Device re-enrolls as a new one (Solved)

Participant
Discussion
3 years ago

Hey all,

A quick question – why does the sudo profiles renew -type enrollment command enroll the device as a new device in Hexnode?

N.B: The device is already enrolled in Hexnode with Apple DEP

Replies (8)

Participant
3 years ago

Why do you have to run this command when the device is already enrolled in Hexnode? I doubt.

Participant
3 years ago

We have provisioned a few Mac devices months back. But, don’t know what happened. This one is unable to check in with Hexnode for a while.

I saw a few posts on resetting the DEP cache using the sudo profiles renew -type enrollment command. So I tried it. Yet, it initiated the enrollment as a new device instead of re-enrolling it in the portal.

That’s however not a big deal! What frustrates me the most is, I had the FileVault policy associated with the device earlier. As such, the decryption key was obtainable from the portal. Since the device is now enrolled as a new one, I can’t find any decryption key shown in its device summary.

Participant
3 years ago

Okay. As far as I know, this command is used for initiating DEP enrollment from the terminal. It automatically installs the profile for the MDM server associated with it in the ABM account. If the device already has a profile installed on it, I’m not sure if you can re-enroll the device using it.

Participant
3 years ago

@johana Sorry about that! That’s how I did it! I am pretty sure the profile was still there on the device when I ran it.

Does anyone know a way of generating the decryption key for my device?

Hexnode Expert
3 years ago

Hi @luuk:

I suppose, before re-enrolling a device, you may have to re-check the Re-enrollment Options applied to it.

  1. Log in to the Hexnode portal.
  2. Navigate to Enroll > Settings > Re-enrollment Options.
  3. Check for the option you have enabled on Device Status.

When Enroll as a new device is enabled, an already enrolled device gets re-enrolled as a new one.

The command sudo profiles renew -type enrollment triggers enrollment on a device added to your organization’s DEP account. But, if the above option remains selected on Hexnode, it is disenrolled and is added as a newly enrolled device. Resultantly, the older FileVault configurations for the device do not reflect on the portal.

Currently, there will be two enrollment instances for the device, one as a disenrolled and the other as enrolled. You may fetch the FileVault Personal Recovery key for the disenrolled instance from the Reports tab. Among the Disenrolled devices (Reports > Device Reports > Disenrolled devices), search the device using its Serial Number. Click on the edit column icon to include the FileVault Personal Recovery Key. And, you can view it from there.

Catherine George

Hexnode UEM

Participant
3 years ago

A bit doubtful about that. @luuk had a FileVault policy associated with the device from Hexnode. What if I have a device already encrypted manually and not via Hexnode? What do I do with the personal recovery key, if the device is enrolled first and foremost in Hexnode? Will that be displayed on the portal?

Participant
3 years ago

@catherine-george Does that mean I cannot have the decryption key displayed on the new device summary page?

Hexnode Expert
3 years ago

Coincidentally, @luuk @anaya both your queries lead to the same answer.

Here’s a workaround that will help you fetch the personal recovery key on the Device Summary for a device either encrypted before enrolling it or re-enrolled as a new one in Hexnode.

  1. Open the Terminal application on the Mac.
  2. Run the following command in Terminal:
    sudo fdesetup changerecovery -personal
    The new recovery key will be displayed in terminal.
  3. Open the Hexnode MDM agent app on the device and click SYNC.
  4. Next, log in to the Hexnode portal.
  5. Navigate to Manage > Choose the device > Actions > Scan Device.
  6. An option to decrypt the FileVault recovery key will be displayed under the Security Info of the device. (Device Info > Security Info > FileVault)
  7. Click Decrypt.
  8. The key will be displayed next to FileVault Recovery Key.

Good luck,

Catherine George

Hexnode UEM
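
An added example, not part of the thread and not Hexnode tooling: a pre-flight check to run before sudo profiles renew -type enrollment, so the FileVault recovery key situation described above is known in advance. The function name, verdict strings, and the matched output formats of profiles status and fdesetup are assumptions; the sample input is constructed.

```shell
#!/bin/sh
# Pre-flight check before `sudo profiles renew -type enrollment` on a Mac.
# It classifies the device from the text output of three read-only commands:
#   profiles status -type enrollment
#   fdesetup status
#   fdesetup haspersonalrecoverykey
# The output formats matched below are assumptions about those commands.

# preflight PROFILES_OUT FDESETUP_STATUS_OUT HAS_PRK_OUT -> prints one verdict
preflight() {
    enrolled=no; fv=off; prk=no
    if printf '%s\n' "$1" | grep -q '^MDM enrollment: Yes'; then enrolled=yes; fi
    if printf '%s\n' "$2" | grep -q '^FileVault is On'; then fv=on; fi
    if [ "$(printf '%s' "$3" | tr -d '[:space:]')" = "true" ]; then prk=yes; fi

    if [ "$fv" = off ]; then
        # Disk is not encrypted, so re-enrollment cannot orphan a key.
        echo "no-key-at-risk"
    elif [ "$prk" = no ]; then
        # Encrypted, but no personal recovery key exists to escrow.
        echo "no-personal-key"
    elif [ "$enrolled" = yes ]; then
        # Enrolled with a key: confirm the portal shows the key and check
        # Re-enrollment Options before renewing the enrollment.
        echo "confirm-escrow-first"
    else
        # Key exists but no MDM record holds it: after enrolling, rotate it
        # with `sudo fdesetup changerecovery -personal` and sync the agent.
        echo "rotate-after-enroll"
    fi
}

# Constructed sample output (not captured from a real device).
SAMPLE_PROFILES='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'
SAMPLE_FV='FileVault is On.'
SAMPLE_PRK='true'

preflight "$SAMPLE_PROFILES" "$SAMPLE_FV" "$SAMPLE_PRK"

# On a real Mac, feed it live output instead:
#   preflight "$(profiles status -type enrollment)" "$(fdesetup status)" \
#             "$(sudo fdesetup haspersonalrecoverykey)"
```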
