We are just starting to manage MacBooks using JAMF and I am seeing an issue where a MacBook that was already enrolled, either through Casper Imaging or through Recon, will at some point receive an enrollment prompt. If you click allow, all of the profiles (most importantly WiFi) that are installed on the computer are removed and it attempts to re-enroll the device.
I've verified that the computer is not scoped in a Pre-Stage Enrollment policy, but I'm not sure what else would be causing this. Don't want to hand the computers out to users and have them get the prompt, accept it, and then have everything break even temporarily.
This sounds like an Apple DEP nagging notification. I ran into a similar issue after my company started to deploy macOS 10.12.5. It was explained to me by a Jamf system engineer that this is Apple's way of aggressively getting people who have Apple DEP enabled to use Apple DEP. I resolved this issue by logging into deploy.apple.com with my company's credentials and moving all of my macOS clients associated with my MDM to unassigned. This leaves the clients in a limbo state where there is no assigned MDM to the client through Apple secure protocol but will allow you to set the client later once you are ready to use Apple DEP. This workaround has resolved my Apple DEP nagging for my clients. Note, Mac hardware automatically gets assigned to Apple DEP from your vendor if you have Apple DEP set up and the vendor code entered in your company's Apple DEP account. Let me know if I am off base. Hope this helps.
We are using DEP, and for the 3-4 other MacBooks I have set up, I've not seen the issue. The one MacBook is still showing the prompt to enroll frequently, despite having removed the device from the scope of any Pre-Stage Enrollment and un-assigning the device in DEP.
It's just one MacBook at this point, but not knowing what is causing it is my concern.
Have you looked for a stray Mobile Device record with that serial number? I've seen about half a dozen computers where something chokes and it makes a double record. The computer ends up with a record as a Mobile Device as well. It'll probably be searchable only in an advanced computer search for the serial number. The system starts fighting itself when this happens.