Apple Device Enrollment Program

When a new DEP enrolled machine powers on for the first time, the macOS Setup Assistant will launch as usual. After specifying the region, keyboard layout, and establishing an Internet connection, the Remote Management screen will appear. Please note, this process will only trigger when Setup Assistant is running.

The remainder of the Setup Assistant process remains largely similar to that of machines which are not enrolled in DEP. User account creation enforces strong passwords, 8 or more characters and non-repetitive characters.

When Setup Assistant completes, the macOS Desktop will load. The following window will appear and display the installation progress of UVM software.

You may encounter an issue in which the Remote Management screen reports that it is contacting the enrollment server, but hangs on this screen indefinitely.

Under normal circumstances, the Remote Management process of contacting the enrollment server should take less than 2 minutes. If you’re experiencing longer wait time or hanging, check the possible causes below:

1. Communication issues – One possible source of this is is that the Mac client is having trouble getting a response from the UVM’s MDM server, either from network problems or server problems or even issues with the client itself. The simplest solution is just to power off and try again.
2. Device has been enrolled in UVM MDM previously – Another possible cause of this is when a device has been previously enrolled in UVM’s MDM, and tries to enroll again, such as after an erase/reimage. You can try powering off and trying enrollment again, but if it persists contact saa-mac@uvm.edu to have the previous device record removed from the MDM’s inventory.

The absence of the Remote Management screen will occur as a result of either of the following:

1. The device is not DEP enrolled. If Setup Assistant checks in with Apple to see if it should hook up with an MDM, Apple will reply “No.”
   • Check with the Techstore to make sure the device serial number was properly registered with Apple.
   • If it has, remember that it may take a couple of days for Apple to do their part and associate the serial number correctly with our MDM. Normally this should be finished before ordered devices are delivered, but if one is purchased directly from in-stock products, you may be using it before it has had time to fully register.

2. There was no network connection when running Setup Assistant. If Setup Assistant can’t communicate with Apple, it wont know to enroll the device with an MDM.

If Setup Assistant is run without an Internet connection the Remote Management screen will not appear, the machine will not be MDM enrolled, and it will not have any UVM software or settings. To ensure the device is managed properly, do either of the following solutions:

1. Manually enroll the machine in MDM by visiting https://casper.uvm.edu/enroll from the device you wish to enroll. Once enrolled, the installed MDM profile will need to be manually approved. Approve the MDM profile in System Preferences –> Profiles.
   
2. Respond to the “Device Enrollment” notification – if the device is not manually enrolled in our MDM, the user should eventually see a notification prompting them to enroll their device. If they click “Skip”, the notification goes away, but will return again.
   

The “post-setup” software install window should appear after a user is logged into their Desktop for the first time. However, there are several reasons why this window would not appear.

1. Device did not MDM enroll – One possibility is the overall enrollment process failed.

   • Verify the MDM profile exists in System Preferences -> Profiles.
   • If it does not exist, reimage the machine or manually in MDM and approve the MDM profile.
2. Not network connected, or software server is not reachable –  Managed Software Center must have been installed during the MDM enrollment process, there has to be a network connection, and the Managed Software Center server must be reachable. The LaunchAgent that spawns this window will quietly wait in the background until all these conditions are met.
   • Verify the machine is connected. Wired connections may need to be netregged,. If using Wireless, verify that the machine is connect to UVM (not UVM Guest)
3. Enrollment policies failed to execute, or are still in the process of executing – This window also only appears after all the components required for it to run have finished downloading. If you breeze quickly through Setup Assistant, you may finish it before everything has had a chance to install.
   • Give it a few minutes to ensure all content necessary for this process has been installed on the machine.
   • Check the log file in “/Users/${USER}/Library/Logs/UVM/DEPsetup.log”
   • Reboot the machine to re-launch the LaunchAgent
4. It’s actually fine – It may not show up because it doesn’t need to.
   • The device may have been pre-imaged by ETS prior to delivery to the primary user.
   • Check for the presence of “/Applications/Managed Software Center.app”. If this exists, the machine should be managed.