-
Notifications
You must be signed in to change notification settings - Fork 366
DEP auto assignment
Starting with v1.3.0 MicroMDM supports DEP auto-assignment.
When not using this auto-assignment feature you need to place all of the serial numbers you want to assign to a DEP profile into the "devices" key of the DEP profile json file that is then uploaded to MicroMDM (which, in turn, assigns them on Apple's DEP servers):
$ cat /path/to/dep-profile.json
[snip]
"department": "Engineering",
"devices": ["C01234ABC567"]
}
$ mdmctl apply dep-profiles -f /path/to/dep-profile.json
Defined DEP Profile with UUID E89A6389E5AAABCD8238072A0C76D3862
This workflow continues to work fine. However it means that if you add new devices to the DEP portal for your MDM server you have to manually go back to add the serials to the profile and re-apply it.
Now MicroMDM supports automatically assigning new (and only new) devices to the DEP profile itself. It does this by matching devices against an auto-assignment filter. Currently only one filter is supported — the * filter which matches any and all devices. The way we enable auto-assignment is associating a DEP profile UUID with the auto-assignment filter. By far the easiest way to do this is when you apply the DEP profile itself:
$ mdmctl apply dep-profiles -f /path/to/dep-profile.json -filter='*'
Defined DEP Profile with UUID E89A6389E5AAABCD8238072A0C76D3862
Saved auto-assign filter '*' for this DEP profile
(Note: the * is single-quoted in the command to avoid matching files/shell globbing.)
The above is a convenience for taking the DEP Profile UUID that Apple generates to associate with the filter automatically. You could also do this manually, if you wanted:
$ mdmctl apply dep-autoassigner -filter='*' -uuid E89A6389E5AAABCD8238072A0C76D3862
saved auto-assign filter '*' to DEP profile UUID 'E89A6389E5AAABCD8238072A0C76D3862'
newly added DEP devices will be auto-assigned to the above profile UUID
(Note: the default filter is the * filter here, unlike above, so you can omit this switch if you like.)
MicroMDM listens to the DEP "added" event for auto-assignment. This means that devices that are added to the MicroMDM MDM instance in the ABM/ASM/DEP portal are auto-assigned. This is triggered by manually assigning devices in the portal or by having an an automatic MDM assignment in the portal (for e.g. new purchases incoming to your DEP account). Specifically MicroMDM does not, yet, support re-assigning any existing devices in your MicroMDM instance nor will it "back"-assign any other devices. Only newly added devices.
You can also list and remove auto-assigners. The typical get and remove options to mdmctl work as expected:
$ mdmctl get dep-autoassigners
Filter DEP Profile UUID
* E89A6389E5AAABCD8238072A0C76D3862
$ mdmctl remove dep-autoassigner -filter='*'
removed DEP profile associated with filter '*'
$ mdmctl get dep-autoassigners
Filter DEP Profile UUID
(Note: again the default filter is *, so you can omit the -filter switch if you like.)
You may see some warnings and errors with DEP assignment and device updates. Most of them are innocuous and can be ignored:
warning: no existing device for DEP device update: C01234ABC567
This means we received a DEP device "update" from the Apple DEP service but this device doesn't exist in our database. We update the database for this device anyway, so this is just a warning for you.
warning: re-adding existing DEP device: C01234ABC567
This means we received a DEP device "addition' from the Apple DEP service but the device is already in our database. We update the database for this device anyway, but this is just a warning. Usually this is just a device that has DEP-enrolled more than once. But this could also be a device that went from a normal MDM enrollment to a DEP enrollment, for example.
warning: DEP device unassigned: C01234ABC567
This means the device was unassigned from the MDM server. We update the device status in the database but do not remove the device from MicroMDM. If the device is added back to the DEP profile you'll also likely get the above warning, too.
Need to force a DEP sync for testing the auto-assign (or any other DEP operations?). Try the Sync Now API endpoint:
$ curl -v -u micromdm:$APIKEY -X POST https://mdm.example.org/v1/dep/syncnow
There appears to be some oddities when assigning device serials from one MDM server to another in the ABM/ASM/DEP portal. When re-assigning a serial number it appears that instead of generating an "added" event (which MicroMDM will use to auto-assign serial numbers) Apple instead generates a "modified" event — even if that MDM server has never seen the device before. Because these are "modified" events the auto-assigner won't work on those serials. This appears to be some issue with the ABM/ASM/DEP portal.
As a workaround it's been discovered that if you add a step in between your assignment on the Apple portal you can get it to successfully generate your "added" events for auto-assignment. This involves either unassigning the serial numbers from DEP or re-assigning your serial numbers to another MDM server before then finally reassigning to your MicroMDM server to get them to be "added" devices.