VMware Workspace ONE Community
JordonC
Enthusiast

Allow Re-enrollment for DEP Devices

We have an issue currently where we have 150ish users that will need to re-enroll their DEP iOS devices. Are the end users given an option to un-enroll a DEP enrolled device and then re-enroll on their own? I'm trying to let the end users accomplish this themselves in their own free time vs sending a mass delete device and forcing them to re-enroll.
11 Replies
AbrahamSanchez
Contributor

It's been a while but I believe if you un-enroll a DEP device, the user will not be able to re-enroll without enabling lost mode I believe. The device basically becomes a brick. You can easily test it with one device.  
Stansfield
Enthusiast

Just have them wipe the device and set it back up again. Un-enrollment of a DEP device is not recommended; among other things, the MDM profile will be removable if re-enrolled without wiping.
AbrahamSanchez
Contributor

I agree with Stephen.  We do the same here.
JordonC
Enthusiast

Thanks for responses. Was trying to avoid them wiping their devices. I'm assuming you have restore from backup disabled if you're telling your DEP users to wipe their devices?
Stansfield
Enthusiast

Yes, we cannot risk data from one user going to another user.
LukeDC
Expert

If you enterprise wipe a DEP device, it will remove MDM control. You can then use the Hub to enroll again and it will still be supervised.
LukeDC
Expert

The lost mode thing was a bug and should be gone now.
RicardoPachecoR
Enthusiast

DEP is separate from AirWatch enrollment. When devices are properly assigned, DEP directs iOS devices to an MDM solution: AirWatch, IronMobile, JAMF, etc.

If your Apple DEP configuration in AirWatch has 'Lock MDM Profile' enabled AND you need to do this because your APN certificate expired, I am pretty sure you need to do a device wipe in order for the new certificate to be installed to the device. When the Lock MDM Profile is enabled, a user cannot remove the Device Management profile, meaning it cannot be un-enrolled.

For any situation, I always go with Erase All Content and Settings on Corporate Owned devices.

At setup, the device will check with Apple. If the device is in DEP, it will be directed to your AirWatch OG, as configured. The device will receive your AirWatch DEP profile and assignments.

Make sure that your MDM server certificate and your VPP token are not expired.
LukeDC
Expert

Even with lock enabled, an enterprise wipe from the console will remove it. Done it many times to avoid wiping my test devices and keep it supervised, but not enrolled.
RicardoPachecoR
Enthusiast

The feedback provided was for the user to perform the action without having the console admin do the work. As a console admin, that is a different story. Keep in mind the APN certificate was included as one of the reasons why I suggested the steps above. With an expired APN certificate, an enterprise wipe will not work.
JordonC
Enthusiast

Thanks for all the feedback everyone. APNS certificate is fine. The main reason for the re-enrollment is because of an issue with the organization group the users are in. It's a long story but support wants all the users to re-enroll to correct the issue. I'm trying to figure out something that isn't too disruptive and they could do on their own like through the self service portal. Trying to avoid them doing a device wipe because currently restore from iCloud is disabled because it messes with the DEP enrollment process with previously enrolled devices. It looks like my best option is to enterprise wipe all the devices and email everyone in that Organization Group instructions on how to enroll manually through the web.