Posted on 07-20-2017 07:57 AM
One of my concerns with our DEP prestage enrollment deployment is that if the end user does not have an internet connection during their setup, they can just skip the DEP enrollment... But I've been told that a nagging notification should pop up telling the end user that their computer wants to be managed by company XYZ. I don't seem to get that notification. I've had a MacBook set up and connected to the internet for over a day now and no notifications. I found another post here that said to try "sudo /usr/libexec/mdmclient dep nag" and that results in showing me all the DEP info: Organization Address, Department, Phone number, etc. Does anyone have some insight for me regarding this? Thanks!
Posted on 07-20-2017 09:47 AM
Is the test computer in PreStage Enrollments in your JSS? And does it have a check next to it?
Posted on 07-20-2017 10:17 AM
@stuartwilcox, it is and it does. What's interesting is I just went to take a screenshot of it, and it says it's completed its prestage enrollment. This morning...
Posted on 07-20-2017 11:23 AM
@nvandam Interesting. I have not seen that before.
I can say that we have had several computers that were not connected to network and later did get the DEP nag that you mention and we were able to enroll them at that time.
Posted on 07-20-2017 02:11 PM
I can absolutely attest that it nags the heck out of you any time you have an internet connection!
Had my own machine set for DEP and it nagged me every 15 minutes or so.
Posted on 08-10-2017 01:25 PM
When this nag appears (which I have seen on a laptop but have not been able to duplicate yet), does the user use the local credentials they created to allow the profile to push down, and does that then trigger the enrollment process over?
Posted on 08-11-2017 08:56 AM
Is the only way to turn off the 'Nag' by removing from the Pre-Enrollment?
Posted on 08-11-2017 11:00 AM
I asked Apple about this once, and they said the only way to stop it was to run through the Setup Assistant again.
Posted on 08-11-2017 11:49 AM
A method to disable the DEP nag popups
Posted on 08-11-2017 02:57 PM
If you cancel the DEP process in any way and then perform, say, an OTA enrollment, the DEP portal does not contain any intelligence that you are currently enrolled in your MDM solution. So it will generate the dep nag command and it will pop up until the device re-enrolls. I suggest filing radars with Apple to fix this or get into the habit of unscoping prestage profiles to devices in this state. If you have Apple Care Enterprise I suggest also filing a ticket with them as well as filing a radar.
To reproduce the issue, scope a prestage enrollment profile to one of your Macs. Skip the Setup Assistant and do not connect to a network. Then OTA enroll the Mac into Jamf. You will now have a fully managed system but DEP will still nag it constantly.
Posted on 08-12-2017 09:47 AM
Hey Tom, thanks for the info.. the one laptop finally started nagging several hours after I posted about this.. it's a definite issue and I am going to get in touch w. Apple about it. It doesn't make sense to have DEP/ASM if devices aren't forced into the process. It's going to be a fun yr going this route, but once the fires are put out it'll be a much better way to deal with deployments..
Posted on 08-13-2017 12:05 PM
Hey guys -
Just wanted to post this link here: https://mosen.github.io/profiledocs/troubleshooting/mdmclient.html
It's some of the best documentation I've found on the mdmclient binary & Configuration Profiles in general.
Posted on 08-14-2017 09:26 PM
There is a bug with dep nag that goes as far back as 10.11.6. I have an open issue with them on this and it will be fixed in 10.13.
There are a few workarounds Apple gave me, but in my testing they caused issues and didn't work 100% of the time. If you're interested in the commands, reach out to me.
@erik on Slack
Posted on 01-26-2018 09:01 AM
Does anyone have a solid understanding of how and when the DEP notification is triggered? In my case, I'm not seeing the DEP notification triggered even if I run "mdmclient dep nag". The command shows me all of the relevant DEP information, but no notification is triggered. I am wondering if Apple changed something recently as I've definitely seen the notification before in prior testing. Currently, I'm not seeing the notification in 10.13 or 10.11.
Posted on 01-26-2018 10:17 AM
I think "mdmclient dep nag" is going away.. check the current beta..
Posted on 01-26-2018 11:03 AM
@gachowski I do see that some changes are coming on the OS side. The bigger question is still how DEP notifications work. Should they pop up automatically? Will they only pop up if a command is run to trigger them? Can the notifications themselves be controlled by your MDM somehow?
Posted on 01-26-2018 03:13 PM
In High Sierra there are new commands used to display the Notification for DEP enrollment.
profiles renew -type enrollment
profiles show -type enrollment
It appears that the show command will provide a notification and relevant information about your Device Enrollment configuration.
The renew command appears to just bring the notification up without providing any other information.
Posted on 07-23-2018 09:33 PM
@gachowski when you run "mdmclient dep nag" in HS 10.13.6, Apple will ask you to use the new command instead
PS. good to see you here...
Posted on 07-25-2018 12:28 PM
You can use sudo profiles renew -type enrollment or profiles -N to trigger a nag in High Sierra. If you want to read the cloud configuration record, sudo profiles show -type enrollment
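Added example, not part of any post in this thread: a shell check that separates the three states discussed above (enrolled through DEP, OTA-enrolled but not through DEP, and not enrolled at all) and prints the follow-up the thread suggests for each. It assumes the `profiles status -type enrollment` output format of macOS 10.13.4 and later, which is not shown on this page, and that the Mac is scoped to a PreStage enrollment; the function names and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample outputs (assumed format, not captured from a real Mac).
SAMPLE_OTA='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)
MDM server: https://mdm.example.invalid/mdm/ServerURL'
SAMPLE_SKIPPED='Enrolled via DEP: No
MDM enrollment: No'

# Read `profiles status -type enrollment` text on stdin and print one state.
classify_enrollment() {
    awk -F': *' '
        /^Enrolled via DEP/ { dep = $2 }
        /^MDM enrollment/   { mdm = $2 }
        END {
            if (dep == "" || mdm == "")  print "unknown"
            else if (mdm !~ /^Yes/)      print "unenrolled"
            else if (dep ~ /^Yes/)       print "dep-enrolled"
            else                         print "mdm-only"
        }'
}

# Map a state to the follow-up mentioned in the thread; prints it, runs nothing.
next_step() {
    case "$1" in
        unenrolled)   echo "sudo profiles renew -type enrollment" ;;
        mdm-only)     echo "unscope the PreStage profile or re-enroll through Setup Assistant" ;;
        dep-enrolled) echo "none" ;;
        *)            echo "inspect manually: sudo profiles show -type enrollment" ;;
    esac
}

# On a Mac with the profiles binary, report the live state; elsewhere this is skipped.
if command -v profiles >/dev/null 2>&1; then
    state=$(profiles status -type enrollment 2>/dev/null | classify_enrollment)
    printf 'state=%s next=%s\n' "$state" "$(next_step "$state")"
fi
```

Run as an inventory script or extension attribute, the `unenrolled` result flags Macs whose user skipped enrollment at setup, and `mdm-only` flags the OTA-enrolled machines that will keep receiving the nag.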