Posted on 04-26-2019 10:17 AM
Hopefully someone can help me answer this. Despite my best efforts I haven't been able to find one.
We have a fully functional DEP setup with Prestage Enrollments working for macOS. We were a little late to the party with DEP so we're still working on getting all of our devices enrolled. On occasion we'll run across a machine that didn't get picked up by our bulk import of machines into the Apple School Manager for DEP enrollment and have to enter it manually.
If we completely erase the machine AFTER entering the computer into the Apple School Manager, it works every time without fail.
If however, we miss the DEP enrollment and add it to ASM after the machine has been erased, we have to erase the machine again even if the setup assistant has not completed running.
Obviously a computer that has already been completely set up will need to be erased again, but if the Setup Assistant is not complete, it seems like you should be able to restart the computer, or step back all the way to the beginning of the Setup Assistant (all the way back to the Region selection).
This is a concern because we've had a few machines ordered that I did not have advance knowledge of (a hazard of our institutional arrangement, unfortunately). I've had a couple of techs tell me about these machines before they have been unboxed, and I was able to set them up in ASM and Jamf without issue, but in every single case I had to tell the tech to erase and reinstall the OS - on a brand-new, never powered on (since it left the factory) machine.
I understand that the Setup Assistant downloads an activation record at some point that tells the machine whether or not it has a DEP record, but my question is this: At what point does the Setup Assistant download that record, and is there any possible way to force it to re-check that record without erasing the machine again?
Posted on 04-26-2019 10:35 AM
"and is there any possible way to force it to re-check that record without erasing the machine again?"
In regards to that part of the question, as long as the computer is in your ASM (or ABM) & configured for DEP you can run the following command. It will prompt DEP level enrollment & install the correct profiles, in this case, your Jamf profile. Granted, you don't get the 'prestage' enrollment at setup utility, but it does work: a forced re-check & enrollment w/o erasing the machine. This is an Apple native CLI tool.
sudo profiles renew -type enrollment
in Terminal - for more info on this (what I've pasted below just pertains to the command I shared above; there is much more to it):
man profiles
profiles(1)               BSD General Commands Manual              profiles(1)

NAME
     profiles -- Profiles Tool for macOS.

SYNOPSIS
     profiles verb [options]

DESCRIPTION
     profiles is used to install, remove, list, or otherwise handle various
     profile types on macOS.

     Note that the command parameters have changed starting in version 5.0 of
     this tool, but the older options are still valid and can also be used.
     Use the man profiles.old(1) page to view the old parameters. These older
     style options will not be updated to provide support for some of the
     newer profiles tool features, so it's suggested you move to use the new
     parameter structure.

     To prevent unintended installations, profiles containing certain payloads
     (specifically com.apple.Safari) will require a manual verification even
     when running as root.

VERBS
     Each command verb is listed with its description and optional individual
     arguments. Most commands use the -type option to determine which kind
     of profile should be used in the command. For those commands, if no type
     is specified, the default will be to use the configuration profile type.

     renew -type profile_type -identifier identifier -output output_path
             For configuration profiles, renews any certificates for the
             specified profile. For Device Enrollment Program (DEP)
             enrollments, retry to obtain the device enrollment
             configuration, and re-enable the user notification if
             enrollment wasn't completed.

PROFILE TYPES
     enrollment
             A device enrollment program (DEP) or mobile device management
             (MDM) enrollment profile or feature.
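An added example, not part of the post above: a wrapper that checks the current enrollment state and only runs the `profiles renew -type enrollment` command from the post when the Mac reports no MDM enrollment. It assumes `profiles status -type enrollment` prints `Enrolled via DEP:` and `MDM enrollment:` lines; the two sample outputs and the function names are constructed for illustration.

```shell
#!/bin/bash
# Added example: renew DEP enrollment only when the Mac is not MDM enrolled.
# Assumption: `profiles status -type enrollment` prints "Label: value" lines.

# Constructed sample outputs (not captured from a real machine).
SAMPLE_ENROLLED='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'
SAMPLE_UNENROLLED='Enrolled via DEP: No
MDM enrollment: No'

# enrollment_field STATUS_TEXT LABEL -> prints the value after "LABEL:".
enrollment_field() {
    printf '%s\n' "$1" | awk -F': *' -v k="$2" '$1 == k { print $2; exit }'
}

# needs_renew STATUS_TEXT -> exit 0 when no MDM enrollment is reported.
# A missing or unparseable line also counts as "not enrolled".
needs_renew() {
    case "$(enrollment_field "$1" "MDM enrollment")" in
        Yes*) return 1 ;;
        *)    return 0 ;;
    esac
}

# Run as root on the Mac itself, as in the post (sudo).
renew_if_needed() {
    local status
    status="$(profiles status -type enrollment 2>&1)"
    if needs_renew "$status"; then
        echo "No MDM enrollment reported; re-requesting the DEP record"
        profiles renew -type enrollment
    else
        echo "MDM enrollment: $(enrollment_field "$status" "MDM enrollment")"
        echo "Enrolled via DEP: $(enrollment_field "$status" "Enrolled via DEP")"
    fi
}

# Only touch the system when explicitly asked to, and only on macOS.
if [ "$(uname -s)" = "Darwin" ] && [ "${1:-}" = "--apply" ]; then
    renew_if_needed
fi
```

Checking the state first keeps the script safe to run repeatedly from a policy or a tech's USB stick, and the printed `Enrolled via DEP` value shows whether an existing enrollment came from the DEP record or from a manual enrollment.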
Posted on 04-26-2019 10:33 AM
In my experience, once the machine has internet (after an erase & install) and goes through the setup pages to connect to wifi this is when DEP kicks in.
Posted on 04-29-2019 05:32 AM
@Hugonaut - That command is as close to perfect for my needs as I could have hoped for. Thanks very much!
Posted on 04-29-2019 06:41 AM
this usually works for me:
sudo profiles -N
Posted on 04-29-2019 07:07 AM
you're welcome @acb95978 glad I could help!