Does a device enroll itself with the JSS, if the end user skips the WiFi setup step during Zero Touch Deployment?

Damon_Byg
New Contributor III

While I was testing the Zero Touch deployment process on our student devices, I noticed that there is an option to skip the WiFi step after reinstalling the OS. I found that if the user decides to skip the WiFi setup, the device will skip the enrollment process with our JSS, which means the device is not controlled by our JSS, and the user is pretty much given full access to the machine. If the device connects to WiFi at a later point, it never checks in with our JSS.

I have contacted JAMF support and found that they have informed Apple of this issue and are waiting to hear from them about a solution. So until a solution is found by Apple, I will probably end up using JAMF Imaging to ensure that our machines enroll with our JSS.

Has anyone found an alternative solution to make sure their Zero Touch deployed devices check in with their JSS?

4 REPLIES

alexjdale
Valued Contributor III

Yes, there is no way to force Zero Touch as far as I know. A user can simply set it up off-net. Even if you could force them to set up WiFi, you can't force them to be in range of a WiFi network.

Dylan_YYC
Contributor III

Hmm, would having the devices in DEP make a difference? If it's a registered device, I think you can force it to do that.

Asnyder
Contributor III

If it doesn't enroll initially, it should enroll as soon as it's connected to the internet, in my experience. That's where the DEP nag comes in for user-approved MDM.

marklamont
Contributor III

I hoped the DEP nag would be useful, but it doesn't work as far as I can tell on 10.13.3 and up. Works great in 10.12. I wanted to use it to annoy people who had acquired some missing machines, but if they had upgraded to 10.13 it just doesn't nag at all.