Description
This article provides steps for troubleshooting Automated Device Enrollment issues with computers and mobile devices.
You can follow the general troubleshooting steps which covers many of main causes of Automated Device Enrollment failure or look at the steps for the specific scenario you are encountering (some of these steps overlap with the general steps).
General Troubleshooting Steps
Check the items below. If you make changes to one of these items wipe the device and then try re-enrolling in the Setup Assistant to see if the issue remains.
Check the MDM Push Certificate expiration in Jamf Pro under Settings > Global > Push Certificates > MDM Push Notification Certificate and if needed renew the certificate: Renew MDM Push Notification Certificate.
Verify the Automated Device Enrollment token is not expired or experiencing any syncing errors in Jamf Pro under Settings > Global > Automated Device Enrollment > Instance Name.
If there is an error or it is expired, renew the token: Automated Device Enrollment Integration
Verify the device is assigned to Jamf Pro MDM Server in Apple Business Manager or Apple School Manager.
Verify the device is assigned to a PreStage in Jamf Pro.
This can be seen under Scope on a PreStage enrollment with a checkbox, or you can look in Jamf Pro under Settings > Global > Automated Device Enrollment > Instance Name > Devices and filter by Serial Number. Under the PreStage Enrollment Category we should see the PreStage that the device is assigned to.
Verify the SSL certificate settings and certificates within the PreStage Enrollment.
For on-premise Jamf Pro instances using the Built-In CA for the Tomcat SSL Certificate:
If the certificate is expired, it needs to be renewed for successful enrollment.
Ensure there is an anchor certificate showing in the PreStage enrollment under Certificates.
For Cloud hosted or on-premise Jamf Pro Instances with a 3rd party SSL certificate:
If the certificate is expired, it needs to be renewed for successful enrollment.
Check the Certificate payload on the PreStage enrollments and make sure there is not an anchor certificate.
If there is an anchor certificate it needs to be removed or create a new PreStage for devices to be assigned to that doesn't have an anchor certificate.
For computers - Is there a large number of configuration profiles and/or enrollment packages that are deployed in the PreStage? If so, remove the profiles and packages to see if the same issue is present.
Create a new PreStage (do not clone) with a minimal configuration. Meaning:
Fill out the information in the General page but do not modify anything at or below Enrollment Customization. Don't add any configuration profiles, packages, certificates, etc.
If the new PreStage results in a successful enrollment, we can either add additional options to the new PreStage and test again or remove options from the previous PreStage to determine what is the issue.
Test enrollment on a Hotspot or alternate network. Hotspot is preferred as there isn't any blocked ports or addresses by default.
Test User-Initiated Enrollment to confirm if that aspect of enrollment works.
Specific Issues
Devices are listed as assigned-pending sync in the PreStage Enrollment
In Apple Business Manager or Apple School Manager, ensure the device is listed as assigned to the Jamf Pro MDM Server.
Unassign and 10 minutes later reassign the device to the Jamf Pro MDM Server as a troubleshooting step.
This issue correlates with steps 2-4 and 7 under the General troubleshooting steps above.
macOS device skipped Automated Device Enrollment
This issue correlates with steps 2-4 and 7-9 in the General troubleshooting steps above.
After the Setup Assistant is complete on the device that skipped enrollment run through these steps:
Ensure Do Not Disturb is turned off in System Preferences/System Settings and that the device has a network connection.
Open the Terminal app for the desired computer and enter the following command:
sudo profiles renew -type enrollmentand enter the password for the local account.If nothing happens:
Manually check the Notification Center for the enrollment prompt (especially if this is being performed while screensharing)
Run the following command:
sudo profiles show -type enrollmentIf there is no output to the show command:
Un-assign the device in Apple Business Manager or Apple School Manager
Wait 5 minutes or Jamf Pro to sync.
Re-assign the device in Apple Business Manager or Apple School Manager.
Wait 5 minutes for it to sync.
Ensure the device shows as assigned to a PreStage Enrollment and then try the profiles command again.
Click Details on the Device Enrollment window that appears in the upper right-hand corner of your screen.
Follow the prompts to install the necessary profiles in System Settings.
If this results in a successful enrollment, we may want to test a few more computer enrollments using the PreStage to ensure this was a one time event.
This can happen most commonly when there is a network issue during enrollment or a device was turned on and connected to the network prior to it being assigned to a PreStage Enrollment.
“Your credentials are either missing or wrong. Try again” error
This message relates to the “Require Credentials for Enrollment” checkbox for devices or the “Require Authentication” checkbox for computers in the PreStage.
Ensure the LDAP connection is configured correctly: LDAP Directory Service Integration
Ensure the account that is being used to authenticate has enrollment privileges: Jamf Pro User Accounts and Groups
iOS Devices or AppleTVs Skipping Automated Device Enrollment
This issue correlates with steps 2-4 and 7-9in the General troubleshooting steps above.
Wipe the iOS device/AppleTV to go through the Setup Assistant again to reattempt the enrollment.
If you cannot reset the device from Settings > General > Transfer or Reset > Erase All Content and Settings, reset the device from recovery mode.
After enrollment devices aren't communicating with Jamf Pro
MDM communication
What do the pending commands look like? Is there a pending or recently completed Network configuration profile that was installed?
Restart the device.
If the command is pending, try cancelling said command.
If it's completed check to ensure network connectivity.
Try switching networks to see if the rest of the commands kick off.
Did we utilize the Migration Assistant or an iCloud backup?
Migration Assistant notoriously does not work well with enrolled devices due to the MDM Profile. If using the Migration Assistant with macOS, do not do a Time Machine Restore. Manually Transfer the Users files is the easiest path forward.
For an iOS device that transferred data in the Setup Assistant using an iCloud backup, see: Restoring an iCloud Backup to an iOS device during Automated Device Enrollment
For macOS only:
Is 'Allow Jamf Pro to perform management tasks' checked in the device record under Inventory > General > Edit.
If no: check the box, enter in management account information (it doesn't have to match under Settings > Global > User Initiated Enrollment > macOS), and click Save.
Check to see if MDM commands will process. If not, re-enroll.
What status is reported on the device record under Inventory > General > MDM Capability?
If No: re-enroll the device.
Jamf Binary communication (macOS only)
What are the results from running
sudo jamf reconlocally in Terminal on the computer?If there is a successful inventory, more information is needed regarding how the device is not communicating.
If the result is "Command not found" or "Device Signature Error", we will need to re-enroll the device (or use Self-Heal if MDM communication is successful) but it can be helpful to try and find what caused that error in the first place.
Device Signature Error usually boils down to a policy that touches or modified the Jamf Keychain item. Check a copy of the jamf.log on the machine under /var/log to see what policies completed.