Jamf Nation Community

@jwojda We purchase all our Macs directly through Apple so they are added to DEP as soon as they ship which means they have been assigned to a particular PreStage for at least a week before we get our hands on them.

The particular issue I'm seeing is that when they are connected to wifi for the first time, they don't see the particular PreStage enrolment. If you click the Back button, connect to wifi again, and click continue, they successfully see the PreStage enrolment.

Have you refreshed your DEP token?

Which size 2016 MacBook Pro's are you using also touch or non touch?

I've seen similar issues with 10.12, 10.12.1 and 10.12.2. The 2016 MacBook Pro's exhibit different behavior than even 2015 machines with variations of 10.12.

You can see a video of what I'm talking about here

https://cultureamp.wistia.com/medias/gaiq4f540s

We're seeing this exact problem, too. We've seen it with existing DEP machines plus new 2016 machines, and have seen it for at least a couple of weeks. Initially we thought it was because we're mid-switch from Meraki to JAMF, but with the arrival of new machines that were never tied to Meraki for DEP, we ruled that out.

Two of my colleagues did a call with JAMF support on Monday, and they were stumped. They asked us to capture system logs off of a successful enrollment and off of one of the misbehaving ones for comparison; since the call, none have failed. We have another batch arriving today, though, so fingers crossed.

The problem seems to happen less on a wired connection than on wireless, but has happened for us on both. We've tested on multiple networks to rule out LAN/ISP config trouble.

We are seeing it as well. all our machines are setup on wired connections as our wireless is only available once the machine is enrolled due to certificates. I not been able to try your work around as systems are in remote office due to our assumption DEP would just work like it always has. Will try your work around tomorrow and get back to you. I wonder... is this a JAMF issue or a DEP issue.

I'm seeing this same exact issue on a number of computers both on wired and wireless. I've tested on multiple networks, so I know it isn't a network issue. Sometimes we can go back and connect to wifi a second time and the prompt shows up, but not always. Has anyone found a solution to this?

I'm having this same issue...anyone figure it out?

Bump

This is s a consistant behaviour if the computer is not connected to a network. User can bypass the Pre-Stage setup and just create an account with Admin privileges and the JAMF binary never gets installed. Seems like a big hole in this process.

even after connecting to the network....and waiting hours sometimes it still will not pick up the prestige. This is very irritating.

Obligatory "I have the same issues too!"
I can see the Serial Numbers in DEP as enrolled in our JAMF server, and on JAMF when I go to the "Device Enrollment Program" section I can see the Serial number listed there assigned with the appropriate PreStage. However, when I boot the MacBook it does not get the DEP prompt.

Has anyone made any progress with these devices? I spoke to both Apple and JAMF, and still don't have a solution. Apple says this is something happening on the MDM side of things.

So as it turns out, this was happening on devices that had the incorrect time after going through the MacOS setup wizard. Why the time is off I have no clue..

That being said, if you go into the settings once you hit the desktop, uncheck automatically set time, fix the time, then set it back to automatic - then open up terminal and type: sudo profiles -N it will prompt you to accept the DEP profile again. Accepting that worked, and all was enrolled in the JSS..

So there you have it - check the time ;)

@jaymckay - have you found a way to check/fix the time during the setup?

@jackhcurtis - I haven't... i think it can happen when a computer's battery is drained so low that the internal clock also turns off. I'm sure there are other reasons as well. I haven't seen it too many more times, but when I do, I just quickly run through the setup, reset the time, then run that command. Alternatively, you can run through the setup, reset the time, then re-image and hand off to the user.

I'm seeing this occasionally as well. If I reinstall the OS DEP picks it up but was wondering if there was a better way to get it to recognize DEP..

I've seen this issue, mostly related to network latency. If you need to kick off DEP manually the command has changed to:

profiles renew -type enrollment

Seeing an issue akin to this today. Mac Mini that picked up its DEP enrollment via Wi-Fi once today but not before multiple failures this morning and now seeing failures this afternoon (failures meaning the setup assistant offering the migration assistant prompt instead of configuration by my mdm).

If I run the command profiles show -type enrollment then I can see all the details of the prestage that my Mac should have picked up, but didn't. I am not seeing any blocked communication on the firewall except NTP traffic to Apple which always ages out.

Running the `profiles show -type enrollment command doesn't do anything fast.

I'm having the same problem as @nigelg here. On a couple test machines I've given up on the PreStage enrollment to create the first admin user with SecureToken, so after running SA and creating that user manually I'm sitting at the desktop waiting for the DEP popup with no luck.
profiles show -type enrollment shows me the PreStage Enrollment settings that aren't being deployed but there's no jamf binary and no MDM profile, user-accepted or otherwise.

I'm having this same exact issue. 10.13.5 and Jamf 9.101. Fairly easy to duplicate the issue when using wifi and the Remote Management prompt is a lot more reliable when using ethernet. Apple has mentioned network latency and I saw that mentioned in a comment above. I'm not having any issues with iOS devices (iPads) getting the Remote Management prompt, only macOS. Anyone figured this out yet?

I too have been having issues getting the Remote Management screen to appear during setup with a wireless connection. Using ethernet has solved the issue for now but I've got several hundred machines to setup at the end of the year so I'm still troubleshooting the issue.

