When does macOS check for DEP Enrollment?

acb95978
New Contributor II

Hopefully someone can help me answer this. Despite my best efforts I haven't been able to find one.

We have a fully functional DEP setup with Prestage Enrollments working for macOS. We were a little late to the party with DEP so we're still working on getting all of our devices enrolled. On occasion we'll run across a machine that didn't get picked up by our bulk import of machines into the Apple School Manager for DEP enrollment and have to enter it manually.

If we completely erase the machine AFTER entering the computer into the Apple School Manager, it works every time without fail.

If, however, we miss the DEP enrollment and add it to ASM after the machine has been erased, we have to erase the machine again even if the setup assistant has not completed running.

Obviously a computer that has already been completely set up will need to be erased again, but if the Setup Assistant is not complete, it seems like you should be able to restart the computer, or step back all the way to the beginning of the setup assistant (all the way back to the Region selection).

This is a concern because we've had a few machines ordered that I did not have advance knowledge of (a hazard of our institutional arrangement unfortunately). I've had a couple techs tell me about these machines before they have been unboxed and I was able to set them up in ASM and Jamf without issue, but in every single case I had to tell the tech to erase and reinstall the OS - on a brand-new, never powered on (since it left the factory) machine.

I understand that the setup assistant downloads an activation record at some point that tells the machine whether or not it has a DEP record, but my question is this: At what point does the setup assistant download that record, and is there any possible way to force it to re-check that record without erasing the machine again?

1 ACCEPTED SOLUTION

Hugonaut
Valued Contributor II

"and is there any possible way to force it to re-check that record without erasing the machine again?"

In regard to that part of the question: as long as the computer is in your ASM (or ABM) & configured for DEP, you can run the following command. It will prompt DEP-level enrollment & install the correct profiles, in this case your Jamf profile. Granted, you don't get the 'prestage' enrollment at the setup utility, but it does work: a forced re-check & enrollment without erasing the machine. This is an Apple native CLI tool.

sudo profiles renew -type enrollment

in Terminal. For more info on this (what I've pasted below just pertains to the command I shared above; there is much more to it):

man profiles
profiles(1)               BSD General Commands Manual              profiles(1)

NAME
     profiles -- Profiles Tool for macOS.

SYNOPSIS
     profiles verb [options]

DESCRIPTION
     profiles is used to install, remove, list, or otherwise handle various
     profile types on macOS.

     Note that the command parameters have changed starting in version 5.0 of
     this tool, but the older options are still valid and can also be used.
     Use the man profiles.old(1) page to view the old parameters.  These older
     style options will not be updated to provide support for some of the
     newer profiles tool features, so it's suggested you move to use the new
     parameter structure.

     To prevent unintended installations, profiles containing certain payloads
     (specifically com.apple.Safari) will require a manual verification even
     when running as root.

VERBS
     Each command verb is listed with its description and optional individual
     arguments.   Most commands use the -type option to determine which kind
     of profile should be used in the command.  For those commands, if no type
     is specified, the default will be to use the configuration profile type.

     renew      -type profile_type -identifier identifier -output output_path
                For configuration profiles, renews any certificates for the
                specified profile.  For Device Enrollment Program (DEP)
                enrollments, retry to obtain the device enrollment configura-
                tion, and re-enable the user notification if enrollment wasn't
                completed.

PROFILE TYPES

     enrollment
             A device enrollment program (DEP) or mobile device management
             (MDM) enrollment profile or feature.
________________
Looking for a Jamf Managed Service Provider? Look no further than Rocketman
________________


Virtual MacAdmins Monthly Meetup - First Friday, Every Month

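One way to script a check before running the re-check command from the accepted answer, as an added example that is not part of the original thread. The function name `enrollment_action` and the sample status text are constructed, and the parser assumes that `profiles status -type enrollment` prints `Enrolled via DEP:` and `MDM enrollment:` lines.

```shell
#!/bin/sh
# Added example, not from the thread: read enrollment status and only
# re-check the DEP record when the Mac is not under MDM management.

# Constructed sample outputs (assumed format of
# "profiles status -type enrollment").
SAMPLE_UNENROLLED='Enrolled via DEP: No
MDM enrollment: No'
SAMPLE_DEP='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'
SAMPLE_MANUAL='Enrolled via DEP: No
MDM enrollment: Yes'

# enrollment_action: reads status text on stdin and prints one of
#   renew   - no MDM enrollment; re-check the DEP record
#   ok      - enrolled in MDM through DEP
#   manual  - enrolled in MDM, but not through DEP
#   unknown - expected lines missing (different OS version or format)
enrollment_action() {
    awk -F': *' '
        /^Enrolled via DEP:/ { dep = $2 }
        /^MDM enrollment:/   { mdm = $2 }
        END {
            if (dep == "" || mdm == "") print "unknown"
            else if (mdm ~ /^No/)       print "renew"
            else if (dep ~ /^Yes/)      print "ok"
            else                        print "manual"
        }'
}

# Pass "run" as the first argument, on a Mac and as root, to act on the
# live status; without it the script only defines the function.
if [ "${1:-}" = "run" ]; then
    action=$(profiles status -type enrollment | enrollment_action)
    echo "enrollment state: $action"
    if [ "$action" = "renew" ]; then
        profiles renew -type enrollment
    fi
fi
```

Anything other than `renew` leaves the machine untouched, so a fleet-wide run reports state without prompting users who are already enrolled.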

5 REPLIES 5

rhoward
Contributor

In my experience, once the machine has internet (after an erase & install) and goes through the setup pages to connect to Wi-Fi, this is when DEP kicks in.

acb95978
New Contributor II

@Hugonaut - That command is as close to perfect for my needs as I could have hoped for. Thanks very much!

tsylwest
Contributor

This usually works for me:

sudo profiles -N

Hugonaut
Valued Contributor II

You're welcome @acb95978, glad I could help!
