Macs unmanaged after enrolling in the JSS

jouwstrab
New Contributor III

All of our Macs are purchased through the DEP and show up in pre-stage enrollment in the JSS. When you boot up for the first time it even asks for your username and password to authenticate with the JSS and it skips all the setup functions that we have checked in the pre-stage. When checking settings our MDM profile is installed and it is non-removable just as selected. However, when you find the newly enrolled computers in the JSS they are "unmanaged" and the only way to manage them is by using "email invitations," "sudo jamf enroll," etc.

Can anyone give me any ideas as to why they get so, so close but just do not complete the process?

11 REPLIES

bwiessner
Contributor II

@jouwstrab How long have you waited for those devices to check in? How many have you tried? What version of JSS or JAMF Pro are you on? Have you tried some reboots?

Any other info that would help?

jouwstrab
New Contributor III

We're running 9.96. I've tried rebooting and I've tried leaving devices "just sitting" for hours. It affects every new Mac we buy, or any that we re-image. It's an ongoing issue, but like I said, if I enroll them via "user initiated or via email" then there are no issues. Sorry I left out some info.

davidacland
Honored Contributor II

Only possibility that I've seen a few times is the exclusion of "enable location services" in the pre-stage settings.

More on iOS but may have a bearing. For some reason, choosing to skip it can cause MDM enrolment to fail.

And are you creating a management account in the user initiated enrolment settings? It will use that to create the management account.

jouwstrab
New Contributor III

Location Services is one of the few settings that I did not disable.

Yes, I have an account setup in the user initiated enrollment section and it even creates that account just fine. The weird part is then when you monitor that computer in the JSS it is "unmanaged" then creating an issue where, obviously, you cannot set restrictions, deploy apps, etc.

KatieE
Contributor

Hi @jouwstrab - what OS is your JSS running?

jouwstrab
New Contributor III

@kenglish Mac OSX 10.11.6

masi
New Contributor

Has anyone been able to solve this one?
Thanks!

j_meister
Contributor II

We have the same problem with jamf Pro 9.101 on Linux.

fafawe
New Contributor III

I've had one client so far with the exact same issue, here is what I did:

- Create SmartGroup with Criteria on "Not managed with management account".
- View results
- Action
- Edit the Management Account Information. Enter the same password as you are already using for the management account.

This did resolve the issue for me, but as I said, I only had one so far. :)
Hope this helps

emily
Valued Contributor III

We have seen similar things with Jamf Pro 9.101 and DEP devices; we're working with Jamf support on it. We do have to go in and re-add the management account to get it managed again, but once we do that seems to resolve it.

But like, why tho. I haven't been able to find any correlation between policies/profiles and the management being turned off yet.

In a nutshell:
- Device is enrolled (brand new OOB) via DEP and enrollment seems fine
- Within 24 hours the Mac becomes unmanaged and profiles are removed, including ones that deliver network certificates (not great)
- Re-enabling management account manually on computer record adds management and profiles back
- Sometimes it'll happen again the next day, or within a few days of the enrollment and we have to manually fix it again

rustymyers
New Contributor II

I'm seeing a similar issue with a DEP macOS device. We create the local admin account as part of the prestage enrollment and allow the user to create their own admin account, skipping all the other setup assistant items.

The machine is enrolled and creates the admin account fine, but isn't in scope for any policies because it is shown as "unmanaged".

If I edit the General settings on the computer record and check "Allow JSS to perform management tasks" and enter the same account information that is in the prestage enrollment account pane, then it works and the policies are applied.

The issue here, outside of requiring me to manually enable management, is that none of our enrollment policies get applied until after this is done. Ideally, the device should be managed by the account that the prestage enrollment creates without having to enable that configuration on the inventory record.

UPDATE:

So we figured out what was wrong in our setup. macOS DEP enrollment is technically a User-Initiated Enrollment, as it takes a person to continue through the setup assistant. I guess that makes sense. Anyway, instead of adding a user in the PreStage Enrollment "Account Settings" pane we added the account to macOS under the Platforms tab of User-Initiated Enrollment. We also selected Create Management account, hide management account, and ensure ssh is enabled for our needs.

Once that was saved we ran a DEP enrollment again and the system was managed by that account. Don't know if that'll help anyone else, but we were definitely not considering that panel needed for DEP enrollments.