Posted on 11-16-2017 02:05 AM
Hello fellows,
Could anyone share their workflow for using DEP with JAMF Pro please? Below what we'd like to achieve:
Until now we manage to enroll the machine but Jamf Pro says it is still unmanaged and there is no user created.
Any insight would be helpful since we never worked with DEP before. We (until now) use Deploy studio for a basic image with binary and then Jamf Pro takes over.
You must also know we are in a school environment with shared iMacs where we can not let the students execute any installation. So it must be as "zero touch" as can be.
Thanx for any input
Solved! Go to Solution.
Posted on 11-28-2017 02:29 AM
Eventually, we figured out the cause of the problem. It was due to the fact a few ports were disabled on our network by our Network engineer. After he opened a few extra ports everything worked out fine concerning the Jamf Binary enrollment in combination with a DEP device.
Posted on 11-16-2017 03:30 AM
Good day,
In the JSS, go to Computers, then select PreStage Imaging
You will find everything you need in there.
You can then scope this via Serial Number, Mac Address or Network segment.
cheers!
Posted on 11-16-2017 03:31 AM
How far along are you with DEP? Have you got it setup at deploy.apple.com?
Posted on 11-16-2017 03:32 AM
Of course, you need to enroll them as per @Retrac
Posted on 11-16-2017 03:48 AM
We have Apple DEP in place with some test machines. Also the connection with Jamf Pro is working. We created a pre-stage enrollment but there is no Jamf Binary installed on the computer.
Posted on 11-16-2017 04:10 AM
Do you have user-initiated enrollment enabled? and then in the pre-stage account settings a management account configued to match?
Posted on 11-16-2017 04:34 AM
I have entered details about a management account in the user-initiated section AND in the pre stage enrollment section but the machines should not be enrolled by the user-initiated url but automatically when started for the first time.
Should the binary be installed automatically or do I have to do some extra configuration for this to happen somewhere?
Posted on 11-16-2017 04:50 AM
What OS version is the iMac running? I have seen what you are describing with DEP on 10.11. The machine would remain unmanaged in JAMF unless it was logged into.
Posted on 11-16-2017 07:59 AM
What version of the JSS are you running? 9.101 has a product issue that can prevent the jamf binary if the Accounts payload is configured in a prestage.
[PI-003771] When the Account Settings payload is configured for a computer PreStage enrollment, the MDM profile is installed on the computer, but the jamf binary may not install due to a timeout.
This seems to be fixed in 10, but it was extremely frustrating in 9.101.
Posted on 11-16-2017 10:41 AM
I think you need to create a smart group. The prestage enrollment only gets you so far. I have a Smart Computer Group that has the criteria "Enrollment Method: Prestage enrollment is DEPname." Then I have a policy scoped to that Smart Group that installs all software packages, scripts, printers, dock items, and menu items. The policy is triggered by enrollmentComplete.
Posted on 11-20-2017 04:53 AM
I assumed the binary was installed with DEP Prestage enrollment but if that is not the case, I will create a smartgroup with prestage enrollment is DEPname and target a policy to this group to install the binary.
BTW, from watching this JNUC 2017 session @ 4:15 there is no mention about getting the binary on the machine with some policy or whatso ever. Or am I missing something here? [https://www.youtube.com/watch?v=vrYXgoOwbtw](link URL)
Posted on 11-20-2017 06:00 PM
I have been having major issues testing DEP and prestage enrollments. The binary should enroll during the PSE. In my testing it works less than half the time. You know it isn’t going to work when you don’t get the “Configuration Available”, “This Mac will be configured by “XXXXXX” screen, which means that the computer has/hasn’t been recognized as being in DEP. At that point if you look at the scope of the PSE it shows as complete for that computer even though nothing has happened and the entire DEP/PSE process has failed. I have a case open with JAMF support. I have had the same failures with v9.101 and v10.0.0. Not sure if this is an Apple DEP problem, a JAMF problem, or a combination of both.
Posted on 11-21-2017 02:25 AM
Could it perhaps be due to the need for a valid signed certificate for the binary?
Posted on 11-21-2017 05:58 AM
My issues are sporadic. Sometimes I can get DEP to work, other times I cannot. Tested it this morning and the JSS crashed. Send the crash logs to Jamf in the case I already have open.
Posted on 11-28-2017 02:29 AM
Eventually, we figured out the cause of the problem. It was due to the fact a few ports were disabled on our network by our Network engineer. After he opened a few extra ports everything worked out fine concerning the Jamf Binary enrollment in combination with a DEP device.