No Remote Management prompt after clean OS install

djrory
Contributor

After a clean install of macOS Catalina, the device does not recognise that it is remotely managed. Instead, after connecting to wifi (corporate or hotspot), it takes you to the usual setup steps for a brand new device: Transfer data, create local account, etc.

I checked the status of the device in DEP assignments; it was still marked as "Assigned".

I then deleted the computer record from JAMF; no change on device, however the DEP assignments table now reports "Unassigned".

Logged into Apple Business Manager and assigned device to JAMF MDM, no effect on device.

The device is essentially a new device and has no connection to our MDM, this is concerning because if the device was stolen we would have no way to track or manage the device and the thief could set the device up as their own. Even though the serial number is assigned to our MDM in Apple Business Manager and it appears as "Unassigned" in the prestage enrolments.


sdagley
Esteemed Contributor II

@djrory Have you tried erasing the Mac more than once and seeing if the failure repeats? There is a known issue with some fresh out of the box Macs failing to connect to the Apple server that does the MDM handshake. The suggested "fix" is to erase the Mac, re-install macOS and try again. That has worked on multiple Macs my org has encountered the problem on.

djrory
Contributor

@sdagley let me try that and report back!

djrory
Contributor

@sdagley how frustrating that it worked. Is this just something we have to live with now? Installing the OS twice sometimes?
What is the 'correct' procedure with assigning, deleting from JAMF, un-assigning etc when installing a clean copy of OS?

sdagley
Esteemed Contributor II

@djrory There are multiple AppleCare Enterprise cases open for this, so it's definitely got visibility and Apple engineering is working on it. When they'll have it fixed is anybody's guess.

As for what needs to be done in Jamf for a Mac that exhibits this behavior, that should be nothing besides what you initially did to prepare for the Mac to go back through DEP/ADE. Since the problem is that the Mac never gets a connection to Apple's servers that do the MDM handoff, there isn't any change in the PreStage Enrollment state for the machine, so an erase and macOS re-install should be all you need.

AdamCraig
Contributor III

Go back to the choose language screen. Summon Terminal as root with ctrl opt cmd + t. Type in “sudo profiles renew -type enrollment” and click return. Then proceed through the setup assistant again.

djrory
Contributor

@strayer Thanks mate, will give this a try next troublesome device I come across.

Not applicable

Go back to the choose language screen. Summon Terminal as root with ctrl opt cmd + t. Type in “sudo profiles renew -type enrollment” and click return. Then proceed through the setup assistant again.

I thought you couldn't sudo at that stage...

AdamCraig
Contributor III

@joecurrinkys Is that a recent change? 'Cause I've definitely done these steps dozens of times, though it has been a few months.

Not applicable

@strayer I will need to investigate; we have always had to have the user enable MDM at the desktop. :/

AdamCraig
Contributor III

@joecurrinkys So I had a coworker who's setting up new laptops do this today and Terminal pulled up as the root user and it worked for him. I also tried it on a test computer and Terminal pulled up as _mbsetupuser and I was unable to sudo. I'm not 100% sure why one was able to be root and another was not.

djrory
Contributor

No luck, tried the method mentioned above but the device still goes to the regular setup process.

I have a feeling I am doing something wrong with the JAMF removal and assignment process. I am doing the following...
1. Reinstall OS
2. Delete computer from JAMF
3. Unassign in Apple Business Manager
4. Assign in Apple Business Manager
5. Boot the computer
6. No "Remote Management" prompt, just regular setup process.


jimmy-swings
Contributor II

We often see this behaviour and have raised it with AppleCare Enterprise on numerous occasions. DEP is simply not resilient and users typically need to be supported during onboarding activities.

andrew_nicholas
Valued Contributor

I'm seeing something similar but different, in that our DEP instance has, since some time this weekend, begun to somehow push devices to our test server, which has not had an entry in our ABM for several years. Even running profiles show -type enrollment on existing machines is pulling down that they are pointed to the test server. I've tried removing devices from ABM and reassigning but 50/50 come back as unassigned and never pick up their prestage. This has by and large worked without issue for several years so it is a bit concerning. I've a case open with support but I will be contacting Apple today to open a case as well.

Maks_Suski
New Contributor II

I too am seeing many more inconsistencies with DEP/ABM at the moment. I've had three users this week get the management prompt; 1 of them hit next, set up, and Jamf completely didn't recognize his computer as a managed machine once he got in. Had to do a full wipe to get it to work. Had another that failed at the management screen and had to do a wipe, and had another that never showed the management screen. That was resolved by running the -profiles command above to resolve it.

djrory
Contributor

How frustrating that such a core piece of functionality for management would break (be broken) now of all times.

Swesymphony
New Contributor II

Same issue here. Noticed an increase in reports about this from IT in the last day or so and even experienced it on a new test. Does anyone have a case number with Apple we can track?

Swesymphony
New Contributor II

Also, I noticed the above terminal command works if you restart and get all the way back to the first language screen (before _mbsetupuser takes over) and can run as root.

Swesymphony
New Contributor II

Found a workaround (which I hate to even think about, thanks Apple!). Restart, and at the very first screen for language choose yours and hit CTRL+OPT+CMD+T to get the root terminal, then:

sudo profiles -N

Set up the keyboard and now the management screen appears. Guuuuh! So much for Zero IT touch :(

Could you go into a little more detail about this? I tried restarting the Mac, clicking my region, then pulling up Terminal but it is still stuck in setupuser. Running Big Sur 11.6.5.

andrew_nicholas
Valued Contributor

@Swesymphony you were likely getting that "profiles: missing profile identifier" because of a syntax error. The correct command is

profiles renew -type enrollment

I think I narrowed down my issue to a fault on my part for having a test database that was running old data (but still the active token) that was all "fine" until I'd changed the test database's URL to test something else. I'm thinking there was a race condition previously unnoticed because all devices were pointing at the correct production URL. I also think something happened to force ABM to resync on my production instance, as there was a time stamp from Sunday morning to basically reset all of my devices into an unassigned state, though I'm not sure if that was an Apple, Jamf or user error.

Maks_Suski
New Contributor II

Has anyone found that there are also issues with account creation in addition to DEP not fully enrolling? Generally when I do a pre-enrollment and it succeeds, it appears in my Jamf Pro as macbook pro, while when it fails, it will appear as DEP - Serial Number and all the information about the computer will be wrong, like the operating system. Deleting the entry and wiping the computer resolves it, but it's a terrible onboarding experience for a new hire to have to wipe their machine. I had two users complete successfully on Saturday and Sunday without me, and then since Monday all 4 new machines have these errors. I'm wondering if there is a way to leverage the terminal to ensure a connection to the server before proceeding?

bfrench
Contributor III

@strayer Thanks - first one out of the box this morning had this issue. Erase and reapply OS works but takes time. Hopefully I won't have to try this out, but from what everyone else is stating it's only a matter of time before I hit another one.

bfrench
Contributor III

Wow - like fate the next one out of the box failed. The command worked like a charm!

cgeorge
New Contributor III

Has anyone been able to get this to work on an M1 running Monterey? Even at the language selection screen, when Terminal is opened the user is _mbsetupuser, not root.

I don't think this works anymore.

jcatx
New Contributor

Command worked for me, except that for an M1 MacBook Pro running macOS 12.5 I had to execute that command AFTER going through Setup Assistant. Then I used the System Preferences option to "Erase all Content and Settings" and then went through Setup Assistant again. This time around the Remote Management screen appeared in Setup Assistant. When the "profiles renew" command actually works on a logged-in Mac, you should see a Notification Center pop-out from the right side of the screen informing you to enroll the computer. If you don't see this notice in Notification Center then most likely something else is wrong with the computer's ASM/ABM related settings - whether that be on your or Apple's end of things.
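
For the failure discussed in this thread (a Mac that finishes Setup Assistant without ever being handed to the MDM), one way to confirm a machine's state afterwards is to classify the output of `profiles status -type enrollment`. This is an added example, not code posted by anyone in the thread; `classify_enrollment` and its labels are hypothetical names, and the two output lines it parses ("Enrolled via DEP:" and "MDM enrollment:") are assumed to have the format shown in the constructed samples.

```shell
#!/bin/sh
# Added example: label a Mac's enrollment state from the text printed by
# `profiles status -type enrollment`. Helper name and labels are hypothetical.

classify_enrollment() {
    # Reads the command output on stdin, prints exactly one label.
    awk -F': *' '
        /^Enrolled via DEP/ { dep = $2 }
        /^MDM enrollment/   { mdm = $2 }
        END {
            if (dep == "" || mdm == "") { print "unknown";          exit }
            if (mdm !~ /^Yes/)          { print "unmanaged";        exit }
            if (dep !~ /^Yes/)          { print "mdm-not-dep";      exit }
            if (mdm !~ /User Approved/) { print "mdm-not-approved"; exit }
            print "dep-managed"
        }'
}

# Constructed sample outputs (not captured from a real device).
SAMPLE_OK='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'
SAMPLE_MISSED='Enrolled via DEP: No
MDM enrollment: No'

if command -v profiles >/dev/null 2>&1; then
    # On a Mac: classify the live state and flag anything not DEP-managed.
    state=$(profiles status -type enrollment 2>/dev/null | classify_enrollment)
    echo "enrollment state: $state"
    [ "$state" = "dep-managed" ] || echo "flag: device needs re-enrollment" >&2
else
    # Elsewhere: demonstrate on the constructed sample of the missed handoff.
    printf '%s\n' "$SAMPLE_MISSED" | classify_enrollment
fi
```

A result of `unmanaged` on a serial that Apple Business Manager shows as assigned is the condition the original post describes, and is worth alerting on during onboarding.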