JSS 9.96, iOS 10.1, DEP, PreStage Enrollment, iCloud Restore

Kennedy
New Contributor II

Hi all,

We are rolling out new iPhones to our users. We have the phones enrolled in DEP and scoped to the prestage enrollment in JSS.

If we set the phone up as a new phone, the enrollment works perfectly every time. This proves connectivity to the JSS is fine, and the prestage enrollment is setup correctly.

If we restore from iCloud, it get's stuck at "Installing configuration for ...". Packet capture on the JSS shows that it connects through after entering JSS credentials, but then once it starts installing the configuration it will stop with zero traffic to the JSS from that point on...forever.

I've done some reading on here, and some older threads mention it not being possible to restore iCloud backup in addition to DEP + Prestage enrollment. This would be disappointing with the latest versions of everything.

Edit: I can also confirm that restoring from iTunes backup results in the same issue. Stuck at "Installing configuration from..." with no data being sent to or received from the JSS.

Anyone out there successfully doing this, or am I dreaming?

Cheers,
Gavin

14 REPLIES 14

cdenesha
Valued Contributor II

Hi Gavin,

I was on some of those original threads although My current district no longer uses iCloud backup.

It is a problem to go from one Supervision entity to another with the same device. However you have new devices so it should work. I'd contact Support.

chris

mlavine
Contributor

@Kennedy What you are encountering is a known issue with iCloud Backup and Restore of a supervised device. I should preface this by saying that we use MobileIron for our iPhones but the same idea applies as this is specific to the backup and restore process and not the management software.

When a user gets a new iPhone enrolled in DEP and they try to restore a backup from their old iPhone, also a supervised device, the new iPhone is also restoring the supervision profile from the old iPhone and then can't install the new profile.

For our iPhone upgrade program we advise users to set their iPhone up as a new device instead of restoring from a backup.

If they need to restore their old phone we have them follow a few steps first:

1) Uninstall the MobileIron application.
2) Remove the management profile.
3) Backup their old iPhone to iCloud.
4) Restore backup to new device.

Once they restore the backup to their new device, the management profile will be reinstalled and the rest of the process will continue normally.

Kennedy
New Contributor II

Our devices aren't supervised, but they are enrolled. I'll try removing the MDM profile, doing a fresh backup and restoring that with prestage enrolment and I'll report back.

Thanks for the input.

Gav

Kennedy
New Contributor II

Even with an unsupervised device, removing the MDM profile before performing the backup allows the whole process to go through correctly.

I still believe this is a bug, as you don't always have the opportunity to do that if the phone is lost, stolen or damaged beyond use.

I assume everyone else is seeing the same issues?

Gav

mlavine
Contributor

@Kennedy I also believe this should be considered a bug but I believe I remember reading that it was intentional to an extent.

Here is the reference: https://www.jamf.com/jamf-nation/discussions/10528/dep-pre-stage-enrollment-or-icloud-restore

Kennedy
New Contributor II

Yeah I've seen that thread, but I don't get why it might be intentional.

I feel like iCloud backup on unsupervised device, device is stolen, then iCloud restore on new DEP prestaged device should work.

hawaii-5-0
New Contributor

I may be having the same issue with performing iCloud restores in a supervised (and DEP) environment. The first half of the iCloud restore goes normally: signing into wi-fi; enabling location services; selecting restore from iCloud; signing into iCloud; accepting terms; waiting for the restore to download; and watching the iPad reboot.

It is the second half that exhibits the problem. I "continue" after the "completed update", then I patiently wait between screens as I hope and pray not to get stuck on the same "Installing configuration..." screen you mentioned. (JAMF support suggested giving it time between these screens.) Then I enter the credentials at the enrollment Log In screen. I know when it fails when I don't see "Configuring iPad" at the top of the next screen.

Today I completed iCloud Restores for 5 iPad Pros. Two went without any issue. The other three were repeated over 7 times each, hoping that they would take at some point. What I noticed was the first two did not have iCloud Photo Library turned on. So I tried turning OFF iCloud Photo Library and running a totally new iCloud backup. This restore then completed.

On the next two, I turned off iCloud Photo Library, and tried restoring again (without running a full new iCloud backup). The first time, it failed. But the second time, perhaps after the iCloud servers updated information, both restores completed.

If anyone else runs into the problem of getting stuck at "Installing configuration...," lets see if your devices also have iCloud Photo Library turned on. Then you can see if turning that option OFF, and giving it some time, makes this problem go away.

hawaii-5-0
New Contributor

Wanted to provide an update to this situation...

