to time, is the time protocol port blocked? Could the standard time default addresses be blocked?

e.g. time.apple.com
time.asia.apple.com
time.europe.apple.com

rframe
New Contributor III

Seems like a minor/obvious thing to check - BUT is the PreStage Enrolment configured to auto apply for newly added devices, or do you need to go to your JSS and manually select to enable the PSE for each device before you try to build?

macmanmk
Contributor

Can't speak for anyone else, but ours is set to auto assign for new devices.

kerouak
Valued Contributor

I leave the 'location services' splash on at startup.. just to be safe and ours run fine now.

tanderson
Contributor

We've had this issue too. It was pretty frequent (meaning, bad) with versions of 10.13 prior to 10.13.6 though it still happens sometimes there. Most reliable way we've found to get it working when it happens is to use Recovery to wipe the drive and reinstall the OS. Very annoying.

climberbry
New Contributor

Same issue here as well. smh.

jennmurphy
New Contributor II

This is happening in our environment as well, with brand new machines right out of the boxes. We've been DEP enrolled for years, purchasing hardware directly through Apple - our MDM tokens have been recently refreshed, our JSS is set to auto-assign new devices, we've reinstalled OSes from Recovery, Pre-Stage enrollment is stating the device is assigned, and the MDM profiles still don't populate sometimes. Like many folks mentioned above, it could have to do with network latency but we're experiencing this on wired and wireless connections.

When all else fails, setting up the Mac like "normal", creating an administrator account, and running sudo profiles -N in Terminal typically gets the profiles installed. In my experience, next steps vary from there but it's a good place to start if you're at wit's end. We've got 1000+ Macs in our environment and this issue is no fun to run into.
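An added triage script, not code from the thread, from Jamf or from Apple, that pulls together the checks mentioned in jaymckay's, jason_d's, nigelg's and jennmurphy's posts: read the enrollment state with profiles status -type enrollment (so a Mac that skipped the Remote Management screen, the gap tom_hardin describes, is caught rather than left unmanaged), compare the clock, and re-request the DEP profile with profiles renew -type enrollment. It assumes macOS 10.13.4 or later, where those profiles subcommands exist; the sample output lines are constructed for offline use.

```shell
#!/bin/sh
# Added example, not code from the thread or from Jamf. Assumes macOS 10.13.4+
# (profiles status/renew -type enrollment exist there). Run with --live on a Mac.

# Constructed samples of `profiles status -type enrollment` output (offline use).
SAMPLE_ENROLLED="Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)"
SAMPLE_UNENROLLED="Enrolled via DEP: No
MDM enrollment: No"

# enrollment_state: reads `profiles status` text on stdin and prints
# ok | dep-only | mdm-only | none. "none" is the gap tom_hardin describes:
# Setup Assistant finished, local admin created, no MDM profile, no jamf binary.
enrollment_state() {
  dep=no; mdm=no
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      "Enrolled via DEP: Yes"*) dep=yes ;;
      "MDM enrollment: Yes"*)   mdm=yes ;;
    esac
  done
  if [ "$dep" = yes ] && [ "$mdm" = yes ]; then echo ok
  elif [ "$dep" = yes ]; then echo dep-only
  elif [ "$mdm" = yes ]; then echo mdm-only
  else echo none
  fi
}

# clock_skew_ok LOCAL_EPOCH REFERENCE_EPOCH TOLERANCE_SECONDS
# Returns 0 when the local clock is within tolerance of the reference time.
clock_skew_ok() {
  skew=$(( $1 - $2 ))
  if [ "$skew" -lt 0 ]; then skew=$(( 0 - $skew )); fi
  [ "$skew" -le "$3" ]
}

# Live path (skipped by the offline test): report the state, show the clock
# offset, then ask for the enrollment profile again as jaymckay and jason_d did.
if [ "$(uname)" = Darwin ] && [ "${1:-}" = --live ]; then
  state=$(profiles status -type enrollment | enrollment_state)
  echo "enrollment state: $state"
  if [ "$state" != ok ]; then
    echo "local clock: $(date)"
    sntp time.apple.com            # prints the offset from Apple's NTP server
    sudo profiles renew -type enrollment
  fi
fi
```

A large offset reported by sntp is the "wrong time" symptom from the posts above; a state other than ok after the renew means the Mac still needs the Recovery reinstall route several posters fell back to.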

lehmanp00
Contributor III

We have this issue periodically. I recreate the prestage enrollment profiles from scratch. Works every time so far.

macdadmin
New Contributor II

@smithjw

The times I've seen this happen in our environment, once I've connected to wifi and don't see the Remote Management screen, clicking the 'Back' button, connecting to wifi again, and clicking continue, seems to allow the system to see the PreStage enrollment.

totalyscrewedup
New Contributor III

I just opened a case with them for this very issue. I tried recreating the prestage, tried switching from Ethernet to Wi-Fi and going back and reconnecting....It's just not taking it. The funny thing is that I have 4 that worked without a glitch and 4 that aren't playing along, no matter what I try. I've checked the serial numbers on the case against what MDM has as well as what's in the scope list of the prestage.....

a_simmons
Contributor II

@totalyscrewedup Were you given a solution? I think I've tried everything you suggested.

nreppa
New Contributor

@totalyscrewedup have you heard back at all? We have this same issue with all of our macs, not just a few, and have tried all the above suggestions.

AlanSmith
Contributor

Just adding in a 'me too' to this thread.

We've had a new shipment of iMacs for our student labs, all connected via ethernet. We went through 23 machines without a hitch, then set up the next batch of 10 machines and 4 of the 10 won't get the MDM screen. So instead, after the 'select keyboard' screen we get the 'Data & Privacy' screen.

I just went through setting one of these failed ones up manually and the 'time' certainly wasn't an issue as it had the correct time. I am now attempting an 'Internet Restore' to see if that triggers the screen prompt.

@totalyscrewedup did you get any resolution to this from your logged case with Apple?

EDIT:
UPDATE: So I tried removing a machine from our JAMF's Prestage Enrolment, then I unassigned it in Apple School Manager. I refreshed our Jamf Cloud server to confirm that the machine no longer showed up in the Scope list. I then once again Assigned it to our MDM Server in ASM. I then refreshed our Jamf server until it appeared in the Scope list and reassigned it to our Prestage Enrolment! Result: It still wouldn't see the MDM management acceptance screen. Straight to Data & Privacy after the select keyboard screen.

So then I tried the 'Internet Restore' option, erased the Drive and reinstalled macOS. After the long wait for it to install I was then able to see the MDM acceptance screen and the machine was enrolled as expected! I know this is not a great option for a lot of people, but hopefully it may help some others who only have a few machines failing to be DEP enrolled.

The one interesting thing that came out of this is one of our Network Engineers did a network trace on the machines, both a failing one and one that worked, and he could see no difference whatsoever in the network traffic up until the screen after the Keyboard Select screen. It was only after I clicked on the 'Continue' button on the MDM acceptance screen that he saw any internet traffic. So this raises the question:
"How does the computer know that it can connect to the MDM Server to be configured and managed? i.e. what is actually telling it to bring up that screen, if there is no 'outside' network traffic up until that point?" I just said it was magic!