Single machine is not fully DEP enrolling while others like it do complete.

jason_roberts
New Contributor II

Hello All,

What I did that appears to have broken this one machine:
I was using this one student machine to create a new bootable external hard drive to be used in order to restore the ASR image. Naturally, the machine installed MacOS, booted to the external, and then tried to enroll. I thought "No, I don't want to enroll this time" since I was just creating a clean boot image. So I went into the "PreStage Enrollment Config" that this machine was assigned to and unchecked its serial number. This allowed me to boot the machine a second time and not be grabbed by the PreStage so I could continue to customize my boot image - Good.
Once satisfied, I used the boot image to restore the ASR image onto the local hard drive and re-checked the machine with its corresponding PreStage.
The machine booted and did the normal "There is a configuration for this machine" thing and it created the new user and logged into the desktop like normal.
However, I noticed that the machine was not completing enrollment and the computer name in JSS was remaining "DEP - C02SXXXXXQWM" and not changing to the FLastname - C02SXXXXXQWM convention set by a policy triggered by enrollment. "sudo jamf" indicated it didn't have the binary, and that is where the machine stays. Nothing more... no Self-Service loaded or Profiles inside System Preferences.

What I have tried:
Since we have been moving away from an old server over the past four months, we still have the old server up and running.
First, I unchecked the serial number from the "Student PreStage profile" the machine was governed by on the new JSS so that it would become unassigned.
Next, I went to Apple School Manager and pointed the serial number to the old JSS so that Apple would not direct the machine to the new JSS anymore. I "refreshed" the DEP Enrollment Program profile (if you will) and watched the "Computers Assigned" count drop one machine - as expected.
Next, I went back to Apple School Manager and re-assigned the serial number back to the new JSS and clicked "refresh" once again - the "Computers Assigned" counter increased by one machine - also as expected.
Next, I went back into the "Student PreStage profile" to reclaim the serial number, expecting to find the machine serial listed again but unchecked. However, it WAS checked even though the option "Automatically assign new devices" is left unchecked in all of our PreStage profiles.
Lastly, I tried enrollment again after reformatting the hard drive and ASR restoring from any bootable external and the same thing happens. A computer ID is created in JSS but the machine doesn't fully DEP enroll, deploy Self-Service, or add the MDM Profile or JAMF binary to the machine.

In summary, I was most worried that I broke the server from being able to DEP enroll any and all machines but so far based on my testing, it is only this one machine that misbehaves.

Thoughts on this? I have hundreds of other machines to turn my attention to and this particular MacBook Air can sit on a shelf but I'm one that needs to figure things like this out otherwise "I'm proud of something I raised to adulthood but it now has that one little thing that annoys you."

Thank you for taking the time to read all of this... hope my situation comes through correctly.

9 REPLIES

cpdecker
Contributor III

This may not be very helpful, but for what it's worth during our most recent refresh in April/May, we had this exact thing happen on about 10% of machines with Sierra (10.12.x). Never saw a pattern with it except that it seemed to hit multiple machines all at the same time (e.g., set up 20 machines from 8 to 10 am, then have 5 machines in a row w/ the problem at 10:30 am).

PreStage enrollment would appear successful, but the hostname in JAMF Pro would show "DEP - Serial Number", Self Service would never be installed, and the JAMF Binary was not available via CLI.

We could fix this by reimaging the machine and trying again, or by using the QuickAdd package (although be aware that you will probably still get notifications from OS X requesting that you enroll using DEP, and, since we were blocking access to profiles in system preferences, this was a pain for us).

I hope this is helpful information in some way. Best of luck and please report back if you determine the problem!

jason_roberts
New Contributor II

Support is recommending that I upgrade from 9.98 to 9.101 (or something) or the new Jamf Pro. They had me try a new PreStage with no additional settings, accounts, etc.
....... undecided.
I'm going to play a bit more... after doing one heck of a cold backup of the server first.
Then report back.

nnewport
New Contributor III

I may be wrong on the version, but I thought 9.98 had issues with DEP if you used the account payload in your PreStage Enrollments. We were running into that issue randomly and had to update the JSS to fix it. We also had issues similar to cpdecker with the devices showing up as DEP - SerialNumber. Usually a reimage worked for us as well. Once we upgraded, the DEP process did become a lot more consistent. However, we still have certain models that will not even receive the DEP configuration. That issue seems to be limited to specific hardware and since they will never get the configuration, I don't think that relates to your issue.

wesleya
Contributor

We definitely had performance issues with 9.98 and DEP too. Upgrading to 9.101 was certainly worthwhile, but I would be tempted to roll up to 10 at this point.

jason_roberts
New Contributor II

SOLVED
We even tried upgrading to the latest Jamf Pro and still had this problem with only the one machine.

The solution was to record the UDID from the partially enrolled computer record and search for that UDID under mobile devices.
There was a record sitting there with "No Name".
I deleted that mystery mobile device record and the partial computer record and re-enrolled again from a fresh image and everything went smoothly... each PreStage configuration I tried worked smoothly.

Credit goes out to Geoff Root (Engineer).
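
An added example (not part of the original post and not Jamf's code) that turns the fix above into a fleet-wide check: it cross-references computer records against mobile device records by UDID and separates machines stuck at "DEP - <serial>" that have a duplicate from those that do not. The record layout and field names (`id`, `name`, `udid`) are assumptions about an inventory export, and the sample records are constructed.

```python
import json

# Constructed sample data (not from the thread). Field names are assumptions
# modelled on an inventory export: one list of computer records and one list
# of mobile device records, each carrying a UDID.
COMPUTERS_JSON = """[
  {"id": 101, "name": "JDoe - SERIAL0001", "udid": "AAAAAAAA-0000-0000-0000-000000000001"},
  {"id": 102, "name": "DEP - SERIAL0002", "udid": "AAAAAAAA-0000-0000-0000-000000000002"},
  {"id": 103, "name": "DEP - SERIAL0003", "udid": "AAAAAAAA-0000-0000-0000-000000000003"}
]"""
MOBILE_DEVICES_JSON = """[
  {"id": 7, "name": "No Name", "udid": "aaaaaaaa-0000-0000-0000-000000000002"},
  {"id": 8, "name": "Library iPad 4", "udid": "BBBBBBBB-0000-0000-0000-000000000009"}
]"""

def norm(udid):
    """Compare UDIDs case-insensitively and ignore stray whitespace."""
    return (udid or "").strip().upper()

def find_udid_collisions(computers, mobile_devices):
    """Return one finding per computer whose UDID also exists as a mobile device."""
    mobile_by_udid = {}
    for dev in mobile_devices:
        if norm(dev.get("udid")):
            mobile_by_udid.setdefault(norm(dev["udid"]), []).append(dev)
    findings = []
    for comp in computers:
        for dev in mobile_by_udid.get(norm(comp.get("udid")), []):
            findings.append({
                "udid": norm(comp["udid"]),
                "computer_id": comp["id"],
                "computer_name": comp["name"],
                "mobile_device_id": dev["id"],
                "mobile_device_name": dev["name"],
                "partial_enrollment": comp["name"].startswith("DEP - "),
            })
    return findings

def stuck_without_collision(computers, findings):
    """Computers still named 'DEP - ...' with no duplicate: a different cause applies."""
    hit = {f["computer_id"] for f in findings}
    return [c["id"] for c in computers if c["name"].startswith("DEP - ") and c["id"] not in hit]

if __name__ == "__main__":
    comps, mobs = json.loads(COMPUTERS_JSON), json.loads(MOBILE_DEVICES_JSON)
    found = find_udid_collisions(comps, mobs)
    print(found, "stuck without duplicate:", stuck_without_collision(comps, found))
```

Each finding names the two record IDs to review before deleting anything; machines in the second list need a different remedy, such as the reimage or profile renewal described elsewhere in this thread.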

sburt
New Contributor III

Seconded on having seen this happen where Computers show in Mobile Devices. Glad to hear we're not alone, but would love to see this get isolated.

sbrennan
New Contributor III

Just happened to me last week, first time I have ever seen this issue.

MLBZ521
Contributor III

I ran into this same issue a few weeks ago. Thankfully it's only happened on one machine so far.

Meant to +1 after someone on the MacAdmins Slack linked me to this page, but forgot. So, here's a bump for more visibility.

dhorsfall
New Contributor

I know this is a few years old, but somehow it came up first in Google. 

This appears in this case at least to have been an interrupted setup process, where the computer was suspended or internet dropped or something during setup - User could see a small subset of the profiles, but Jamf would not check in. 

Fixed by renewing the enrollment profile:

sudo profiles renew -type enrollment

and after a few mins the machine setup began.

I'm glad this is rare, but putting this here for the next person who might run in to it - heck, it might even be me again!