Macs won't go through the full ADE on wifi

sdb
New Contributor II

Not sure what I'm missing here. We have configured our Jamf ADE enrollment process and everything is working great on wired connection. However when we try and enroll via Wireless, it will install the MDM profile but fails to deploy the enrollment package/policies.

Is there something obvious we are missing? Is there a setting somewhere that needs to be enabled for wireless enrollment to work properly? The wireless Macs are still enrolled in Jamf, it's just that the enrollment package won't deploy. Looking at the logs for the enrollment package deployment, it continually lists "Could not connect to the JSS" when trying to run the enrollment policies. However after it's done, I can install apps etc from the Self Service, so it seems the issue is only during the initial enrollment process. Thanks for any help.

11 REPLIES

junjishimazaki
Valued Contributor

Is your jamf on-prem or cloud?

sdb
New Contributor II

Cloud

junjishimazaki
Valued Contributor

The wifi you are connecting to on the Mac, is it a guest wifi or an internal corporate wifi? Also, to eliminate your wifi as the issue, can you connect to a hotspot and try to enroll that way?

atomczynski
Valued Contributor

Are you using your production network to enroll

or

are you using an enrollment or guest network?

How is your Wi-Fi profile distributed?

If you are enrolling on the network you are installing the Wi-Fi profile for as part of the enrollment process, you may see disruption in your network traffic.


As stated earlier, try
- enroll on a mobile hotspot
- enroll on your guest network

You may also want to try to enroll, and let the computer bake for 5 minutes before you sign in for the first time.

sdb
New Contributor II

We have two wifi options in our organization - a guest wifi that requires a generic username and password, and the main wifi that requires specific user account credentials (this wifi also requires trusting a cert when joining).

We have no wi-fi profile at the moment - allowing clients to connect to their preferred wifi prior to enrolling.
I'll try letting it wait for 5 mins or so after joining the network to see if that helps. If not, I'll see if I can use a hotspot for testing.

JevermannNG
Contributor II

I had a similar issue in our WiFi environment. I got the following tool from the Apple Seed website which was a great help to troubleshoot the issue: "Mac Evaluation Utility"

https://appleseed.apple.com/sp/de/downloads/projects/1001315/downloads/1015469

Bol
Valued Contributor

I believe it's timing and saw similar issues during enrollment (802.1x) when devices are scoped with a wi-fi profile set to auto connect. 

Depending where you are in the process it can be enough for Jamf to dump the enrollment, leaving a half enrolled (sometimes no binaries) machine. There's a known issue for similar;

A drop in network connectivity may cause policies with an Enrollment Complete trigger to fail.

A couple of things;

- I moved to 1 x enrollment complete policy only using the run processes payload to call policies needed during enrollment eg. jamf policy -event xx.. In and out, the rest can be done on startup / check in etc.

- If you have a network wi-fi profile scoped to devices, either un-scope it until later in the enrollment and test (eg I use the touch command for an enrollcomplete.pkg).

Or (what I did) if there's wpa2 network available, create a wi-fi profile that uses this network purely for onboarding, then remove after enrollment (select this profile to be installed first as part of the pre-stage enrollment). It looks like this;

DEP -> Onboard wi-fi installs -> All other profiles install-> Jamf / Enrollment complete tasks -> Install 802.1x profile


Lastly, get up and around this great article by Mr Purves, I'm about to myself! (It should be a feature of Jamf but hey, go community)

https://richard-purves.com/2022/03/10/repairing-broken-jamf-enrollments-for-fun-and-profit/
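One way to build the single "enrollment complete" policy described above, as an added example that is not Bol's own script: a script that polls `jamf checkJSSConnection` until the JSS is reachable, then calls each onboarding policy by custom trigger in order and only touches a marker file once all of them ran. The jamf binary path, the trigger names and the marker path are assumptions/placeholders.

```shell
#!/bin/bash
# Added example (not Bol's own script): one "Enrollment Complete" policy script
# that waits for the JSS to be reachable before chaining the real onboarding
# policies by custom trigger, so a Wi-Fi drop during enrollment does not leave
# a half-configured Mac. Trigger names and the marker path are placeholders.

JAMF_BIN="${JAMF_BIN:-/usr/local/bin/jamf}"          # jamf binary (assumed path)
MARKER="${MARKER:-/Library/Application Support/JAMF/enrollcomplete.marker}"  # hypothetical
TRIGGERS="${TRIGGERS:-onboard-profiles onboard-apps onboard-security}"        # placeholders
JSS_WAIT_ATTEMPTS="${JSS_WAIT_ATTEMPTS:-30}"          # polls before giving up
JSS_WAIT_DELAY="${JSS_WAIT_DELAY:-10}"                # seconds between polls

# Poll `jamf checkJSSConnection` until it succeeds. Returns 0 when the JSS is
# reachable, 1 after JSS_WAIT_ATTEMPTS consecutive failures.
wait_for_jss() {
    attempt=1
    while [ "$attempt" -le "$JSS_WAIT_ATTEMPTS" ]; do
        if "$JAMF_BIN" checkJSSConnection >/dev/null 2>&1; then
            return 0
        fi
        attempt=$((attempt + 1))
        sleep "$JSS_WAIT_DELAY"
    done
    return 1
}

# Fire each custom trigger in order, re-checking connectivity before each one.
# Stops at the first failure so the marker is never written for a partial run.
run_onboarding() {
    for trigger in $TRIGGERS; do
        wait_for_jss || { echo "JSS unreachable before '$trigger'" >&2; return 1; }
        "$JAMF_BIN" policy -event "$trigger" || { echo "trigger '$trigger' failed" >&2; return 1; }
    done
    touch "$MARKER"     # a later policy or smart group can key off this file
    return 0
}

# Run the workflow only where the jamf binary actually exists (i.e. on the Mac).
if [ -x "$JAMF_BIN" ]; then
    run_onboarding || exit 1
fi
```

Because the enrollment-complete trigger fires once, the script refuses to write the marker on a partial run, so a later check-in policy scoped on the missing marker can re-run onboarding.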


Bol
Valued Contributor

Sorry I just saw your post above about the guest wi-fi.

Try using the guest network in a profile installed first via the pre-stage (assuming it has appropriate network access to internal / external resources) then remove after enrollment for your usual wi-fi + cert profile.

Doing it this way allows me to enroll devices using either the wpa2 ssid or 802.1x + cert network, config profiles sort the rest out

atomczynski
Valued Contributor

Another option is to spin up a SSID for enrollment.
Depending on your organization and configuration, it can be made available to only one (or several) access points and depending on your organization you might have the physical access to these items and you connect it to power to spin up the enrollment SSID. You can rotate the password as well as needed.

sdb
New Contributor II

Thanks for the suggestions! @Bol I'm going to try this route out - a config profile during prestage, specifying the username and password, and I'll see how that goes. Out of interest, do you still have to select a wireless network during the OOBE process before the config profile kicks in (wondering as by the wireless stage we haven't connected to Jamf yet). Thanks!

Bol
Valued Contributor

Yes, we always need to either plug in a network cable or choose a wireless network (be it 802.1x or wpa2 that we have available).

I've even tried an older iMac nearby and shared wi-fi out with no auth (although I believe you need to specify a password now).