Re-Enrolling a ‘locked down’ iPad in MDM
Unlike many of the articles on this site, this one is written for IT people and covers technical subject matter.
Only follow the steps below if they suit your specific situation and you understand and accept all of the risk.
One of our clients that uses MDM had their Apple MDM push certificate expire. Usually this can be fixed by renewing the certificate within the grace period (30 days), but because the iPads had been switched off and powered down for more than six months, some of the individual device identity certificates had expired as well. The result was that only some of the iPads checked in properly with the MDM, even after we had renewed the push certificate.
So we had devices locked down with security settings (which meant we could not reset and enroll them manually) that we also could not manage, unlock or wipe through our MDM solution.
The solution ended up being Apple's DFU (Device Firmware Update) restore. At the time of writing, few online resources mentioned it and none as a way to get back into a device that had lost connectivity with its MDM. It also was not as simple as just restoring the device: we ran into delays and problems getting the devices to enroll afterwards. Two things are worth being clear about before you start. A DFU restore erases the device completely, so anything stored on it is gone. It does not bypass Activation Lock, and because the devices stayed assigned to our MDM server in Apple Business Manager, Setup Assistant still pushed them back into enrollment; that server-side assignment, not anything left on the device, is what makes the recovery work. Below is what worked for us, in the hope it helps someone who runs into the same or a similar issue.
1. First things first: get physical possession of the iPads, a computer running iTunes and a good quality cable, ideally an official Apple one.
2. Plug the iPad into the computer and ignore any prompts.
3. Press and hold the lock (top) button and the Home button together until the screen turns off, then release the lock button but keep holding Home. The screen stays off.
4. If your timing was right the device is now in DFU mode (if you see an Apple logo, the device booted normally and you need to try again). You will know it worked because the screen stays black and iTunes shows a message that it has detected an iPad in recovery mode and that it must be restored before it can be used.
5. Press OK and follow the prompts to Restore and Update the iPad.
6. This takes a while, so be patient. If the update fails, reboot the iPad and try again, or try a different cable. This happened sporadically with some iPads.
7. The hope is that after the restore the device re-enrolls with no further work. For us, a few more steps were needed.
8. Delete the device from Microsoft Intune / Microsoft Endpoint Manager, and unassign the device from the MDM server in Apple Business Manager.
9. Run a Microsoft Intune / Microsoft Endpoint Manager enrollment program sync with Apple Business Manager. Intune only does this on its own once every 24 hours; the manual sync button is under the enrollment program tokens. There is no completion status for the sync, you just have to wait up to 15 minutes.
10. After at least 30 minutes, reassign the device in Apple Business Manager to the Intune MDM server and run another enrollment sync.
11. Give it another 30 minutes to be safe, so everything is up to date.
12. Reboot the iPad; it should now re-enroll as expected. If not, perform a normal 'Erase All Content and Settings' on the device, and confirm that the device is definitely assigned to the right MDM server in Apple Business Manager and that Intune has had time to pick up the change.
Things to Remember:
- Most MDM solutions only sync with Apple Business Manager every so often. For Intune this is a 24 hour wait unless you find the enrollment sync button and trigger it manually.
- Only renew your APNs / MDM push certificate with the Apple ID that first created it. Creating a new certificate instead of renewing the existing one is the same as letting it expire and will break communication with all of your iPads.
- You may need to make a change to the enrollment profile (so that its modification date changes) before Apple Business Manager picks it up.
- Be patient. Many of these changes are not real time and can take more than 30 minutes before they start working.
- Set multiple reminders within your team to renew your Apple certificates and tokens (APNs, VPP, etc.) before the 12 month expiry hits. Ideally renew at 10 months so the team always has adequate time to get it sorted.
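To turn the last reminder and the "some devices had been off for six months" lesson into something you can run against exported tenant data, here is an added triage script. It is not from the original article and not an Apple or Microsoft tool. It takes the push certificate's expiry date and each device's last check-in date (the sample objects are constructed, shaped like the Microsoft Graph `applePushNotificationCertificate` and `managedDevice` resources, but nothing is fetched) and reports where the certificate sits on its 12 month lifetime, the date by which it should be renewed, and which devices have been offline long enough that a remote wipe is unlikely to reach them. The 60 day renewal lead, the 30 day grace period and the 180 day "stale device" threshold are assumptions taken from the numbers in this article, not published Apple or Microsoft values.

```python
"""Added example: push certificate timeline and offline-device triage.

Inputs are constructed sample data shaped like Microsoft Graph
applePushNotificationCertificate / managedDevice objects. Thresholds are
assumptions drawn from the article (renew at ~10 months, 30 day grace,
~6 months offline means the device identity certificate is suspect).
"""
from datetime import datetime, timedelta, timezone

PUSH_CERT_LIFETIME = timedelta(days=365)  # Apple MDM push certificates last one year
RENEW_LEAD = timedelta(days=60)           # renew ~10 months in, i.e. 60 days before expiry (assumption)
GRACE_PERIOD = timedelta(days=30)         # grace period the article relies on (assumption)
STALE_AFTER = timedelta(days=180)         # ~6 months offline: expect to need physical access (assumption)


def parse_graph_time(value):
    """Parse an ISO-8601 timestamp in the '...Z' form Microsoft Graph returns."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def push_cert_status(cert, now):
    """Classify the MDM push certificate relative to 'now' and compute key dates."""
    expires = parse_graph_time(cert["expirationDateTime"])
    if now >= expires + GRACE_PERIOD:
        state = "expired_beyond_grace"   # expect devices to have stopped checking in
    elif now >= expires:
        state = "expired_in_grace"       # renew immediately with the same Apple ID
    elif now >= expires - RENEW_LEAD:
        state = "renew_now"              # inside the 10-month renewal window
    else:
        state = "ok"
    return {
        "appleIdentifier": cert["appleIdentifier"],  # renew with THIS Apple ID, never a new one
        "state": state,
        "renew_by": expires - RENEW_LEAD,
        "expires": expires,
        "grace_ends": expires + GRACE_PERIOD,
    }


def triage_devices(devices, now):
    """Split devices into those likely to reconnect after renewal and those likely needing DFU."""
    remote, physical = [], []
    for dev in devices:
        offline_for = now - parse_graph_time(dev["lastSyncDateTime"])
        entry = {"serialNumber": dev["serialNumber"], "offline_days": offline_for.days}
        (physical if offline_for >= STALE_AFTER else remote).append(entry)
    return {"remote_recoverable": remote, "needs_physical_access": physical}


# Constructed sample data (not output from a real tenant).
SAMPLE_CERT = {
    "appleIdentifier": "mdm-admin@example.com",
    "expirationDateTime": "2024-03-01T00:00:00Z",
}
SAMPLE_DEVICES = [
    {"serialNumber": "DMPX0001", "lastSyncDateTime": "2024-03-10T08:00:00Z"},  # checked in recently
    {"serialNumber": "DMPX0002", "lastSyncDateTime": "2023-08-01T08:00:00Z"},  # off for ~7.5 months
    {"serialNumber": "DMPX0003", "lastSyncDateTime": "2023-12-01T08:00:00Z"},  # off for ~3.5 months
]
SAMPLE_NOW = datetime(2024, 3, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    status = push_cert_status(SAMPLE_CERT, SAMPLE_NOW)
    print(f"Push cert for {status['appleIdentifier']}: {status['state']}; "
          f"renew by {status['renew_by']:%Y-%m-%d}, expires {status['expires']:%Y-%m-%d}, "
          f"grace ends {status['grace_ends']:%Y-%m-%d}")
    result = triage_devices(SAMPLE_DEVICES, SAMPLE_NOW)
    for dev in result["remote_recoverable"]:
        print(f"{dev['serialNumber']}: offline {dev['offline_days']} days -> should recover once the cert is renewed")
    for dev in result["needs_physical_access"]:
        print(f"{dev['serialNumber']}: offline {dev['offline_days']} days -> plan DFU restore and ABM reassignment")
```

The useful part is the split: devices in `needs_physical_access` are the ones to physically collect before you start, rather than discovering one at a time that a remote wipe never arrives. Feed it the real `expirationDateTime` and `lastSyncDateTime` values exported from your MDM and adjust the thresholds to whatever your own environment has shown.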