Enforce Internet Connection during Pre-Stage Enrollment

jsim
New Contributor II

If someone has stolen a DEP Mac or is trying to re-image it, this person can actually bypass DEP/Pre-Stage Enrollment by not connecting to the Internet.

How do we enforce an Internet connection during a pre-stage enrollment with Jamf?


Look
Valued Contributor III

Currently I don't believe it can be done for macOS.

rderewianko
Valued Contributor II

You don't. SA needs an active network connection to check for a DEP enrollment. Anyone can bypass DEP with a non-active connection to the network.

That being said, the DEP nag will prompt upon connecting to a network, saying there's a corporate device policy for that Mac, every hour or so.

For us, our DEP workflow, if the machine is connected to the network, skips a bunch of steps and creates an account. The info for DEP says this machine is stolen, please contact x at y.

jsim
New Contributor II

How does a macOS machine that is not DEP enrolled receive the DEP nag prompt once it's online?

Other than preventing users from wiping and re-setting up the machine from the JSS, are there any other ways or workflows you all use to prevent such cases from happening?

Thanks guys!

rderewianko
Valued Contributor II

The MDM client checks in with the DEP server at a preset interval (I'm not sure what that interval is).

When a machine is reported stolen we push a wipe to it. Chances are they're gonna connect it to the network upon setup.

jsim
New Contributor II

Cool, thanks.

Let's say my users actually re-install the entire system on their own (full wipe and re-install) and manage to start up macOS without Pre-Enrollment.

Will this MacBook check in with DEP/Jamf to receive update prompts saying that this device needs to be enrolled in 15 mins, etc.?

Asnyder
Contributor III

@jsim My understanding of DEP is that your computer checks with Apple's servers to see if it's in DEP. If it is, then it gets pointed to your MDM server. You could wipe that drive 100 times but it wouldn't matter, because all the DEP info is stored online, not on the machine itself. It's kind of like if you have an Apple SUS. The computer goes to get the update, but then the server sees that it's been seeing a SUS from the same IP, so it redirects it to the SUS.