Sunday, March 10, 2019

Automated Device Enrollment - remediation for incorrectly scoped machines

Zero-touch Automated Device Enrollment is what all the cool Apple kids are doing now - Jamf have been promoting this with their “There is no step 3” campaign and in this post-imaging world it’s a great way to get devices into the hands of the end user.



I gave a presentation at JNUC 2018 about what goes on under the hood when a device is going through Automated Device Enrollment. Since then I have had lots of folks approach me to try and work out why they have been having issues getting this to work so I figured I would try and put things into a blog post, if only so I can refer back to it when my brain forgets the correct syntax of the commands to run.

So the Mac boots and instead of seeing the Remote Management screen, the user instead gets presented with the migrate data screen !???



What went wrong. Assuming that you are not trying to use Migration Assistant as part of your Device Enrollment, this is when folks start shouting that “DEP is down” or “DEP is flaky and doesn’t work” - both of which can have merit in certain circumstances, but I have found that there is generally a more straightforward explanation.

Most issues with Automated Enrollment are due to the Mac not being scoped correctly when it first hit the network. 
  • The serial may not have actually been allocated to your Apple School Manager, or Apple Business Manager account.
  • If it’s in there, it may not have been allocated to the MDM server. 
  • If it’s correctly allocated to the MDM server, it may not have been allocated to however your MDM decides how it is going to be managed (In Jamf Pro, this is called a ‘prestage enrollment’)