Thursday, March 30, 2023

"We all rejoiced when Apple released knowledge-base article HT210060 (Use Apple products on enterprise networks) as it has helped to clarify which internet hosts devices need to access. It isn't always a straightforward discussion to get this access enabled, and even when the changes have been implemented, it isn't always working the way we expect. How do we troubleshoot issues with these hosts in a way that provides the network and security team the information they require, and what sort of behavior on-device would lead us to suspect that access is not configured correctly?"

Apple Documentation

Use Apple Products on Enterprise Networks

https://support.apple.com/HT210060

If your Mac and iOS clients aren’t getting APNs

https://support.apple.com/HT203609

About macOS, iOS and iTunes server host connections and iTunes background processes

https://support.apple.com/HT201999

Microsoft Documentation

Microsoft 365 network connectivity overview

https://docs.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-networking-overview?view=o365-worldwide

Assessing Microsoft Network Connectivity

https://docs.microsoft.com/en-us/microsoft-365/enterprise/assessing-network-connectivity?view=o365-worldwide

Microsoft Networking Partner Program

https://docs.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-networking-partner-program?view=o365-worldwide

Conference Presentations

Daniel MacLaughlin - MDM Not Working? Was it the proxy? It's always the proxy!

https://www.jamf.com/resources/videos/mdm-not-working-was-it-the-proxy-its-always-the-proxy/

Brad Chapman - APNS and MDM: a technical Update

https://www.jamf.com/blog/apns-and-mdm-a-technical-update/

https://www.youtube.com/watch?v=cHcX3QOrV5Q

Brad Chapman - A Push Odyssey: Journey to the Center of APNS

https://www.youtube.com/watch?v=Z-Lg9uBbmfk

Tools

Two Canoes Push Diagnostics

https://twocanoes.com/products/mac/push-diagnostics/

Jamf Environment Test

https://github.com/jamf/Jamf-Environment-Test

https://marketplace.jamf.com/details/jamf-environment-test/

Little Snitch

https://www.obdev.at/products/littlesnitch/index.html

Sunday, March 10, 2019

Automated Device Enrollment - remediation for incorrectly scoped machines

Zero-touch Automated Device Enrollment is what all the cool Apple kids are doing now - Jamf have been promoting this with their “There is no step 3” campaign and in this post-imaging world it’s a great way to get devices into the hands of the end user.

I gave a presentation at JNUC 2018 about what goes on under the hood when a device is going through Automated Device Enrollment. Since then I have had lots of folks approach me to try and work out why they have been having issues getting this to work so I figured I would try and put things into a blog post, if only so I can refer back to it when my brain forgets the correct syntax of the commands to run.

So the Mac boots and instead of seeing the Remote Management screen, the user instead gets presented with the migrate data screen !???

What went wrong. Assuming that you are not trying to use Migration Assistant as part of your Device Enrollment, this is when folks start shouting that “DEP is down” or “DEP is flaky and doesn’t work” - both of which can have merit in certain circumstances, but I have found that there is generally a more straightforward explanation.

Most issues with Automated Enrollment are due to the Mac not being scoped correctly when it first hit the network.

The serial may not have actually been allocated to your Apple School Manager, or Apple Business Manager account.
If it’s in there, it may not have been allocated to the MDM server.
If it’s correctly allocated to the MDM server, it may not have been allocated to however your MDM decides how it is going to be managed (In Jamf Pro, this is called a ‘prestage enrollment’)