Why "user cancelled enabling mdm for local user account" error?


We are using JSS 9.100.0 and I am having a difficult time getting VPP apps to install. Scenario: Notebook with 10.12.6 doing prestage enrollment. It finishes enrollment, and then starts installing packages based on a policy for the prestage. When I look at that machine in the management tab, it shows for Management Commands "user cancelled enabling mdm for local user account" for installing the VPP apps. I did not cancel anything. It was and is still in the process of installing packages for the policy the notebook fell under. This happens when logged into the local admin account that is created during prestage.

Any ideas on why this happens every time? It doesn't seem to matter whether the notebook is being set up via prestage policy or after installing the quickadd on the machine. I get that error for trying to install VPP apps.

Yes, I know about the "sudo jamf mdm -userLevelMdm" command, but as so many people here have reported, when using that command I usually get errors like the following:
Error installing the computer level mdm profile: profiles install for file:'/Library/Application Support/JAMF/tmp/mdm.mobileconfig' and user:'root' returned 102 (New profile does not meet criteria to replace existing profile.)




Update: I ended up erasing the machine and setting it up again with prestage enrollment and got the VPP apps to install. Here are the two things I did differently. I am not sure which of the two (or both) made a difference:
1. In prestage enrollment settings, I checked the box for "allow the user to remove the MDM profile"
2. After saying to apply our JAMF configuration and selecting time zone, I waited. I waited with it at the login screen until JSS showed that all policies I have for the prestage enrollment had completed. Then I logged in with the local admin account created during prestage. It then immediately started installing our VPP apps.

Anybody out there encountered the same scenario, and which of the two things that I did made a difference for you? I really do not want to allow the user to remove the MDM profile.

New Contributor

Same thing. Most of the time erasing the device and starting over gets the apps the next time. Currently on a device I think I am on the fifth erase. Can't get beyond it. Wasting time. I have NOT done the checkbox thing. Thanks!

New Contributor

Same thing and no resolution yet. Not sure what the issue is, but I don't want to wipe and restart just to test. Anyone, including Jamf support, have any updates?

New Contributor III

When I experienced this, it was due to having 2 local accounts on the computer. One came in with the DEP enrollment, and another was being added via a policy after that.

We also bind to AD, and once bound to the domain and somebody logged in, creating a mobile account in the process, all is good again.