Perform the following steps in the event that an Apple device is unenrolled from JumpCloud MDM and needs to be re-enrolled with its device record preserved.
Preserving the device record ensures that re-enrollment will retain all JumpCloud associations originally on the device prior to unenrollment.
While this article outlines the best method of retaining the device record, there are many variables in this process and there is no guarantee the device record will be retained.
Identify Apple Devices that are Not Enrolled in JumpCloud MDM
To identify devices that have been unenrolled from JumpCloud MDM and need to be re-enrolled, filter your list of devices.
- Log in to the JumpCloud Admin Portal.
- Go to DEVICE MANAGEMENT > Devices. A list of all of your devices displays.
- To identify macOS devices that are not enrolled in JumpCloud MDM, click filter by and select the following filters:
- device OS: Mac
- MDM status: not enrolled
- To identify iOS / iPadOS devices that are not enrolled in JumpCloud MDM, click filter by and select the following filters:
- device OS: iOS
- MDM status: not enrolled
Re-Enroll macOS Devices into JumpCloud MDM
To re-enroll an Apple Device into JumpCloud MDM, the MDM enrollment profile must be distributed to the device and installed interactively by an end user with administrative permissions.
- To create and apply an MDM enrollment policy to machines that are not enrolled in JumpCloud MDM, complete the steps in Create a Mac MDM Enrollment Policy.
If the device is active in the JumpCloud portal, but not enrolled in JumpCloud MDM, end users working on the device should complete MDM enrollment using the Mac MDM Enrollment Policy.
If the device is inactive in the JumpCloud Portal but is known to be in active use by end users, then the MDM enrollment policy is not a candidate for MDM enrollment, and an MDM enrollment profile must be manually distributed and installed on the device.
Enroll Devices with Automated Device Enrollment
- Log in to the JumpCloud Admin Portal.
- Go to DEVICE MANAGEMENT > MDM, then click the Apple tab.
- (Optional) If you leverage Mac Zero-Touch Experience, temporarily disable User Authentication in the Zero-Touch Experience settings.
- In the Automated Device Enrollment Configuration section, click Configure MacOS. The Mac Zero-Touch Experience screen displays.
- Scroll down to Step 4 User authentication, and disable user authentication.
- Click Save.
This feature automatically binds the user account to the device that was used during the ADE enrollment process. If this account differs from the existing account on the device, then the user binding state associated with the device may be inadvertently modified.
- Run the following command on the device:
sudo profiles renew -type enrollment
You can run the command in different ways:
- If the devices are active in the JumpCloud Admin console, run a JumpCloud command (run as root).
- If the devices are offline, run the command locally using the Terminal.
- To allow JumpCloud to automatically enroll your device, on your Mac device go to System Preferences > Privacy & Security, and click Allow.
- A message displays asking to confirm JumpCloud’s management of your device. Click Enroll.
- For macOS versions 13 and later, browse to System Settings > Privacy & Security > Profiles.
- For macOS versions 12 and earlier, browse to System Preferences > Profiles.
- Proceed through the rest of the prompts to complete the enrollment process. By proceeding with an Automated Device Enrollment, the enrollment profile will be locked on the device and all entitlements will be restored for supervision state on macOS version 10.15.
Make sure you are not trying to complete enrollment during a remote desktop session. Apple prevents enrollment from commencing over remote desktop connections.
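The following added example (not JumpCloud's own script) wraps the renew command in a status check so that it only runs on a Mac that reports no MDM enrollment. It assumes it runs as root and that `profiles status -type enrollment` prints the `Enrolled via DEP:` and `MDM enrollment:` lines found on current macOS releases; the function names and sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: run as root (JumpCloud command or local Terminal).

# Constructed sample of the status output for an unenrolled Mac.
SAMPLE_UNENROLLED='Enrolled via DEP: No
MDM enrollment: No'

# Classify the text of `profiles status -type enrollment` read on stdin.
# Prints one of: enrolled-ade | enrolled | not-enrolled | unknown
enrollment_state() {
    awk -F': *' '
        /^Enrolled via DEP:/ { dep = $2 }
        /^MDM enrollment:/   { mdm = $2 }
        END {
            if (mdm ~ /^Yes/ && dep ~ /^Yes/) print "enrolled-ade"
            else if (mdm ~ /^Yes/)            print "enrolled"
            else if (mdm ~ /^No/)             print "not-enrolled"
            else                              print "unknown"
        }'
}

# Renew the enrollment only when the device reports no MDM enrollment.
renew_if_unenrolled() {
    state=$(profiles status -type enrollment 2>/dev/null | enrollment_state)
    echo "MDM state: $state"
    case "$state" in
        not-enrolled) profiles renew -type enrollment ;;
        enrolled*)    echo "Already enrolled; nothing to do." ;;
        *)            echo "Could not read enrollment status." >&2
                      return 1 ;;
    esac
}

# Only act where the macOS profiles tool exists.
if command -v profiles >/dev/null 2>&1; then
    renew_if_unenrolled
fi
```

The end user still has to approve the enrollment prompt on the device after the renew command runs.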
Manually Enroll Devices
To manually download, distribute, and install a JumpCloud MDM enrollment profile on a device:
- Log in to the JumpCloud Admin Portal.
- Go to DEVICE MANAGEMENT > MDM, then click the Apple tab.
- Download the MDM enrollment profile from the JumpCloud admin console.
- In the APNs Configuration for MDM section, click Download Profile. The file profile_jc.mobileconfig should appear in your Downloads.
This profile is unique per organization but not per device and can be used to enroll any device into an organization's configured MDM.
- Distribute the MDM enrollment profile to end users working from inactive devices.
- Find and distribute the downloaded MDM enrollment profile, named profile_jc.mobileconfig, to end users working on inactive devices.
The profile can be attached to an email, sent via an attachment on a messaging platform, or transferred via a removable USB drive. The size of an enrollment profile is very small, less than 10 KB.
- Install the MDM enrollment profile.
- On a Mac device that has the JumpCloud agent installed, but has been unenrolled from JumpCloud MDM, double-click on the MDM enrollment profile. This will queue the profile for approval in System Settings.
- Based on your macOS device version, continue the steps in the following sections.
Install MDM Enrollment Profile on macOS 13 Ventura Devices
- Go to System Settings > Privacy & Security.
- Scroll down to the Others section and click Profiles.
- Double-click on the MDM Enrollment Profile to complete the enrollment process.
You must have Administrator role permissions to approve the profile.
After approving the MDM Enrollment Profile, the device will be re-enrolled in JumpCloud MDM and receive all of the profiles associated with it, including the JumpCloud default profiles for the Agent, Remote Assist, Tray App, and MDM.
Install MDM Enrollment Profile on macOS 12 Monterey & Earlier Devices
- Go to System Settings > Profiles.
- Find the staged MDM Enrollment profile and click Install. When prompted, enter the credentials of an account with administrator privileges.
- Successful enrollment will be indicated by the subsequent delivery of the remaining configuration profiles.
Re-Enroll an iOS or iPadOS Device into JumpCloud MDM
To re-enroll an affected iOS or iPadOS device back into JumpCloud MDM, follow the steps outlined in the help articles:
- Add Personal Apple Devices to MDM with User Enrollment
- Add Company-Owned Apple Devices to MDM with Device Enrollment