Enrolling restored supervised device fails with device not activated error.

Graeme
Contributor

Hi all,
I have been trying to restore a master image from a supervised iOS 9 iPad onto the other iPads in that trolley (cart) using Configurator 2. I have followed https://discussions.apple.com/thread/7302890 and https://discussions.apple.com/thread/7282845 and can now get them set up as supervised iPads in Configurator 2 but cannot enrol them into Casper. Using either manual enroll from https://jss.myschool.edu:8443/enroll or by pushing out the enrollment profile in Configurator 2, I get an error saying the iPad is not activated.

I have tried a hard restart of the iPad (Holding down home and power buttons), restoring through configurator 1 & 2 and iTunes Mac & Windows but all produce the same result.

Has anyone had success in doing this? And are there other suggestions that anyone thinks I should try?

Many thanks
Regards
Graeme

1 ACCEPTED SOLUTION

Graeme
Contributor

Edit (again), I have updated this post to better reflect my current workflow.

I have a workaround that may be useful and it is very different from iOS 8 and Configurator 1. It seems an iOS 9 backup does not include the supervision profile or the apps. This is the same whether the backup is encrypted or not, made in iTunes or Configurator or on a Windows machine or a Mac. Also not included in the backup are any folders on the desktop that do not contain an icon from the factory image.

Preliminary steps:
1, Make your backup from a non supervised device.
2, Make a blueprint that restores (to factory default) and applies the backup you made in step 1.
3, Make a blueprint that prepares (supervises) the iPad, skips the setup steps, installs the CA certificate and a wireless profile that does not require user interaction.
4, Make a blueprint that applies the enrollment profile, desktop wallpapers, etc.

Workflow for Configurator Supervised Devices:
1, Plug in the target iPad (not the same one as you made the master image from).
2, Apply the blueprint you made in step 2 above.
3, Do not touch the iPad or follow the setup wizard. Leave the iPad alone.
4, While the iPad is still in the setup wizard apply the blueprint you made in step 3 above.
5, Apply the blueprint you made in step 4 above.
6, Now complete the setup wizard on the iPad.

Workflow for DEP Supervised Devices:
1, Plug in the target iPad (not the same one as you made the master image from).
2, Apply the blueprint you made in step 2 above.
3, Proceed through the setup steps until either all works and you are finished or the download fails.
4, Hard boot the device. Hard booting before this stage will not enable the extra WiFi options.
5, Begin the setup wizard on the iPad again and at the WiFi screen press the home button to enable the extra WiFi settings.
6, Set up your WiFi configuration, proxy etc.
7, Check the WiFi proxy settings. If the settings won't stay click "Forget this network" and try again.
8, Complete the setup wizard on the iPad.

What I have not been able to do:

1, Get the apps to install in their folders with DEP or without adding a separate VPP account to Configurator 2.
2, Get the apps to install reliably. Some stay at "The app ... is already scheduled for management". Clearing the command in JSS and updating inventory seems to work.
3, Get the deployment any more hands off.

Hope the above is useful.

Regards
Graeme


plawrence
Contributor II

@Graeme Have you seen this thread: https://jamfnation.jamfsoftware.com/discussion.html?id=17191. It reports some issues using the manual enrolment URL and they suggest trying https://jss.organization.org:8443/mdm/ServerURL.

qhle373
Contributor

The trick is to not add an MDM server at all in Configurator 2 settings. Leave it blank and just download an enrollment profile from your JSS. Here is what we've been doing:

We create a master backup with a blueprint that just skips all the setup screens, chooses manual enroll on MDM, adds org/supervision.

We restore the new master to the iPads.

We add a blueprint that skips all setup screens, chooses manual enroll on MDM, adds org/supervision, adds Trust Cert and Wi-Fi.

Hard Reset of each iPad.

Add MDM Enrollment Profile from JSS, and they're good.

Graeme
Contributor

Thank you both for your suggestions. To be fair I am unable to get automated enrolling to work; applying an enrolment profile in a blueprint and manually enrolling from the JSS website does work. That problem however would be a different thread.

This problem only occurs when I restore a backup from a master iPad. All works well until I try to enrol into Casper using either an enrolment profile or manually from the Casper website.

The workflow is:
1, Use a blueprint to restore from the backup of the master iPad. A trick here is on completion I must not go through the setup wizard on the iPad or else I am unable to prepare.
2, Prepare using a blueprint and apply CA certificate and wireless profile that does not require any user interaction. Unlike Configurator 1, I can't restore from backup and supervise in the one operation.
3, Use a blueprint to apply an enrolment profile.

During the enrolment (step 3) the device will error out with the not activated error. If I don't restore from backup (step 1) it enrols ok.

Currently I am having to prepare to factory default and then manually arrange the apps into folders.

Regards
Graeme

plawrence
Contributor II

@Graeme

Thanks for providing the steps you've been using to restore backups using Configurator 2. I am attempting to restore backups to DEP Supervised devices but keep running into an "Invalid Profile" error. The console of the iPad contains the following log entries:

iPad profiled[86] <Error>: Can't convert pem cert
iPad profiled[86] <Notice>: (Error) MC: Could not create machine info dictionary. Error: NSError:
    Desc   : Your iPad is not activated.
    US Desc: Your iPad is not activated.
    Domain : MCInstallationErrorDomain
    Code   : 4014
    Type   : MCFatalError
    Extra info:
    {
        isPrimary = 1;
    }

I get this error if I try to use an Automated Enrolment blueprint and even if I just try and manually progress through the Setup Wizard after restoring the backup.

Have you seen this error? Are there any other steps you used to restore your DEP backups to another device?
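The console excerpt in the post above can be triaged mechanically. The following is an added example, not part of the thread and not Jamf or Apple code: it parses `NSError:` dumps in the layout shown in that excerpt and selects the `MCInstallationErrorDomain` / `4014` "not activated" failure. The function names and the extra unrelated log line are assumptions made for illustration.

```python
import re

# Constructed sample: the excerpt quoted in the post, plus one unrelated line.
SAMPLE_LOG = """\
iPad profiled[86] <Error>: Can't convert pem cert
iPad profiled[86] <Notice>: (Error) MC: Could not create machine info dictionary. Error: NSError:
    Desc   : Your iPad is not activated.
    US Desc: Your iPad is not activated.
    Domain : MCInstallationErrorDomain
    Code   : 4014
    Type   : MCFatalError
    Extra info:
    {
        isPrimary = 1;
    }
iPad SpringBoard[54] <Notice>: constructed unrelated line
"""

# "<host> <process>[<pid>] <Level>: <message>" starts a new log entry.
HEADER = re.compile(r"^(\S+) (\w+)\[(\d+)\] <(\w+)>: (.*)$")
# Indented "Key : value" lines belong to the NSError dump that precedes them.
FIELD = re.compile(r"^\s+(Desc|US Desc|Domain|Code|Type)\s*:\s*(.*)$")

def parse_nserrors(text):
    """Return one dict per 'NSError:' dump, holding its indented fields."""
    errors, current = [], None
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:
            current = None  # any new entry closes the previous dump
            if head.group(5).rstrip().endswith("NSError:"):
                current = {"process": head.group(2), "level": head.group(4)}
                errors.append(current)
            continue
        field = FIELD.match(line)
        if field and current is not None:
            key, value = field.group(1), field.group(2).strip()
            current[key] = int(value) if key == "Code" and value.isdigit() else value
    return errors

def not_activated(errors):
    """Select the failure reported in this thread (domain and code from the excerpt)."""
    return [e for e in errors
            if e.get("Domain") == "MCInstallationErrorDomain" and e.get("Code") == 4014]

if __name__ == "__main__":
    for err in not_activated(parse_nserrors(SAMPLE_LOG)):
        print(err["process"], err["Domain"], err["Code"], err["Desc"])
```
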

Graeme
Contributor

Taking the backup from a non supervised device and getting the proxy settings right seems to be what worked for me. We also had lots of issues here because all state schools' internet went through a large proxy array and the activation would get confused if different parts of the activation request to Apple came from different IP addresses. All traffic to gs.apple.com now goes direct.

Don't know if this will help and sorry for the late reply.

Regards
Graeme