Not able to enroll a DEP Macintosh system using a Wi-Fi connection

SVC-SBDJamfAdmi
New Contributor II

What do you do if you're not able to enroll your Macintosh systems using a Wi-Fi connection? Where I work, we have Wi-Fi connections available, but the 'powers that be' refuse to allow DEP enrolled Macs to enroll into the JSS over the air. In other words, the network team will not issue the password to access the Wi-Fi.

I'm told I must use my Active Directory account and password. However, when the 'Choose Your Wi-Fi Connection' prompt appears during the enrollment process, the only option is to type in the password for the Wireless Router. That password will not be issued. My AD account password does not work at that prompt.

I can enroll any new DEP enrolled Mac from my home Wi-Fi, from a public library's Wi-Fi and from a community recreation center's free Wi-Fi with no problem.

Sure I can enroll the device by choosing "Other network" and selecting 'Connect via Ethernet'. But upper management wants Zero Touch Deployment to work OTA.

If you have a valid company network account and you are inside/on the network, you can use your AD account and password when selecting a Wi-Fi account.

Have you guys run into this situation? If so, what did you do to get around it? I'd like to resolve this issue by the end of this week. Thanks.

5 REPLIES

alv2015591
New Contributor III

Are your network people using Network Access Control? Can't you pre-add these devices to your NAC? What do you do with iPad carts, as those would be treated the same? We use a NAC, and for self-enrollment to the Wi-Fi the users can authenticate as themselves. But for institutionally owned devices we pre-register those MacBook Pros like iPads. Your Windows devices with SCCM are pre-registered into your AD domain. You should be able to do the same with your MacBook Pro devices. They might say that in Windows we don't have to pre-register, but they do with the Wi-Fi, and they use AD authentication for Wi-Fi via Group Policy. The AD guys can create the profile in the JSS for you and not give you access to modify it. They would have total control of the profile with AD service account auth.

Look
Valued Contributor III

iOS, as of a few versions ago, supports username:password on the Wi-Fi during setup; only Apple could tell us why this is not supported on macOS during setup. It's a pretty big oversight on their part.

Malcolm
Contributor II

DEP enrolment over Wi-Fi for a MacBook requires Wi-Fi authentication; there are two options.

  1. With WPA2 home, users will need a profile to install to authenticate to the Wi-Fi to allow enrolment.
  2. With WPA2 Enterprise, users will need to auth against their own Wi-Fi account from the local admin account to allow enrolment.

Follow-up to 1: it's not very secure, and it isn't helpful for tracking network usage if a generic account is used. It would also have to be installed via USB.

Follow-up to 2: the profile can't function until the device is domain joined, and a Wi-Fi connection is needed to do this step. So the user would need to pre-authenticate the Wi-Fi using their credentials before the DEP process can be started.

For brand new devices, the recommended process would be to:

  1. Have the end user create a specific admin account and password.
  2. Have the end user connect to the Wi-Fi using their user credentials over WPA2 Enterprise (via a RADIUS NAC configuration).
  3. Have the end user enroll the device manually, or via DEP (I prefer manually; in my experience the DEP prompt is not easily anticipated).
  4. Create a management account on the device through the enrolment process.
  5. Push a Wi-Fi profile which allows for authentication of Wi-Fi from the login page.
  6. Enforce a reboot after enrolment is complete.

Instruct the user to log in using their credentials after the reboot, and have a script run to delete the generic user account they created upon first start-up.

This will ensure the user can log in with their AD user, and their generic admin account is non-existent after login.

You could later have the pre-auth Wi-Fi profile removed after X days, but the end user will need to be aware of this, as they would then need to re-auth their Wi-Fi after login.

merps
Contributor III

Can you have the network team set up a "Guest WiFi" with access to the internet but not the internal network?

At that point, it would be treated the same as your home Wi-Fi, a public library's Wi-Fi or a community recreation center's free Wi-Fi.

Once the enrollment is complete, you'd be able to connect to the internal network.

Malcolm
Contributor II

Yeah, the guest method will work, but the downside is that it won't domain join them straight away, as you will need to be on the internal network for that part.