Now that 9.3 is released, how are we all getting the DEP program up and running?

chlaird
Contributor

I'm interested to hear how you all are using the DEP in 9.3. I've got it set up 'successfully' now, but I'm still getting errors when I try to enroll a device during the initial activation. Maybe we need to set up the prestage enrollment profiles a specific way?

I'd love to hear your success stories.

12 REPLIES 12

brushj
New Contributor III

This is partially why I have waited to start anything other than the initial enrollment. I wanted to see what others were doing. i have a meeting with an Apple engineer this afternoon to go over a lot of this stuff and see what they say because everything is supposed to be followed in such a specific order.

chlaird
Contributor

Awesome, if you find out anything interesting can you post it here? I'm meeting with the engineers on Wednesday, so I'm just gonna be poking around till then with a few test devices.

gitaum
New Contributor

Who is your apple engineer? I have been trying to set up an appointment for weeks and am getting the run around. I am also getting very vague answers about my very specific questions regarding DEP.

chlaird
Contributor

Sorry, but I don't actually know who we're meeting with yet! I think two engineers are coming for a completely different thing, but we plan on asking about this while they're here. We're about to increase our on-campus Mac population by about 2,000%, so they're coming in for logistics.

I'll post here everything I find out about the DEP though.

brushj
New Contributor III

We are getting a new engineer in north FL so that is one reason we were able to get him here. I plan on fully vetting him and will post back here after the meeting this afternoon.

roadrunner2348
Contributor

I was able to get it working just now. I wiped an iPad and it forced the MDM enrollment and I can't remove the MDM profile anymore. I initially had issues getting devices enrolled, I was getting the NSURL error 1012. I checked the console of the iPad using XCode and the URL was correct but I wasn't using the DNS name of the server. Once I created a DNS record, updated the JSS URLs and re-created the enrollment pre-stage it started working properly. If you guys have any questions about my setup just let me know.

Thanks,
Justin

John_Wetter
Release Candidate Programs Tester

We've been successfully using this in our sandbox for some time. The one thing to remember is to just get the PreStage set up and rolling and make sure the device is in DEP before you start anything. So, order of operations is important, but otherwise it is going quite smoothly.

chlaird
Contributor

I got it all set up in a sandbox today and it's running decently. Still a few bugs we're running into, so far.

On the Macbook side, things are mostly good. I've got prestage-enrollment and prestage-imaging set up, so I quickly got 5 macbooks imaged and added into the JSS. My only issue so far is that when I'm logged in as an admin account on the machine, I can still remove the MDM profile, even though on the JSS we did not check the box "Allow user to remove MDM profile". I get that admins can remove stuff, but I was hoping this would work in an enterprise environment where users are "admin" of their machines, but cannot remove our profiles (as we are owner). Maybe that'll never happen.

And, I still can't get an iPad enrolled. Prestage enrollment is set up, but I'm hitting two errors. On iPad Airs, it recognizes my organization and says it will install the config profile (mandatory), but immediately gives me"NSURLErrorDomain error -1012". On iPad 4th gens, it recognizes everything, but then just says it cannot install the profile because of a network error. I wonder if anyone else is seeing either of those errors.

andrew_stenehje
Contributor

I'm having similar errors to @chlaird with our test JSS. I'd be curious to know exactly what dns and url settings you had to modify to get it working, @roadrunner2348.

roadrunner2348
Contributor

All I meant was that I setup a DNS record for the server, and updated the JSS URL (Under Settings -> Global Management), previous to that I had clients connecting by IP address. When the iPad goes to grab the config from the JSS it doesn't like it when you try to connect by IP, at least it didn't in my case. If it helps get Xcode installed and plug the iPad in, and pull up the console, you can see the URL its trying to connect to. Also if you update any settings your going to have to wipe the iPad, it won't grab the news settings without reseting it.

joshuasee
Contributor III

I am also running into NSURLErrorDomain error -1012. To make matters worse, DEP enrollments worked initially, so I proceeded with adding devices to DEP, and am now unable to actually issue iPads. Are there any systematic troubleshooting documents available yet, or logs to check for more information on the nature of the NSURLErrorDomain error?

chlaird
Contributor

Oh goodness, this really brings me back a month. So many issues in between it's hard to remember what I've done. I remember a few things:

  1. Restore iPad using itunes and DFU mode -- once the ipad has the error, it's stuck in it until the ipad is restored.
    http://www.imore.com/tip-put-iphone-ipad-dfu-mode

  2. Make sure DNS is set up correctly.

Another, I installed the "Anchor Certificate" for my mobile-device prestage enrollment.
1. Settings > PKI > "Download CA Certificate"
2. Go into your prestage profile, click certificates, click edit, upload the cert you just downloaded.

  1. I just used this one the other day. There's a known issue with enrolling DEP ipads in 9.3. Try this fix, even though the error message doesn't match yours. It worked for me, and my error was different too https://jamfnation.jamfsoftware.com/article.html?id=365