The frustrating thing is that it was all working at the beginning of the year and I can't think of any environment changes that should be causing the issue. So far performing setup over the wireless works about 5% of the time.

I've seen this and other things occurring in DEP..

I solved a lot of my issues by swithching off 'network state change' triggers..

Just interferes with everything really.
SO, if you don't need it switch off!

Just received a new order of laptops today and powered one on to see if the batch came with 10.13 or or 10.14 and...no Remote Management notice. Just went through the normal setup screens as though it wasn't associated with our JAMF instance. I logged into Apple Business Manager and verified that the serial numbers were attached to our JAMF service yesterday. It was late in the day, so I powered the machine off and will try again tomorrow.

From what I'm reading though, some of this may be caused by Wi-Fi issues? Strange, because we have been setting up laptops from our previous order though yesterday and have not had a problem during pre-stage enrollment.

I haven't had this issue before, but other issues with MDM not managing the device after DEP. Got a ticket on it and working through it at the moment. Manual and non authenticated work fine.

I have a set time settings enrolment policy script set with my configuration, but I don't believe the device is hit with an enrolment profile, pre user authentication or not.

it does seem like time related. But perhaps it is also network security related, in regards to time, is the time protocol port blocked? could the standard time default addresses be blocked?

e.g. time.apple.com
time.asia.apple.com
time.europe.apple.com

.

seems like a minor/obvious thing to check - BUT is the PreStage Enrolment configured to auto apply for newly added devices or do you need to go to your JSS and manual select to enable the PSE for each device before you try to build?

Can't speak for anyone else, but ours is set to auto assign for new devices.

I leave the 'location services' splash on at statup.. just to be safe and ours run fine now.

We've had this issue too. It was pretty frequent (meaning, bad) with versions of 10.13 prior to 10.13.6 though it still happens sometimes there. Most reliable way we've found to get it working when it happens is to use Recovery to wipe the drive and reinstall the OS. Very annoying.

Same issue here as well. smh.

This is happening in our environment as well, with brand new machines right out of the boxes. We've been DEP enrolled for years, purchasing hardware directly through Apple - our MDM tokens have been recently refreshed, our JSS is set to auto-assign new devices, we've reinstalled OSes from Recovery, Pre-Stage enrollment is stating the device is assigned, and the MDM profiles still don't populate sometimes. Like many folks mentioned above, it could have to do with network latency but we're experiencing this on wired and wireless connections.

When all else fails, setting up the Mac like "normal", creating an administrator account, and running sudo profile -N in Terminal typically gets the profiles installed. In my experience, next steps vary from there but it's a good place to start if you're at wit's end. We've got 1000+ Macs in our environment and this issue is no fun to run into.

We have this issue periodically. I recreate the prestage enrollment profiles from scratch. Works every time so far.

@smithjw

The times I've seen this happen in our environment, once I've connected to wifi and don't see the Remote Management screen, clicking the 'Back' button, connecting to wifi again, and clicking continue, seems to allow the system to see the PreStage enrollment.

I just opened a case with them for this very issue. I tried recreating the prestage, tried switching from Ethernet to Wi-Fi and going back and reconnecting....It's just not taking it. The funny thing is that I have 4 that worked without a glitch and 4 that aren't playing along, no matter what I try. I've checked the serial numbers on the case against what's MDM having as well as what's in the scope list of the prestage.....

@totalyscrewedup Were you given a solution? I think I've tried everything you suggested.

@totalyscrewedup have you heard back at all? We have this same issue with all of our macs, not just a few, and have tried all the above suggestions.

Just adding in a 'me too' to this thread.

We've had a new shipment of iMacs for our student labs, all connected via ethernet. We went through 23 machines without a hitch, then set up the next batch of 10 machines and 4 of the 10 won't get the MDM screen. So instead, after the 'select keyboard' screen we get the 'Data & Privacy' screen.

I just went through setting one of these failed ones up manually and the 'time' certainly wasn't an issue as it had the correct time. I am now attempting an 'Internet Restore' to see if that triggers the screen prompt.

@totalyscrewedup did you get any resolution to this from your logged case with Apple?

EDIT:
UPDATE: So I tried removing a machine from our JAMF's Prestage Enrolment, then I unassigned it in Apple School Manager. I refreshed our Jamf Cloud server to confirm that the machine no longer showed up in the Scope list. I then once again Assigned it to our MDM Server in ASM. I then refreshed our Jamf server until it appeared in the Scope list and reassigned it to our Prestage Enrolment! Result: It still wouldn't see the MDM management acceptance screen. Straight to Data & Privacy after the select keyboard screen.

So then I tried the 'Internet Restore' option, erased the Drive and reinstalled macOS. After the long wait for it to install I was then able to see the MDM acceptance screen and the machine was enrolled as expected! I know this is not a great option for a lot of people, but hopefully it may help some others who only have a few machines failing to be DEP enrolled.

The one interesting thing that came out of this is one of our Network Engineers did a network trace on the machines, both a failing one and one that worked and he could see no difference whatsoever in the network traffic up until the screen after the Keyboard Select screen. It was only after I click on the 'Continue' button on the MDM acceptance screen, did he see any internet traffic. So this raises the question,
"How does the computer know that it can connect to MDM Server to be configured and managed? i.e. what is it actually telling it to bring up that screen, if there is no 'outside' network traffic up until that point?" I just said it was magic!