After a clean install of macOS Catalina, the device does not recognise that it is remotely managed. Instead, after connecting to Wi-Fi (corporate or hotspot), it takes you to the usual setup steps for a brand new device: transfer data, create local account, etc.
I checked the status of the device in DEP assignments; it was still marked as "Assigned".
I then deleted the computer record from JAMF. No change on the device; however, the DEP assignments table now reports "Unassigned".
Logged into Apple Business Manager and assigned device to JAMF MDM, no effect on device.
The device is essentially a new device and has no connection to our MDM, this is concerning because if the device was stolen we would have no way to track or manage the device and the thief could set the device up as their own. Even though the serial number is assigned to our MDM in Apple Business Manager and it appears as "Unassigned" in the prestage enrolments.
@djrory Have you tried erasing the Mac more than once and seeing if the failure repeats? There is a known issue with some fresh out of the box Macs failing to connect to the Apple server that does the MDM handshake. The suggested "fix" is to erase the Mac, re-install macOS and try again. That has worked on multiple Macs my org has encountered the problem on.
@djrory There are multiple AppleCare Enterprise cases open for this, so it's definitely got visibility and Apple engineering is working on it. When they'll have it fixed is anybody's guess.
As for what needs to be done in Jamf for a Mac that exhibits this behavior, that should be nothing besides what you initially did to prepare for the Mac to go back through DEP/ADE. Since the problem is that the Mac never gets a connection to Apple's servers that do the MDM handoff, there isn't any change in the PreStage Enrollment state for the machine, so an erase and macOS re-install should be all you need.
@joecurrinkys So I had a co-worker who's setting up new laptops do this today, and Terminal pulled up as the root user and it worked for him. I also tried it on a test computer and Terminal pulled up as _mbsetupuser and I was unable to sudo. I'm not 100% sure why one was able to be root and another was not.
No luck, tried the method mentioned above but the device still goes to the regular setup process.
I have a feeling I am doing something wrong with the JAMF removal and assignment process.
I am doing the following...
1. Reinstall OS
2. Delete computer from JAMF
3. Unassign in Apple Business Manager
4. Assign in Apple Business Manager
5. Boot the computer
6. No "Remote Management" prompt, just regular setup process.
I'm seeing something similar but different, in that our DEP instance has, since some time this weekend, begun to somehow push devices to our test server, which has not had an entry in our ABM for several years. Even running profiles show -type enrollment on existing machines is pulling down that they are pointed to the test server. I've tried removing devices from ABM and reassigning, but 50/50 come back as unassigned and never pick up their prestage. This has by and large worked without issue for several years, so it is a bit concerning. I've a case open with support but I will be contacting Apple today to open a case as well.
I too am seeing many more inconsistencies with DEP/ABM at the moment. I've had three users this week get the management prompt; 1 of them hit next, set up, and Jamf completely didn't recognize his computer as a managed machine once he got in. Had to do a full wipe to get it to work. Had another that failed at the management screen and had to do a wipe, and had another that never showed the management screen. That was resolved by running the -profiles command above to resolve it.
Found a workaround (which I hate to even think about, thanks Apple!) Restart and at the very first screen for language choose yours and hit CTRL+OPT+CMD+T to get the root terminal, then:
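A read-only check for the situation described in the post above (a Mac whose enrollment record points at the wrong MDM server), added here as an example and not part of any poster's message. It parses the output of profiles show -type enrollment; the sample output, its layout, and the host names are constructed assumptions, and EXPECTED_HOST is a hypothetical placeholder for your production Jamf host.

```shell
#!/bin/sh
# Added example: report which MDM host a Mac's ADE/DEP enrollment record names.
# On a real Mac (as root):
#   profiles show -type enrollment | check_enrollment "$EXPECTED_HOST"

EXPECTED_HOST="jamf.example.com"   # hypothetical production host

# Constructed sample of `profiles show -type enrollment` output.
# The key = "value"; layout is an assumption about the tool's format.
sample_output() {
cat <<'EOF'
Device Enrollment configuration:
{
    AllowPairing = 1;
    ConfigurationURL = "https://jamf-test.example.com/cloudenroll";
    IsMandatory = 1;
    IsSupervised = 1;
}
EOF
}

# Read enrollment output on stdin, print the host part of ConfigurationURL.
# Prints nothing when the key is absent (no enrollment record returned).
enrollment_host() {
    sed -n 's|^[[:space:]]*ConfigurationURL[[:space:]]*=[[:space:]]*"\{0,1\}[a-z]*://\([^/";]*\).*|\1|p' |
        head -n 1
}

# Classify the record against the expected host given as $1.
# Prints one of: ok, wrong-server:<host>, no-record
check_enrollment() {
    host=$(enrollment_host)
    if [ -z "$host" ]; then
        echo "no-record"            # Mac would fall through to normal setup
    elif [ "$host" = "$1" ]; then
        echo "ok"
    else
        echo "wrong-server:$host"   # e.g. a stale test instance
    fi
}
```

A no-record or wrong-server result before handing a Mac to a user is the cue to fix the assignment in ABM and the PreStage scope first, rather than discovering it at the Setup Assistant.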
sudo profiles -N
Set up the keyboard and now the management screen appears. Guuuuh! So much for Zero IT touch :(
@Swesymphony you were likely getting that "profiles: missing profile identifier" because of a syntax error. The correct command is
profiles renew -type enrollment
I think I narrowed down my issue to a fault on my part for having a test database that was running old data (but still the active token) that was all "fine" until I'd changed the test database's URL to test something else. I'm thinking there was a race condition previously unnoticed because all devices were pointing at the correct production URL. I also think something happened to force ABM to resync on my production instance, as there was a time stamp from Sunday morning to basically reset all of my devices into an unassigned state, though I'm not sure if that was an Apple, Jamf or user error.
Has anyone found that there are also issues with account creation having issues in addition to DEP not fully enrolling? Generally when I do a pre-enrollment and it succeeds, it appears in my Jamf Pro as MacBook Pro, while when it fails, it will appear as DEP - Serial Number and all the information about the computer will be wrong, like the operating system. Deleting the entry and wiping the computer resolves it, but it's a terrible onboarding experience for a new hire to have to wipe their machine. I had two users complete successfully on Saturday and Sunday without me, and then since Monday all 4 new machines have these errors. I'm wondering if there is a way to leverage the terminal to ensure a connection to the server before proceeding?
Command worked for me, except for an M1 MacBook Pro running macOS 12.5, where I had to execute that command AFTER going through Setup Assistant. Then I used the System Preferences option to "Erase all Content and Settings" and then went through Setup Assistant again. This time around the Remote Management screen appeared in Setup Assistant. When the "profiles renew" command actually works on a logged-in Mac, you should see a Notification Center pop-out from the right side of the screen informing you to enroll the computer. If you don't see this notice in Notification Center then most likely something else is wrong with the computer's ASM/ABM related settings - whether that be on your or Apple's end of things.