Robert White

I had several macOS laptops not getting an updated WIFI configuration profile. The affected devices weren't getting any Apple MDM profile updates at all. Config profiles that are issued direct from the server deployed properly, and all other filesets also deployed fine. In case you have something like this, I wanted to share. It saved me from erasing/re-provisioning several laptops and took a while to develop and test.

This isn't an issue with FileWave, but an issue with Apple. I worked with FW support and the agent had me test a command to re-enroll the device [profiles renew -type enrollment]. Three hours later the Apple MDM command was executed and I was given an enrollment prompt to re-enroll the device, which fixed the issue. What the heck Apple... Three hours?

I've tested this on macOS Catalina, Monterey, and Ventura. Test this on something you can reset before trying on production.

Important Note: All my test machines are Intel processors. I need to check this on M series processors. It should work, but I've not validated M series at this time.

If you have a macOS client that is fully DEP enrolled and not updating its Apple MDM deployed configuration profiles, you can run through this in 10 to 15 minutes. You can't do it remotely as you need to enter Recovery Mode. You must have hands on the device and an internet connection, and if your device(s) have firmware passwords set, you need that too.

Here you go. Please be comfortable in a terminal window before proceeding...

1. Boot into Recovery Mode by holding Cmd+R.
2. Select Terminal.
3. Disable System Integrity Protection:

    csrutil disable

   You will get a confirmation that System Integrity Protection is disabled. You need to reboot for changes to take effect.
4. Reboot and log in as an admin user.
5. Open a terminal window, sudo bash and run the below script to delete all configuration profiles.

    #!/bin/bash
    # Rob did this. 2023.03.15
    # Remove every installed configuration profile, then recreate the
    # empty Settings directory and the marker files.
    rm -rf /var/db/ConfigurationProfiles/*
    mkdir /var/db/ConfigurationProfiles/Settings
    touch /var/db/ConfigurationProfiles/.profilesAreInstalled
    touch /var/db/ConfigurationProfiles/Settings/.profilesAreInstalled
    # warning... It runs in a second and reboots. Get ready to hold down Cmd+R
    # you could echo the commented out warning to prompt you to hold Cmd+R
    reboot

6. Quick, it's rebooting, hold Cmd+R to boot into Recovery Mode.
7. Select Terminal.
8. Re-enable System Integrity Protection:

    csrutil enable

   You will get a confirmation that System Integrity Protection is enabled. You need to reboot for changes to take effect.
9. Reboot and log in again as an admin user.
10. You can check your enrollment status for kicks. Open terminal and sudo a shell so you can be root (sudo bash and enter your password when prompted):

    profiles status -type enrollment

   You'll see the device is not enrolled.

    Enrolled via DEP: No
    MDM Enrollment: No

11. Now you have cleared all configuration profiles on your device. You'll be prompted to re-enroll instantly, like the first time you connect a new laptop that's properly associated in ASM/ABM and you've prepped the DEP association in FileWave.

    profiles renew -type enrollment

   You will instantly be presented with an enrollment popup request. Follow the prompts and enter your enrollment credentials. Give it a few seconds or a minute and you can check to see all of your profiles installing.

If you want to quality check and verify things are set up as they should be, log in as an admin user and check your status on the client from a terminal:

    sudo profiles status -type enrollment

You'll see you are enrolled.

    Enrolled via DEP: Yes
    MDM enrollment: Yes (User Approved)

You may or may not see this next line and I don't see a difference in impact.

    MDM server: https://servername.something:20443/ios/mdm

Check your status on FileWave admin; it will show as Server only. But you want to see Fully Enrolled. Reboot and check again. Upon reboot, it will show as Fully enrolled.

That's it. You can pull off the whole process in 10 to 15 minutes if you are adept. Or you could wait a few hours for Apple to finally get with it and run the profiles renew -type enrollment command. But, I think given physical access, and unpredictability of Apple MDM, this is my new process. Good luck!
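A verification helper for the end of the procedure above, as an added example that is not part of the original post or of FileWave's tooling: it confirms that System Integrity Protection is back on and that the enrollment status matches the lines quoted in the post. The function names and sample strings are constructed for illustration, and the `csrutil status` line is assumed to read `System Integrity Protection status: enabled.` exactly.

```shell
#!/bin/bash
# Added example: verify the Mac's state after the re-enrollment procedure.
# Function names are hypothetical; the sample strings are constructed.

# Print the value after "<label>:" in $1. The label match is case-insensitive
# because the post shows both "MDM Enrollment" and "MDM enrollment".
field() {
    printf '%s\n' "$1" | awk -F': *' -v k="$2" '
        { key = $1; gsub(/^[ \t]+/, "", key) }
        tolower(key) == tolower(k) { sub(/[ \t\r]+$/, "", $2); print $2; exit }'
}

# Echo a single verdict for `profiles status -type enrollment` text in $1.
enrollment_verdict() {
    dep=$(field "$1" "Enrolled via DEP")
    mdm=$(field "$1" "MDM enrollment")
    case "$mdm" in
        "Yes (User Approved)")
            case "$dep" in
                Yes*) echo "enrolled-dep-user-approved" ;;
                *)    echo "enrolled-not-dep" ;;
            esac ;;
        Yes*) echo "enrolled-not-user-approved" ;;
        No*)  echo "not-enrolled" ;;
        *)    echo "unknown" ;;
    esac
}

# Succeed only when SIP is fully enabled (assumed exact csrutil wording).
sip_enabled() {
    case "$1" in
        *"System Integrity Protection status: enabled."*) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 = `csrutil status` text, $2 = `profiles status -type enrollment` text.
post_fix_ok() {
    sip_enabled "$1" && [ "$(enrollment_verdict "$2")" = "enrolled-dep-user-approved" ]
}

# Constructed samples in the format quoted in the post.
SAMPLE_BEFORE='Enrolled via DEP: No
MDM Enrollment: No'
SAMPLE_AFTER='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'
SAMPLE_SIP_ON='System Integrity Protection status: enabled.'

if [ "${1:-}" = "--live" ]; then   # run as root on the Mac after the last reboot
    post_fix_ok "$(csrutil status)" "$(profiles status -type enrollment)" \
        && echo "OK" || { echo "CHECK: SIP off or enrollment incomplete" >&2; exit 1; }
fi
```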