If someone has stolen a DEP Mac or is trying to re-image it, this person can actually bypass DEP/Pre-Stage Enrollment by not connecting to the Internet.
How do we enforce an Internet connection during a pre-stage enrollment with Jamf?
You don't. SA needs an active network connection to check for a DEP enrollment. Anyone can bypass DEP with a non-active connection to the network.
That being said, the DEP nag will prompt upon connecting to a network, saying there's a corporate device policy for that Mac, every hour or so.
For us, our DEP workflow, if it is connected to the network, skips a bunch of steps and creates an account. The info for DEP says this machine is stolen, please contact x at y.
Let's say my users actually re-install the entire system on their own (full wipe and re-install) and manage to start up macOS without Pre-Enrollment.
Will this MacBook check in with DEP/Jamf to receive update prompts that this device needs to be enrolled in 15 mins, etc.?
@jsim My understanding of DEP is that your computer checks with Apple's servers to see if it's in DEP. If it is, then it gets pointed to your MDM server. You could wipe that drive 100 times but it wouldn't matter, because all the DEP info is stored online, not on the machine itself. It's kind of like if you have an Apple SUS. The computer goes to get the update, but then the server sees that it's been seeing a SUS from the same IP, so it redirects it to the SUS.