Device re-enrolls as a new one

expand collapsive

Hey all,

A quick question – why does the sudo profiles renew -type enrollment command enrolls the device as a new device in Hexnode?

N.B: The device is already enrolled in Hexnode with Apple DEP

All Replies

  • Participant

    Luuk

    Participant

    We have provisioned a few Mac devices months back. But, don’t know what happened. This one is unable to check in with Hexnode for a while.

    I saw a few posts on resetting the dep cache using the sudo profiles renew -type enrollment command. So I tried it. Yet, it initiated the enrollment as a new device instead of re-enrolling it in the portal.

    That’s however not a big deal! What frustrates me the most is, I had the filevault policy associated with the device earlier. As such, the decryption key was obtainable from the portal. Since the device is now enrolled as a new one, I cant find any decryption key shown in its device summary.

  • Participant

    johana

    Participant

    Okay. As far as I know, this command is used for initiating DEP enrollment from the terminal. It automatically installs the profile for the mdm server associated with it in the ABM account. If the device already has a profile installed on it I’m not sure if you can re-enroll the device using it.

  • Hexnode

    Catherine George

    Moderator

    Hi @luuk:

    I suppose, before re-enrolling a device, you may have to re-check the Re-enrollment Options applied to it.

    1. Log in to the Hexnode portal.
    2. Navigate to Enroll > Settings > Re-enrollment Options.
    3. Check for the option you have enabled on Device Status.

    When Enroll as a new device is enabled, an already enrolled device gets re-enrolled as a new one.

    The command sudo profiles renew -type enrollment triggers enrollment on a device added to your organization’s DEP account. But, if the above option remains selected on Hexnode, it is disenrolled and is added as a newly enrolled device. Resultantly, the older FileVault configurations for the device do not reflect on the portal.

    Currently, there will be two enrollment instances for the device, one as a disenrolled and the other as enrolled. You may fetch the FileVault Personal Recovery key for the disenrolled instance from the Reports tab. Among the Disenrolled devices (Reports > Device Reports > Disenrolled devices), search the device using its Serial Number. Click on the edit column icon to include the FileVault Personal Recovery Key. And, you can view it from there.

    Catherine George

    Hexnode UEM

  • Participant

    Anaya

    Participant

    A bit doubtful about that. @luuk had a FileVault policy associated with the device from Hexnode. What if I have a device already encrypted manually and not via Hexnode. What do I do with personal recovery key, if the device is enrolled first and foremost in Hexnode? Will that be displayed on the portal?

  • Hexnode

    Catherine George

    Moderator

    Coincidentally, @luuk @anaya both your queries lead to the same answer.

    Here’s is a workaround that will help you fetch the personal recovery key on the Device Summary for a device either encrypted before enrolling it or re-enrolled as a new one in Hexnode.

    1. Open the Terminal application on the Mac.
    2. Run the following command in Terminal:
      sudo fdesetup changerecovery –personal
      The new recovery key will be displayed in terminal.
    3. Open the Hexnode MDM agent app on the device and click SYNC.
    4. Next, log in to the Hexnode portal.
    5. Navigate to Manage > Choose the device > Actions > Scan Device.
    6. An option to decrypt the FileVault recovery key will be displayed under the Security Info of the device. (Device Info > Security Info > FileVault)
    7. Click Decrypt.
    8. The key will be displayed next to FileVault Recovery Key.

    Good luck,

    Catherine George

    Hexnode UEM