How to Configure Automated Device Enrollment
Device Enrollment: Best Practices and Considerations
This article aims to walk through common questions regarding ADE as well as some workflows.
Note: ADE is a very broad tool that can produce a variety of issues with many different resolutions. This will cover the most common issues, but the information covered here may still apply to your specific issue even if it is not listed here.
Table of Contents
- Before continuing
- Problem: Device(s) are not seeing the Remote Management screen / Error: "Enrolling with management server failed"
- Enrollment Error: "A server with the specified hostname could not be found"
- ADE Token Error: "Bad status response[400]: Error retrieving DEP account: could not retrieve DEP account (error establishing DEP session [403 Forbidden]: token_rejectedForbidden)"
- Problem: Device stuck at Remote Management screen
- ADE Token Error: "error establishing DEP session [403 Forbidden] FORBIDDEN. Please verify your Automated Device Enrollment Server and try again!"
- ADE Token Error: "...T_C_NOT_SIGNED. Please verify your Automated Device Enrollment server and try again!"
- ADE Token Error: "...[400 Bad Request]: oauth_problem_adviceBad Request"
- ADE Token Error: "Could not read MIME header from file."
- Additional Note - Service Interruptions
Before continuing
The ADE process is very specific in terms of workflow and what order the steps are performed in. If things are not performed in a specific sequence, it can result in the device not properly enrolling via Automated Device Enrollment, which occurs in the Apple first-time-setup wizard (aka Setup Assistant).
Before setting up a device via Setup Assistant, we recommend you account for the following:
- If using ABM/ASM, ensure the device is assigned to the proper MDM server in ABM/ASM with an assigned or pushed status prior to powering on (more on ADE statuses here).
This can be done by viewing the Automated Device Enrollment Devices section in:
Policies > (Policy with ADE configured) > Integrations & Settings > Automated Device Enrollment
For steps on checking MDM server assignments in ABM/ASM and how to assign devices in ABM/ASM, please refer to our ADE Configuration guide.
- If using Apple Configurator, ensure the Configurator app itself is properly set up according to the applicable documentation.
With that covered, this is the ideal workflow when preparing a device for Automated Device Enrollment:
- In Addigy, the device has the "assigned" status (Note: the Scan Now button will force a re-scan of the device's status)
- Plug the device into a charger, assuming it is a mobile device like a laptop, phone, or iPad.
- If the device was already in use, wipe the device. If it is a new device, power it on
- Note: For macOS devices that have already been setup, you may be able to retroactively enroll the device via ADE by using the command discussed in this article:
Overview: Using the 'sudo profiles renew -type enrollment' Command
- Once at the "hello" screen, proceed to the WiFi setup and connect to a network.
- Proceed through Setup Assistant - you should see the Remote Management screen which will enroll the device once completed
Problem: Device(s) are not seeing the Remote Management screen / Error: "Enrolling with management server failed"
If you have one or multiple devices not enrolling through ADE, it is important to account for the following:
- Ensure the ADE token in Addigy is not expired or giving any errors. This token can be found on the Policy's ADE settings page by going to:
Policies > (Policy with ADE configured) > Integrations & Settings > Automated Device Enrollment
- If the token is expired, you can follow this guide for steps on how to renew it: Renewing an Automated Device Enrollment Token
- Ensure the device shows up in the ADE devices as "assigned". More information on how to verify this can be found in the "Before Continuing" section above.
- Ensure the network that the device is connected to is functioning properly
Note: If the device was previously stuck at the Remote Management screen and is then restarted, it can skip the Remote Management screen and sometimes Setup Assistant as a whole. If this occurs, please refer to our KB on the sudo profiles renew command, which can help enroll the device into Addigy: Overview: Using the 'sudo profiles renew -type enrollment' Command
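An added helper script (not Addigy's own tooling) for the case above: it reads the output of `profiles status -type enrollment`, decides whether the Mac still lacks ADE/MDM enrollment, and only then runs the `sudo profiles renew -type enrollment` command the note refers to. It assumes the usual macOS output lines "Enrolled via DEP:" and "MDM enrollment:"; the sample outputs in the script are constructed so the parsing can be checked on any machine.

```shell
#!/bin/sh
# Added example, not Addigy's code: decide from `profiles status -type enrollment`
# output whether a Mac that skipped the Remote Management screen still needs
# `sudo profiles renew -type enrollment`. Parsing lives in a function so it can
# be exercised on captured output without a Mac.

# Return 0 when the device is NOT yet enrolled via ADE/MDM, 1 when it is.
# $1: the text printed by `profiles status -type enrollment`
# (assumed format: "Enrolled via DEP: Yes" / "MDM enrollment: Yes (User Approved)").
needs_ade_renew() {
  dep=$(printf '%s\n' "$1" | sed -n 's/^Enrolled via DEP: //p')
  mdm=$(printf '%s\n' "$1" | sed -n 's/^MDM enrollment: //p')
  case "$dep" in Yes*) dep_ok=1 ;; *) dep_ok=0 ;; esac
  case "$mdm" in Yes*) mdm_ok=1 ;; *) mdm_ok=0 ;; esac
  [ "$dep_ok" -eq 1 ] && [ "$mdm_ok" -eq 1 ] && return 1
  return 0
}

# Human-readable verdict for the technician running this on the device.
ade_verdict() {
  if needs_ade_renew "$1"; then
    echo "not enrolled: run 'sudo profiles renew -type enrollment' and return to Setup Assistant"
  else
    echo "enrolled: no action needed"
  fi
}

# Constructed sample outputs for offline checking (not captured from a real device).
SAMPLE_UNENROLLED='Enrolled via DEP: No
MDM enrollment: No'
SAMPLE_ENROLLED='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'

# Only query and renew on macOS where the profiles tool exists; elsewhere, show
# the verdicts for the constructed samples.
if [ "$(uname)" = "Darwin" ] && command -v profiles >/dev/null 2>&1; then
  status_out=$(profiles status -type enrollment 2>/dev/null)
  ade_verdict "$status_out"
  if needs_ade_renew "$status_out"; then
    sudo profiles renew -type enrollment   # re-fetches the ADE profile from Apple
  fi
else
  ade_verdict "$SAMPLE_UNENROLLED"
  ade_verdict "$SAMPLE_ENROLLED"
fi
```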
Enrollment Error: "A server with the specified hostname could not be found"
This error can be caused by multiple factors, one of the biggest being timing. It can occur if the device is set up before Apple's servers have finished registering its assignment to an MDM server.
For troubleshooting this, we recommend following the below steps (very similar to the above):
- In Addigy, the device has the "assigned" status (Note: the Scan Now button can help speed up the assignment process)
- Plug the device into a charger, assuming it is a mobile device like a laptop, phone, or iPad.
- If the device was already in use, wipe the device. If it is a new device, power it on
- Once you are met with the "hello" screen (the very first screen of Setup Assistant), leave it there for ~5 minutes
- Proceed to the WiFi connection screen and connect to WiFi
- Proceed to the Remote Management screen and leave the device there for ~10-15 minutes
- Proceed through Remote Management and check if the error persists
If this does not work, it may be that Apple has not fully processed the device assignment to your MDM server in ABM/ASM. With that, waiting about an hour to ensure Apple's servers can finalize the assignment and provide Addigy with the necessary information has been seen to help.
ADE Token Error: "Bad status response[400]: Error retrieving DEP account: could not retrieve DEP account (error establishing DEP session [403 Forbidden]: token_rejectedForbidden)"
The cause of this error is a little ambiguous, but thankfully troubleshooting it is typically straightforward.
What we recommend doing when this error occurs is to renew the ADE token. Even though the token may not be expired, a renewal typically fixes this error.
For steps on renewing this token, please take a look at our Renewing an Automated Device Enrollment Token article.
Problem: Device stuck at Remote Management screen
Note: It is best to avoid restarting the device if possible. It can skip the remote management screen as mentioned in the Problem: Device(s) are not seeing the Remote Management screen section of this article.
If you are using the Await Device Configured ADE setting (configured in the policy) in conjunction with pre-stage installation items via priority deployments, this could be a possible cause.
For example, if you configure something like Microsoft Office to install during the ADE process, its size will delay the management process. However, large install files should only prolong the setup, not cause the device to become stuck.
If the device is stuck for somewhere upwards of an hour, there is likely an item being deployed to your policy that is causing the setup to get stuck. You will want to specifically look at Smart Software with a priority of less than 1 (such as 0.5).
If you cannot find what item this is, please do not hesitate to reach out to the Addigy support team and provide us with the following information:
- Affected device's serial number
- The policy name that is configured with ADE
ADE Token Error: "error establishing DEP session [403 Forbidden] FORBIDDEN. Please verify your Automated Device Enrollment Server and try again!"
This error states that Addigy's request to ABM/ASM was received, but the ABM/ASM server refused to accept it.
When this happens, the first thing to check is the ABM/ASM user that created this MDM server. If that user has been deactivated or their authentication has changed (e.g. a password change), this could be why the error is occurring. Generally, you just want to make sure the user can log in to ABM/ASM without any issues.
If you have verified the user is good to go, the next thing to try is to renew the MDM server token. Steps on how to renew the token can be found here: Renewing an Automated Device Enrollment Token
If the above steps do not help, you may need to create a new MDM server.
ADE Token Error: "Could not read MIME header from file."
This error is very similar to the issue above this section. You will want to try downloading the MDM server token from a different ABM/ASM user than what was previously used.
If you do not have another user, create a new one with ample permissions and try from there.
Once you have redownloaded the token, you can renew or remove the existing token.
If downloading the token from a different user does not help, please contact our support team and attach the MDM server token (p7m file) to the ticket.
ADE Token Error: "...T_C_NOT_SIGNED. Please verify your Automated Device Enrollment server and try again!"
This error is triggered when Apple updates its ABM/ASM terms and conditions. For more information on this, please reference the following article:
Apple Business / School Manager Terms and Conditions Update
Once you have verified that the terms and conditions have been signed, navigate back to the ADE settings within your Addigy policy and select Retry Sync. You may need to retry several times (7+) before the error goes away.
ADE Token Error: "...[400 Bad Request]: oauth_problem_adviceBad Request"
This is a fairly common error. Typically, renewing the server token will solve the issue and restore connectivity. You can check out how to renew the token here: Renewing an Automated Device Enrollment Token
Additional Note - Service Interruptions
With both the ADE Token (MDM Server) and the enrollment process, there is a chance of temporary service interruptions with Apple or Addigy services. This can usually be attributed to a temporary interruption due to upgrades in software or servers.
If the contents of this article do not help, please check the below status pages to verify if there are any known interruptions active at this time.
Apple System Status: https://www.apple.com/support/systemstatus/
For Apple, verify that the following services are green:
- Apple Business Manager or Apple School Manager
- Device Enrollment Program
- iOS Device Activation
Addigy System Status: https://status.addigy.com
For Addigy, verify that the following services are operational:
- Addigy MDM Service
- Addigy Cloud Interface