DEP/PreStage Issue - Macs not picking up PreStage

smithjw
New Contributor III

Hey, not sure if this is a particular DEP issue or more so to do with macOS but I'm wondering if you've seen the following.

I'm starting to get a lot of new Macs shipping and while they are added to a particular PreStage, they do not immediately pick up that it's required. The issue goes like so:

  • New employee opens sealed laptop
  • Starts running through Setup Assistant and is prompted to connect to wifi
  • Mac connects and the next screen is the Migration Assistant screen NOT DEP page informing employee that the Mac is to be managed.

If the employee continues, they can successfully setup their Mac without the DEP PreStage being completed or being enrolled in JAMF.

In order for the User to be presented with the DEP Setup Assistant page they must do the following:

  • Start Mac and proceed through Setup Assistant
  • Connect to wifi and click Continue
  • On Migration Assistant page click Back button
  • Connect to wifi again (can be same or different network), then click continue
  • Now they see DEP SA page and are prompted for authentication.
  • Following this, they see all SA steps associated with the assigned PreStage and the Mac is successfully enrolled in JAMF.

I Have tested this on 6 brand new 2016 Macs plus several 2013-2015 macs that have been wiped back to factory with 10.12.2. All exhibit the same issues.

As you can imagine, this isn't great for UI as I need to communicate to make sure to click back then connect to wifi again, or be present for all enrolments.

Any ideas?


ebbinghoff
New Contributor

It was an issue for us as well. Our machines are purchased from Apple so that they are in the DEP. We found that adding the machine to the pre-stage enrolment it was going to be used with a day before we turned on the machine for the first time was our workaround.

chris_miller
Contributor

Just tested it with a hotspot and had the same results. This particular model was in prestage for over 48 hours. So hopefully support can shed some light on this. Fortunately it's not widespread.

michaeloswell
New Contributor II

We just noticed it today too. Never had trouble like this with DEP at this job or any previous. Just enrolled it manually for now but would be nice to hear a reason. Machines purchased through Apple and verified it was on our DEP and Prestage.

Malcolm
Contributor II

It might be unrelated, but if you have

Settings > Global Management > User-Initiated Enrollment and the following enabled:
Restrict re-enrollment to authorized users only
Only allow re-enrollment of mobile devices and computers if the user has the applicable privilege (“Mobile Devices” or “Computers”) or their username matches the Username field in User and Location information.

any DEP user-assigned management setup of a device will enrol unmanaged. They can be manually set to managed in Jamf Pro under each device's record. It's not ideal, but Jamf are aware of the bug.

kuyker
New Contributor II

Just want to add that I am also experiencing the same issue as of the time of this response. The MacBook in question has been enrolled in ASM and shown up in the scope settings for PreStage for over 9 days before I turned on the machine for the first time. I have tried to unassign the device in ASM and release the device. I've re-added the device and then reassigned it to ASM with no success. It shows up in PreStage scope as expected but still refuses to pick up DEP settings on boot. Tried it with wireless and wired with no success.

I spoke to Jamf support and they had me set up the device fully and then run

profiles renew -type enrollment

Which obviously works, but defeats the whole point of Zero Touch Deployment. I've asked for my case to be escalated, one of the primary reasons we wanted to go with Jamf was for the Zero Touch deployment features.

jonathan_mcc
New Contributor III

Again, we too are in the same boat. I have a fresh shipment of MacBook Pros and straight out of the box they fail to get to the Remote Management screen. If I do an internet recovery (or reinstall macOS from USB) it will connect fine, get the profile and see the Remote Management screen. We have communication with Apple Education but they are currently "Looking in to the underlying cause".

I have thought that some of the problem is the Auto-Advance part of Setup Assistant. If it connected to the wifi and THEN allowed you to leave it connected for a minute, you could then click next at your own leisure, giving it time to check in with Apple time servers and ensure time and everything was correct.

Another part to note is the certificate verification URLs Apple uses aren't directly Apple. Check out this Apple Support Article (released August 7th 2019) for those of you also behind a firewall and make sure all is allowed out. We had issues where profiles weren't coming down at ALL, and once we allowed the certificate verification URLs through we saw much more success.

Still having inconsistent DEP enrolment, but more consistency now when reinstalling MacOS (non ideal solution).

BlakeRichardson
New Contributor

I have this exact same problem. I have tried what @SmithJ mentioned about connecting to a wireless network, continuing to the migration option and then going back and re-entering the wireless information, but this didn't work for me.

I have also reinstalled the OS without erasing the drive, but this didn't work either, so I have just erased the drive and reinstalled the system again.

Once it's connected I will also leave it for a few minutes to see if that makes any difference.

kuyker
New Contributor II

Adding in that a second Macbook is having the same issue now. Just opened the box for the first time today, made sure it was assigned to the correct PreStage Enrollment, but refuses to pick up anything from Jamf.

tjhall
Contributor III

Does the Mac exist in PreStage and is it ticked? We've had a couple of Macs which for some reason are DEP but aren't ticked in JSS. After reboot they are usually picked up.

tnielsen
Valued Contributor

I had a tech report this issue to me a few days ago. I assumed he/she did something wrong. Now I see that may not be the case.

By default we are just opening the box, wiping the hard disk and re-installing the OS.

kuyker
New Contributor II

@tjhall The devices are assigned and ticked off on the correct PreStage. If we wipe them and reinstall the OS it picks up the PreStage info just fine. Only when they come right from the factory do we have issues. Figured they should check against DEP and then against the MDM on first boot (if assigned in ASM or ABM) before kicking off the Setup Assistant, but something happens where it doesn't do that.

GabeShack
Valued Contributor III

My surefire way is using dongles and ethernet. I ordered 50 of them just for these setups. Once you pick "other" for connecting to internet, it takes you to a DHCP screen and then everything kicks off as intended. So far no issues after switching to ethernet.

EDIT:
Just FYI our DHCP screen when selecting other shows nothing, but when I click through it, it works as it should.

Gabe Shackney
Princeton Public Schools

merps
Contributor III

@gshackney which ethernet dongles are you using? I don't have the model numbers on hand but we are using the black Belkin USB-C ethernet adapters. Unfortunately we're finding that multiple reboots are needed to obtain a DHCP address on systems straight from the factory.
As others have stated, there are no issues when doing a wipe/reload; it's only when the system is out of the box for the first time.

garybidwell
Contributor III

@merps strange you should say that about the black Belkins.
We've been using the Kanex USB-C to Ethernet adapters for several years without issue, but recently had a supply issue getting hold of them so swapped to the black Belkin version. We now are getting strange issues with devices giving the JSS a 172.x.x.x address even though on the device they have the correct DHCP LAN address they should have, and failing DEP installs.

Looking in ifconfig, it reports back a really strange en number as well (like en28) even though other ethernet dongles/dock ports configure themselves with low numbers like en0, en1, etc.
Definitely worth trying different manufacturers' dongles to see if it changes anything.

GabeShack
Valued Contributor III

We are using the white Belkin ethernet adapters sold by Apple. As long as I add them each as a removable MAC address ahead of time, we haven't had a single issue with the new 2019 MacBook Airs that we just received. Gone through about 20 of them so far. Have another 140 to set up so I'll let you know if we see anything.

Gabe Shackney
Princeton Public Schools

nwsbear
New Contributor II

@gshackney - could you elaborate on what you mean when you say "As long as I add them each as a removable MAC address ahead of time". Thanks!

GabeShack
Valued Contributor III

@nwsbear There is a section in your settings under Computer Management that has a button called Removable MAC Addresses. This is to keep Jamf from looking at the MAC address of that adapter and assigning it to a specific computer. If you don't enter the ethernet adapters as "Removable MAC Addresses" then Jamf Pro assumes you are just re-enrolling the same computer over and over and over again, and that may cause issues with imaging and DEP.

So you just have to take the MAC address of that dongle and add it to Removable MAC Addresses to keep that from happening.

Also see my edit of my post above: when selecting "Other" during the initial DEP setup, the DHCP screen doesn't show any info for our network, but when I click continue everything does work properly.

Gabe Shackney
Princeton Public Schools

kwoodard
Contributor III

Having this same issue with 12 MBAs... Not using wifi, but ethernet... None of them are catching any profiles... Have no idea what to try next.

GabeShack
Valued Contributor III

@kwoodard Are you using ethernet to Thunderbolt adapters? Have you entered those ethernet to Thunderbolt adapters into Removable MAC Addresses as mentioned above? If not, then the JSS will just think you are reimaging the same machine over and over.

Gabe Shackney
Princeton Public Schools

kwoodard
Contributor III

@gshackney Yes, I only have one adapter, so it was easy enough to add.

jonathan_rudge
New Contributor III

Same here, also have it with Apple TVs; end up going through Setup Assistant, factory resetting, then DEP kicks in?!

dgreening
Valued Contributor II

Uhhh NOT pleased to hear that defining Removable MAC Addresses is a thing again. We have literally THOUSANDS of thunderbolt/usb-c ethernet adapters globally, and having to enter them into Jamf to get ABM to work reliably is a non-starter. Hey Jamf! I thought we were using UDIDs as the primary identifier of a machine?

myronjoffe
Contributor III

@dgreening AFAIK it's the serial number as the unique identifier.

rafaelnr
New Contributor II

Good to know that this is still an issue, nearly three years after the first report. Just ran into this this afternoon with an Early 2015 MacBook Air, fresh out of the box. I'm wiping and reinstalling Mojave, just to see if that solves the issue.

kwoodard
Contributor III

I did discover a strange workaround which leads me to think that this issue has something to do with networking. When you boot up the computer for the first time out of the box, you get to a language selection screen. Select a language... THEN hit the back button. It seems that the setup "package" that runs for the first time reloads. I let it sit for about 30 seconds and then go through the initial setup and the pre-stage catches. If you go through it too quickly and don't wait, you sometimes will get to the screen that says that the computer will be managed, and rather than it having your "org" listed, it will say "null". I let it sit here for a bit and the "null" changed to the name of my "org" and then things worked. I would imagine if your network is slower than mine, that wait time might need to be increased.

Let me know if this works for anyone else. My curiosity is piqued.

rafaelnr
New Contributor II

@kwoodard Ooooooh - I'm going to try that the next time I run into this issue. Nuking & repaving seem to have done the trick here. Thank you for sharing this; much appreciated.

kwoodard
Contributor III

I've been working more with this issue and I am convinced it's a network deal between the new computer and Apple servers/DEP. I was talking with our Jamf tech contact and asked him about this, and here is the process a new computer goes through.

  1. Initial boot up
  2. Network selection
  3. Apple DEP servers contacted
  4. DEP says "Yes! This is an institutional computer, please go to your MDM (Jamf in our case) for enrollment."
  5. Jamf kicks in and we get the screen where it tells the user that the computer is going to be managed. Hazzah!

So, the breakdown is happening between 2 and 3. If Apple's DEP validation computers are getting hit hard, there will be a delay in the new computer being introduced to our JSS. So what the Jamf tech told me today is to select your network and wait; or, if you are on ethernet, I would imagine waiting on the select keyboard screen for a while would allow enough time to pass so the DEP server can make the bridge between the new computer and Jamf.

Going to try that in a bit... Will report back.

GabeShack
Valued Contributor III

Three things:

  1. I just saw this PI "PI-007502 In environments with multiple Jamf Pro web app instances using a single Tomcat instance, devices fail to enroll with Jamf Pro using a PreStage enrollment if there is an Enrollment Customization configuration added to the PreStage."

  2. Just to clarify my previous post:
    My surefire way is using dongles and ethernet. I ordered 50 of them just for these setups. Once you pick "Other" (on the bottom left of the screen, and then select ethernet) for connecting to internet, it takes you to a DHCP screen and then everything kicks off as intended. So far no issues after switching to ethernet.
    EDIT:
    Just FYI our DHCP screen when selecting Other shows nothing, but when I click through it, it works as it should.

  3. I ran through all my steps and one that I don't bypass is the location settings. I always have to click through the turn on Location Services (during setup) and then let it find my time zone. I used to see issues with this on mobile devices when the time zone was incorrectly set and how it communicated with Apple's servers.

Gabe Shackney
Princeton Public Schools

AlanSmith
Contributor

So nearly another 6 months later and we have a whole new batch of machines to deploy, and the first one out of the box strikes this problem! Tried most relevant solutions short of wipe and reinstall OS, none of which have worked.
Tried a 2nd computer and everything worked as expected. "There is something rotten in the state of Denmark!"
So now am wiping and reinstalling the OS on the first computer.
This is obviously a serious bug with Apple; does anybody know if a ticket has been raised?

EDIT: Can confirm @BlakeRichardson comment that the HD needs to be wiped and the OS installed, not just installed overtop of current system, for this to work.

ufccjamfadmin
New Contributor

I have encountered this issue this morning and have been working through most of your solutions thus far, but to no avail. Have finally found out the root cause of the issue, for us anyway. The issue ended up being that the Catalina Setup Assistant was unable to fully accept the certificate that our organisation has for our Wi-Fi (even attempting to connect to another network that didn't include the after would fail, as it was still trying to resolve the certificate).

In the end we created a hidden SSID that had no certificate attached to it for the devices to connect to. Using this method resulted in a 100% success rate of the MacBooks getting to the "Remote Management" screen. As for the devices that we already attempted accepting the certificate for, unfortunately we had to re-wipe those again.

joshuaaclark
New Contributor III

This is still an issue. It is 2020.

sdagley
Honored Contributor III

I'm not convinced this is Jamf specific. I have a case open with AppleCare Enterprise Support for some new-in-box Macs not hitting the Remote Management screen, and I know my case is linked to others. So far wipe and re-install macOS seems to be the solution for users in the field that have run into this, but I have a test Mac in my hands that failed enrollment today and I'm hoping to do some excavating to see if there's any clue as to where things failed. Since I don't see a partial computer record (i.e. DEP-<SerialNumber>) created from a failed device certificate push like I do when our SSL filters bork the initial APNS connection (you really need to whitelist *.push.apple.com if you're doing SSL inspection, as *courier.push.apple.com doesn't cut it with Catalina), I'm pretty sure the Mac never hit my Jamf Pro server. Doing a sudo profiles renew -type enrollment on the Mac does recognize that our Jamf Pro system can manage it, and it leaves a breadcrumb in the PreStage enrollment status for the computer by changing it from Assigned to Completed.

sdagley
Honored Contributor III

To follow up on my last post, the logs show my test Mac failed to connect to Apple's servers for Device Enrollment configuration. This failure pattern is a known one, and it's not Jamf specific. Wiping the Mac and re-installing macOS Catalina resulted in a successful enrollment.

lamador
New Contributor III

This has been an issue for us as well. It's not a Jamf issue; it's with Apple. All of our iOS devices 100% of the time get the Remote Management page. macOS is hit and miss. Does anyone have a radar link of the stuff you guys submitted with Apple? I am having to tell users to go into the Terminal and run profiles -renew type or other commands at the language Setup Assistant.

Sandy
Valued Contributor II

We received 600 MacBook Airs in December. Initially DEP worked pretty well.
Then things went crazy and they sat in their boxes for 6 weeks, and afterward they would fail to go to the DEP screen about 80% of the time during setup.
I tried all variables: wired, wireless, firewall, no firewall, this switch, that switch and more.
Finally gave up, bypassed DEP at setup, updated the OS to newest (10.15.4 at the time) and enrolled in DEP from the desktop. Worked fine, lots of extra clicks.
Today I got a one-off Pro with Touch Bar. Skipped DEP, updated to 10.15.5.
Now, I can enroll in DEP, but the Jamf side never works. Wiped, reinstalled OS, DEP during startup works, Jamf side is incomplete. No binary, no Self Service, device record in Jamf is incomplete.

I read some say recreate PreStage. I use the PreStage enrollment for some Smart Group scoping, and if I delete and recreate the PreStage it may be removed from the existing DEP devices' Jamf records, which I believe will break those Smart Groups....
Has anyone deleted and recreated a PreStage using the exact same name and had it stay in the device records for previously activated devices?

sdagley
Honored Contributor III

@Sandy You may be running into this problem which causes your JSS cert to be invalid: HTTPS connection to specific sites fail with cURL on macOS

Sandy
Valued Contributor II

@sdagley, you've lost me there. My Tomcat servers are using a third-party cert expiring 12/11/20 (Network Solutions).
My self-signed CA cert expiration is 3/23/23.

Also getting this error if I try recon to enroll:
"error retrieving last session due to absence of an active session"
My hidden SSH account exists on the device, either created by PreStage or by enrolling from URL.

I can get the computer into DEP, but without Jamf (device record is created in Jamf but no inventory is taken, no name, no other details). If I enroll in Jamf using https://myjss/enroll (profiles download and install), it changes enrollment in the device record to "User Initiated, no invitation" and removes the DEP profiles.

Either way I get no binary and no Self Service.
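A small triage script, added here as an example (not code from this thread, from Jamf or from Apple), for a Mac that came out of Setup Assistant without the Remote Management screen. It reads the output of profiles status -type enrollment to tell the states described in kuyker's and sdagley's posts (where profiles renew -type enrollment is the fix) from Sandy's "DEP works but no binary, no Self Service" case; the Jamf binary and Self Service paths are the usual install locations and are assumed, not taken from the thread.

```shell
#!/bin/sh
# Post-setup triage for a Mac that skipped the Remote Management screen.
# Pipe the output of `profiles status -type enrollment` (macOS 10.13.4+) into
# classify_enrollment; it prints one state so the admin knows which of the
# thread's workarounds applies.
classify_enrollment() {
    dep=no; mdm=no
    while IFS= read -r line; do
        case "$line" in
            "Enrolled via DEP: Yes"*) dep=yes ;;
            "MDM enrollment: Yes"*)   mdm=yes ;;
        esac
    done
    case "$dep/$mdm" in
        yes/yes) echo "enrolled" ;;         # DEP and MDM both completed
        yes/no)  echo "dep-incomplete" ;;   # DEP ran but the MDM profile never landed
        no/yes)  echo "mdm-only" ;;         # enrolled outside DEP, e.g. via the /enroll URL
        *)       echo "not-enrolled" ;;     # Setup Assistant never reached DEP
    esac
}

# Reports whether the Jamf binary and Self Service made it onto the Mac.
# Default paths are the usual Jamf install locations (assumed, not from the thread).
check_jamf_side() {
    bin="${1:-/usr/local/bin/jamf}"
    ss="${2:-/Applications/Self Service.app}"
    missing=""
    [ -x "$bin" ] || missing="$missing jamf-binary"
    [ -d "$ss" ]  || missing="$missing self-service"
    if [ -z "$missing" ]; then echo "complete"; else echo "missing:$missing"; fi
}

# Maps a state to the remediation posters in this thread reported working.
advise() {
    case "$1" in
        enrolled)       echo "nothing to do" ;;
        not-enrolled)   echo "run: sudo profiles renew -type enrollment" ;;
        dep-incomplete) echo "check the Jamf Pro cert chain (expired root CA?), else wipe and reinstall macOS" ;;
        mdm-only)       echo "DEP profiles were replaced by a User Initiated enrollment; wipe and reinstall macOS" ;;
    esac
}

# Live checks only run on an actual Mac; elsewhere the functions are just defined.
if [ "$(uname 2>/dev/null)" = "Darwin" ] && command -v profiles >/dev/null 2>&1; then
    state=$(profiles status -type enrollment 2>/dev/null | classify_enrollment)
    echo "enrollment: $state"
    echo "jamf side:  $(check_jamf_side)"
    echo "advice:     $(advise "$state")"
fi
```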

sdagley
Honored Contributor III

@Sandy It's not that your cert has expired, but it could be one of the Root CAs in the trust chain for it has. This can result in the Mac's attempt to download the jamf binary, and all that comes along with it, from your JSS failing.