Posted on 03-19-2021 05:49 AM
Hello. I just finished enrolling 42 MacBooks (40 M1 MB Airs) and (2 MB Pros). We use Apple School Manager and DEP. After taking way too much time to configure them since DEP would hang, they're finally done, at the school, but now when they're turned on, the Apple shows, and after halfway through the line going across the screen, everything stops unless we turn the Mac off. If we start in recovery mode or connect the Mac to ethernet, it loads fine all the way to the NoLoAD screen, and a user can sign in. I've never known of Macs not fully loading simply because they're not connected to wifi. Is anyone else seeing this happen?
Posted on 03-19-2021 06:14 AM
@ZG-Banks This smells like an AD or Nomad Login issue. Use auth changer to change it back to the normal login window and see what the boot process does after that.
Posted on 03-19-2021 04:50 PM
@mainelysteve I will definitely try that. I spoke to Jamf today on a separate issue, and he gave me some steps to take that others have suggested regarding Automated Enrollment and my issue. Actually, let me post it in case others are having this issue.
Here is the workflow that I mentioned about resetting the DEP Cache when hanging on the activation record during enrollment. Something to try next time:
When a freshly built or rebuilt Mac gets to the “country choice” screen as part of Setup Assistant, and is connected to a network, the device checks in with Apple to see if it is assigned to be enrolled to an MDM service using Automated Device Enrollment (what we used to call DEP). If you forget to assign the device to the correct MDM service before getting to this point, it can be difficult to get it to enroll to the service you intended without reinstalling the OS once again. In recent times, the following command, which is supposed to reset the DEP cache, has become more reliable:
sudo profiles renew -type enrollment
The question is, how to run this command during the Setup Assistant process? You can bring up Terminal during Setup Assistant, but since there is no admin account on the device up to the point when Device Enrollment takes place, one cannot run the above command.
Gaining root access at the Setup Assistant to be able to run the above command, we need to gain root access.
First, we need to re-enable the Language Chooser Screen, which is the first screen in Setup Assistant but is not shown by default on computers more than once.
To do this, we can do one of two things:
Enabling the Language Chooser screen on Macs without a T2 chip
Boot into Single User Mode using Cmd-S.
On a Mac running Catalina or greater, run the following commands: mount -uw /System/Volumes/Data touch /var/db/..RunLanguageChooserToo reboot
On a Mac running Mojave or earlier, run the following commands, replacing the volume name if your system volume is not named Macintosh HD: mount -uw / touch /Volumes/Macintosh HD/var/db/..RunLanguageChooserToo reboot
Upon restarting, you should see the “language chooser” screen.
Enabling the Language Chooser screen on Macs with a T2 chip:
Single User Mode is not available on T2 Macs, so instead, boot into Recovery Mode using Cmd-R and open Utilities > Terminal (you can also do this on non-T2 Macs if you wish). Then, run the following commands:
chroot /Volumes/Macintosh HD
Now, quit Terminal, and reboot back into the system volume, and you should see the “language chooser” screen.
Opening Terminal as root on the Language Chooser screen:
To open Terminal at this screen, click Ctrl-Alt-Cmd-T (all keys pressed together). Terminal at this point is running as root. So, now you can run:
profiles renew -type enrollment
Then close Terminal and continue with Setup Assistant as normal. In my recent experience this has always been successful in resetting the DEP cache so that it will check in with Apple again and get the correct current DEP status.
Posted on 03-23-2021 10:01 AM
I have had pretty good success with the profiles command lately. Zero touch deployment is something we've done a lot since the pandemic, and often users don't successfully connect to a network in setup assistant, so even if they manually enroll in MDM later, they show up as unsupervised. But I've applied the profiles command (provided the s/n is is a prestage group) to retroactively get them supervised months after initial setup with pretty good success rates.
Posted on 05-13-2021 06:18 PM
@ZG-Banks have you actually seen this method working? I saw it on Graham Pugh's site as well https://grahamrpugh.com/2020/02/21/resetting-dep-without-reinstalling.html but I've tested it without success. I've tried
mount -uw /System/Volumes/Data touch /var/db/.RunLanguageChooserToo reboot
chroot /Volumes/Macintosh HD touch /var/db/.RunLanguageChooserToo
The first method, that location isn't found to mount. I also tried the same method mounting /Volumes/Macintosh HD, with the same result. I check and the .RunLanguageChooserToo file is in /var/db, but I'm not shown the language chooser screen on reboot where I can open a Terminal window with root.
Also tried mounting /Volumes/Macintosh HD - Data but got "unknown special file or file system /Volumes/Macintosh - HD/."
When I try the chroot method, after the chroot command, I get "Killed: 9" and while I can successfully create the .RunLangaugeChooserToo file, I still don't get that screen on reboot.
I think you may be right @teodle that Apple has completely locked this method out, which is a shame. Hate to have to do a full erase & install if someone accidentally advances in the setup assistant before a device is assigned. Would love to find a working method though if anyone has one.
Edit: Immediately after posting the above, I tried
mount -uw /Macintosh HD/var/db/.RunLanguageChooserToo touch /Macintosh HD/var/db/.RunLanguageChooserToo reboot
This worked to bring back up the language chooser, but cmd-opt-ctrl-t does not open a Terminal window. I think Apple has killed this method.
Edit 2: I should add that all my testing was on M1 devices running Big Sur. I've still seen the language chooser method working on Intel/Catalina devices.