
ADE enrollment profile not assigned to devices, blocking enrollment

Open ddribeiro opened this issue 9 months ago • 0 comments

Fleet version: 4.64, 4.65 (possible earlier versions)
Web browser and operating system: macOS 15


💥  Actual behavior

3 Fleet customers have reported several of their Macs did not display the Remote Management screen during the macOS Setup Assistant as expected. The Macs were correctly assigned to the Fleet server in Apple Business Manager and synced to Fleet as expected.

After going through the Setup Assistant, we had the customers run sudo profiles show -type enrollment to see what enrollment profile was assigned to the device. The computers return null.

One customer was able to reach out to Apple for support. They were told that the last action taken for one of the affected devices was a Remove Profile request. They did not see any Assign Profile requests from Fleet for that device.

Fleet support was able to resolve the issue for affected hosts by modifying the enrollment profile for the team the hosts are assigned to. The change in enrollment profile would've caused Fleet to assign a new profile for all hosts in that team.

🧑‍💻  Steps to reproduce

  1. In Apple Business Manager, assign your host to your Fleet server.
  2. Observe the host gets populated into Fleet via the ABM sync.
  3. Power on the host and connect it to the internet. Proceed through the Setup Assistant. When this issue occurs, the computer will not show the Remote Management screen. It will not enroll into Fleet during the Setup Assistant.
  4. Once the computer is set up, run sudo profiles show -type enrollment to retrieve the enrollment profile that Apple has assigned to the host's serial number. In situations where this issue occurs, the response will be null instead of the JSON contained in the enrollment profile.
  5. To resolve, modify the enrollment profile for the team the host is assigned to. Wait ~1 minute, then run sudo profiles show -type enrollment again. The command should return the new enrollment profile.

🕯️ More info (optional)

  • I believe the customers were using a mix of the default enrollment profile and a custom one uploaded to Controls > Setup experience > Setup assistant. In all situations, the issue was resolved by modifying the enrollment profile (removing the existing one or uploading a new one).
  • I was not able to find anything in the logs for these customers that indicated Fleet attempted to assign the profile (@ksatter please keep me honest on this). Likewise, there were no errors related to profile assignment.

ddribeiro, Apr 03 '25 18:04
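
The check from steps 4 and 5 of the report, as an added example that is not part of the original issue or Fleet's own code: it classifies the text printed by sudo profiles show -type enrollment and re-runs the command until a profile appears. The function names are hypothetical, and the output shapes it matches (a line containing "null" when nothing is assigned, a ConfigurationURL key when a profile is present) are assumptions.

```shell
#!/bin/sh
# Added example. Assumptions: an unassigned device prints a line containing
# "null", an assigned one prints the profile including a ConfigurationURL key.

# classify_enrollment OUTPUT -> "assigned <url>", "unassigned" or "unknown"
classify_enrollment() {
    out=$1
    # Pull the enrollment URL out of either 'Key = "value";' or JSON-style text.
    url=$(printf '%s\n' "$out" |
        sed -n 's|.*ConfigurationURL[^h]*\(https://[^"; ]*\).*|\1|p' | head -n 1)
    if [ -n "$url" ]; then
        printf 'assigned %s\n' "$url"
    elif printf '%s\n' "$out" | grep -qi 'null'; then
        printf 'unassigned\n'
    else
        # Anything else (tool missing, permission error) is not proof either way.
        printf 'unknown\n'
    fi
}

# wait_for_profile ATTEMPTS DELAY_SECONDS COMMAND...
# Re-runs COMMAND until a profile shows up; exit status 1 if it never does.
wait_for_profile() {
    attempts=$1
    delay=$2
    shift 2
    i=0
    state=unknown
    while [ "$i" -lt "$attempts" ]; do
        state=$(classify_enrollment "$("$@" 2>&1)")
        case $state in
            assigned*) printf '%s\n' "$state"; return 0 ;;
        esac
        i=$((i + 1))
        if [ "$i" -lt "$attempts" ]; then sleep "$delay"; fi
    done
    printf '%s\n' "$state"
    return 1
}

# On an affected Mac, after changing the team's enrollment profile:
#   wait_for_profile 6 20 sudo profiles show -type enrollment
```

Checking that the reported URL is the expected Fleet server, rather than only that a profile exists, also catches a device that is still assigned to a previous MDM.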