For a couple more cases where the restores got stuck at the same place, turning OFF iCloud Photo Library didn't help. But what I tried additionally, which may have helped to get the process to complete was to 1) update the iOS to 10.1.1, and 2) perform a Reset All Settings. Keep in mind that the Reset All Settings says it doesn't delete "data" but I do know that it at least requires you to re-establish your Wi-Fi connections and to manually turn Location Services back ON. I then run another iCloud backup for the iPad.

I still patiently wait between the screens. For these two cases, the Reset All Settings may have helped to complete the restore process. Basically, I'm trying all sorts of things and pray they work. I have wasted too much time running restore processes over and over again when they fail. Someone please tell me there is a decent solution to this.

RLR
Valued Contributor

I've been seeing this quite a bit recently. Sometimes trying a different iPad works but not always. The only way round it that I've found is to restart the iPad once it gets stuck at the Installing Config page and quickly go through the setup before it connects to wifi. Once at the Installing Config profile page press the home button and the iPad will go to home screen and carry on restoring - this has to be done very quickly. This means the profile never gets installed but I can then manually enrol the device by going to jss.name.com:8443/enrol . This is very messy but it's the only solution I've found.

ItsMe_Sean
Contributor

I have seen this issue recently with changing supervision identities on iOS devices, IE. with 2 different JSS servers.

Refer to my post on this thread for how I worked around it.
It ends up being a certificate issue for me.

https://www.jamf.com/jamf-nation/discussions/21929/ios-10-1-10-1-1-restoring-and-installing-configur...

I recently have had this issue in our environment, here's what I did to work around the issue. **Note, we have 2 JSS servers running and the issue was with migrating this users data from 1 iPad on the old server to an iPad on the new server. Both servers use DEP No attempts of restoring the data was working at first and when the data was restored to the replacement DEP iPad, it got to the configuration screen for enrolment login and sat at the "Installing configuration from xx" screen indefinitely. It turns out that even if the users data was restored to an iPad not enrolled with any JSS, it still contains the JSS CA cert hidden in the root trust store and since this cert did not match the cert on the new server, it would stall during the enrolment (likely) because it is trying to use currently installed CA cert for the JSS and being rejected. Usually this cert is downloaded and installed during enrolment, but seeing as this cert already "exists" it doesn't try to download and overwrite it with the new cert. The way I got around this is by downloading the CA cert from the new server and loading it into a MDM profile and installed it via Configurator. Once installed, a backup is taken of the device and restored to the DEP iPad, it then enrolled successfully and it was on it's way off my desk.

hawaii-5-0
New Contributor

Still no solution, and no idea what is causing this for us. I was told that Apple engineers are looking into it, but they gave me the impression that this is a rare case and of little significance to them.

I have done a lot of iCloud restores over the past several weeks as a bunch of 12.9" iPad Pros have come in with various issues (which could end up being a whole different posting). The problem restore does appear to be getting worse. I spend all day long attempting to complete iCloud restores over and over again, hoping things go through. And maybe because I'm so numb to it already, I don't really pay attention to all the options I am selecting on the screen.

The last couple of times that a restore completed successfully, I don't recall seeing the "Location Services" screen after the reboot and Update Complete screen. Does anyone else get the Location Services screen at that later stage of the restore process?

pkerobinson
New Contributor III

We're seeing the same thing, iPads that were enrolled on a local JSS, backup to iCloud, then restored but connecting to a JAMF hosted instance. Typically in that scenario we either don't see the config screen at all, even though we know they're assigned to us in DEP and have a prestage enrollment scoped, or they get stuck on the installing config screen. For days, in one case, until I gave up and used DFU mode to erase and start over as a new iPad.

What's more odd is that when we made the switch between servers, back in August, we had a whole lot of people do exactly this process with no problem. I'm wondering if one of the updates this fall has caused the issue.

Will try unenrolling then creating backup, then restoring that.

Mikro
New Contributor

Is it possible to take a non DEP enrolled device and back up to iCloud, then wipe enroll in DEP and then restore the backup from iCloud without breaking DEP enrollment? I

CairoJXP
Contributor

I'm having this same issue. I need to restore an iCloud backup of a student's iPad (that's in DEP) to a loaner of ours which is also in DEP. The loaner gets to the second configuration and says installing cofiguration, but locsks up and I have to DFU wipe it. I was told a work around was to restore an iCloud backup from a DEP device to a device that's not in DEP or JSS. After it's restored, do a backup. Then run your DEP device (in my case, the loaner) through and restore that latest backup and it should work. We don't have any non DEP devices, so I haven't tried this.