iPads non-compliant after ADE enrollment: Hexnode UEM app not installing and Phone app shown as blocklistedSolved

Hello @melora ,

The “Devices Managed by Apple Configurator 2” entry in Apple Business Manager is not a separate cloud MDM server. It is a default placeholder used when devices are added or prepared using Apple Configurator.

The Apple ID/email mismatch is usually not the cause of ADE communication issues. The Apple Business connection with Hexnode UEM depends on the valid ADE server token file, not whether the visible email addresses match.

For iPads showing under the Apple Configurator placeholder, use this flow:

1. In Apple Business, assign the iPads to the Hexnode MDM server.
2. In Hexnode UEM, go to Apple Business/School Manager > Automated Device Enrollment > Devices and sync all the devices.
3. Confirm that the devices show as Assigned in Hexnode.
4. Wipe the iPads.
5. During setup, connect the iPad to Wi-Fi. After activation, it should display the Remote Management screen and download the Hexnode management profile.

Seeing the normal Apple setup screens at first is expected. The Remote Management screen appears only after the iPad reaches activation and can contact Apple’s servers.

Ah, now I got cleared with the enrollment but it still stays non-compliant because the Hexnode UEM app is missing. I checked the policy and the app is under Required Apps. Also, these iPads need cellular.

During setup I only see options to transfer cellular from another iPad, use a QR code, or set it up later. Previously the cellular profile was handled as part of the deployment flow.

For the eSIM part, you can either configure it during setup using the carrier QR code or skip it temporarily and push it after enrollment.

To push the eSIM after enrollment:

1. Go to Manage > Devices.
2. Select the iPad.
3. Open Actions > Network > Update eSIM.
4. Enter the SM-DP+ server URL provided by the carrier.
5. Send the action to the device.

For the Hexnode UEM app not installing, check the VPP license status first. If all available licenses for the Hexnode UEM app are already assigned, the app cannot be deployed to additional devices.

Recommended checks:

1. In Apple Business Manager, acquire or transfer enough licenses for the Hexnode UEM app to the same VPP location token that is synced with Hexnode.
2. In Hexnode UEM, go to Admin > Apple Business/School Manager > Apple VPP and run Sync.
3. Confirm that the Hexnode UEM app shows available VPP licenses under the Apps section.
4. Retry the app installation.

Also make sure the Required Apps policy contains the correct Hexnode UEM App Store/VPP app, not a web app entry with a similar name. If an app allowlist is configured, the correct Hexnode UEM app should be added there as well.

It worked, but the remaining problem was compliance. The Compliance Information section showed the Phone app under Blocklisted apps, even though Phone was already in the allowlist. A Scan for Apps completed successfully, but the device was still marked non-compliant.

If the Hexnode UEM app is installed correctly and the required/allowlisted app configuration is correct, run a device inventory refresh and re-evaluate compliance.

Use these actions:

1. Go to Manage > Devices and select the affected iPad.
2. Run Actions > Scanning and Monitoring > Scan device.
3. If app inventory is stale, also run Scan for Apps.
4. After the scan action succeeds, reopen Device Summary > Compliance Info and check the listed reason.

If Data Protection is the only failed compliance item, verify whether the device has a passcode. iOS data protection compliance can fail when no passcode is configured. For shared or loaner iPads where passcodes are intentionally not used, disable the Data Protection requirement in the relevant iOS compliance policy.

For the case where the built-in Phone app is incorrectly reported as blocklisted even though it is allowlisted, a fresh Scan device action should update the compliance state once the app compliance evaluation is corrected. In this scenario, the affected iPads were marked compliant after running the scan.

Regards,
Simon Scott
Hexnode UEM