Prevent Personal Macs

We are trying to figure out a way to prevent personal Macs from entering our environment. With that said, according to some folks, putting the DEP-only device constraints into our environment will have the following impact: if a Mac needs to re-enroll, we will have to factory reset the OS for it to re-enroll and get all of the settings, profiles, apps, etc. Surely we are not the only ones who think that having to factory reset a device is not an acceptable troubleshooting step and should only be performed when ALL other options have been exhausted. ????? Please tell me someone has figured this out!
VMware Employee

BethC -- Yes, if you configure the environment for registered devices only, then from an Apple perspective you essentially prevent devices that are not Apple Business Manager synced (and/or pre-registered). If you unenroll a device, it should still be "registered" and you can then re-enroll via the Hub (although it will no longer be enrolled through Apple Business Manager).

That said, there are a few macOS nuances that lead folks to do wipe/reloads:

  1. Unlike iOS, macOS has no concept of managed data separation. This means if you were to send an "enterprise wipe" to macOS in order to re-enroll, the apps could be removed but not necessarily any of the data created by the user using those apps. Additionally, since macOS is inherently multi-user, the Enterprise Wipe does not remove the local user account in macOS and therefore doesn't trigger the Setup Assistant.
  2. The only supported way to trigger the Setup Assistant to go through automated enrollment with Apple Business Manager is to wipe/reload. You used to be able to trigger Setup Assistant with some scripting (though it has been a while since I've tried), but depending on what you're trying to do (such as wipe/redeploy to the same user) you could end up with some unexpected consequences with user account and home folder collisions and whatnot.

To answer your last question, generally speaking, wipe/reload should be your last resort when troubleshooting macOS. You should be able to gather Hub logs (for Hub functionality), a sysdiagnose (preferably with the Apple GSS debug profile downloaded/enabled from developer.apple.com) for general macOS functionality (mdmclient, App Store, storedownloadd, etc.), and details from the "troubleshooting" tab in the device details view.

I hope that helps point you in the right direction!

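Before falling back to a wipe/reload, the first thing to establish on the Mac in question is which kind of enrollment it actually has: Apple Business Manager (DEP) automated enrollment, a manual enrollment via the Hub (which the reply above notes is what you get after a re-enroll), or none at all. The following is an added example written for this page, not code from the thread or from Workspace ONE; it assumes the two-line output format that `profiles status -type enrollment` prints on macOS ("Enrolled via DEP: Yes/No" and "MDM enrollment: Yes (User Approved)/No"), and the classification names (abm-enrolled, manual-enrolled, not-enrolled) are my own. The sample outputs embedded below are constructed to exercise each case.

```shell
#!/bin/sh
# Added example: classify a Mac's MDM enrollment from the output of
# `profiles status -type enrollment`. Not Workspace ONE tooling; the label
# names and the sample outputs below are assumptions made for this page.

# Classify enrollment from text in the format printed by
# `profiles status -type enrollment`. Prints one of:
#   abm-enrolled     DEP/ABM automated enrollment (Setup Assistant path)
#   manual-enrolled  MDM enrolled, but not via DEP (e.g. Hub re-enroll)
#   not-enrolled     no MDM enrollment at all
#   unknown          output did not match the expected format
classify_enrollment() {
    dep=$(printf '%s\n' "$1" | sed -n 's/^Enrolled via DEP: *//p')
    mdm=$(printf '%s\n' "$1" | sed -n 's/^MDM enrollment: *//p')
    case "$dep:$mdm" in
        Yes:Yes*) echo "abm-enrolled" ;;
        No:Yes*)  echo "manual-enrolled" ;;
        *:No*)    echo "not-enrolled" ;;
        *)        echo "unknown" ;;
    esac
}

# Report whether the MDM enrollment is user approved (UAMDM), which matters
# because non-approved enrollments cannot receive kernel/system extension
# policies. Prints "approved", "not-approved" or "n/a".
user_approved() {
    mdm=$(printf '%s\n' "$1" | sed -n 's/^MDM enrollment: *//p')
    case "$mdm" in
        Yes*User\ Approved*) echo "approved" ;;
        Yes*)                echo "not-approved" ;;
        *)                   echo "n/a" ;;
    esac
}

# Run the real command when on macOS; otherwise fall back to a constructed
# sample so the script can be exercised on any POSIX shell.
check_local_enrollment() {
    if command -v profiles >/dev/null 2>&1; then
        out=$(profiles status -type enrollment 2>/dev/null)
    else
        out="$SAMPLE_MANUAL"
    fi
    printf '%s %s\n' "$(classify_enrollment "$out")" "$(user_approved "$out")"
}

# Constructed sample outputs (not captured from a real device).
SAMPLE_ABM="Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)"
SAMPLE_MANUAL="Enrolled via DEP: No
MDM enrollment: Yes (User Approved)"
SAMPLE_UNAPPROVED="Enrolled via DEP: No
MDM enrollment: Yes"
SAMPLE_NONE="Enrolled via DEP: No
MDM enrollment: No"

# Usage when run directly: print the local (or sample) classification.
case "$0" in
    *enrollment*) check_local_enrollment ;;
esac
```

A Mac reporting "manual-enrolled" after a Hub re-enroll is consistent with what the reply describes: the device is still registered and managed, but it did not go through the ABM Setup Assistant path, which is the only supported way to get back to "abm-enrolled" without the wipe/reload.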