One of my concerns with our DEP prestage enrollment deployment is that if the end user does not have an internet connection during their setup, they can just skip the DEP enrollment... But I've been told that a nagging notification should pop up telling the end user that their computer wants to be managed by company XYZ. I don't seem to get that notification. I've had a MacBook set up and connected to the internet for over a day now and no notifications. I found another post here that said to try "sudo /usr/libexec/mdmclient dep nag" and that results in showing me all the DEP info: Organization Address, Department, Phone number, etc. Does anyone have some insight for me regarding this? Thanks!
If you cancel the DEP process in any way and then perform, say, an OTA enrollment, the DEP portal does not contain any intelligence that you are currently enrolled in your MDM solution. So it will generate the dep nag command and it will pop up until the device re-enrolls. I suggest filing radars with Apple to fix this or get into the habit of unscoping prestage profiles to devices in this state. If you have Apple Care Enterprise I suggest also filing a ticket with them as well as filing a radar.
To reproduce the issue, scope a prestage enrollment profile to one of your Macs. Skip the Setup Assistant and do not connect to a network. Then OTA enroll the Mac into Jamf. You will now have a fully managed system but DEP will still nag it constantly.
Hey Tom, thanks for the info.. the one laptop finally started nagging several hours after I posted about this.. it's a definite issue and I am going to get in touch w. Apple about it. It doesn't make sense to have DEP/ASM if devices aren't forced into the process. It's going to be a fun yr going this route, but once the fires are put out it'll be a much better way to deal with deployments..
Hey guys -
Just wanted to post this link here: https://mosen.github.io/profiledocs/troubleshooting/mdmclient.html
It's some of the best documentation I've found on the mdmclient binary & Configuration Profiles in general.
There is a bug with dep nag that goes as far back as 10.11.6. I have an open issue with them on this and it will be fixed in 10.13.
There are a few workarounds Apple gave me, but in my testing they caused issues and didn't work 100% of the time. If you're interested in the commands, reach out to me.
@erik on Slack
Does anyone have a solid understanding of how and when the DEP notification is triggered? In my case, I'm not seeing the DEP notification triggered even if I run "mdmclient dep nag". The command shows me all of the relevant DEP information, but no notification is triggered. I am wondering if Apple changed something recently as I've definitely seen the notification before in prior testing. Currently, I'm not seeing the notification in 10.13 or 10.11.
In High Sierra there are new commands used to display the Notification for DEP enrollment.
profiles renew -type enrollment
profiles show -type enrollment
It appears that the show command will provide a notification and relevant information about your Device Enrollment configuration.
The renew command appears to just bring the notification up without providing any other information.