Updates

Automating Mac Automated Device Enrollment Status

Shops that refurbish Macs have a problem: when a Mac previously used by an organization is sold to a shop that plans to refurbish and resell it, the shop asks that the device be removed from Apple Business Manager or Apple School Manager, and the device is typically released from management. If a Mac is sold without being released, however, the enrollment record remains: when a fresh OS is installed and the Mac is set up, the new user will be prompted (and potentially forced) to enroll in an MDM they know nothing about.

To avoid this, shops need a way to check whether a Mac is configured for automated enrollment in an MDM. Enrollment is keyed on the Mac’s serial number, and Apple doesn’t provide an external way to query a specific serial number to check whether it has a DEP record. This either causes problems for the end customer or leaves the shop checking DEP status on each machine as a final step. A much better way to deal with enrollment is to resolve the issue before it happens, i.e., to know whether the Mac is enrolled before even touching it.

Thanks to the work of Pepijn Bruienne, Jesse Peterson, and Victor Vrantchan in 2015, there is an interesting way to go about doing this (see this forum for more info). If you set a virtual machine (VM), such as one in VMWare Fusion, to report the serial number of the Mac in question and boot it, the VM presents that serial number to Apple during setup, and the response tells you whether the serial has a DEP enrollment record.

This process is tedious and time consuming, so I created a script that does it for you. The checkdep script:

  1. Reads in a list of serial numbers
  2. Sets that serial number on a VMWare Fusion VM running macOS
  3. Starts up the VM
  4. Uses SSH to log in to the VM remotely
  5. Runs the command that checks the serial number's enrollment status
  6. Prints whether that serial number is enrolled and, if so, the enrollment record

Requirements

Setup

  1. Install Catalina in a VM by dragging the Catalina installer onto the VMWare Fusion icon
  2. Name the VM “Catalina” and follow the prompts to complete the install
  3. Create an admin user and log in
  4. Install VMWare Tools
  5. Optional: Create a snapshot so you can go back to a clean configuration as needed
  6. On the host Mac running the VM (not in the VM itself), create an SSH key by opening Terminal, running ssh-keygen, and answering the questions (when asked for a passphrase, leave it blank):
tcadmin@mdscentral-6 ~ % ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/tcadmin/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /Users/tcadmin/.ssh/id_rsa.
Your public key has been saved in /Users/tcadmin/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:/bQU+vN9LxaFlB/IFAWnlRgoVv0B+Jtwhg1C/B0pPwk tcadmin@mdscentral-6.local

7. On the host Mac, open ~/.ssh/id_rsa.pub and copy the public key:

tcadmin@mdscentral-6 ~ % cat ~/.ssh/id_rsa.pub 
ssh-rsa <public key data omitted> tcadmin@mdscentral-6.local

8. In macOS running in the virtual machine, create a .ssh folder and a file named “authorized_keys” for the root user, and put the host Mac's public key into it:

#get a root shell
sudo su -
#<enter admin password>

#create the ssh directory in root's home and set correct permissions
#(sshd refuses keys in a directory that is group- or world-writable)
mkdir ~/.ssh
chmod 700 ~/.ssh

#put the public key from the host Mac into the authorized_keys file on the VM Mac
#(replace the key below with the one copied from your own host)
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC7WtECboXU9/8u+Nj2euF1FQOs5DsqWz6EWbqiL6bq0FP0WNGO61o0xjHEsp4KdkmTJZX/Vlv+vSg0zun6V1KfzB9A9pg1mTjSXIK5fDTBHVRYjQijYFkYbG2+NOKckgsHruNJC6RwLiCVfwvTvf+jOZcUe1Csn9oIVdmBDL+JbXPEHMGYkVueCXWHEDy7EZSp7NdmJT1MuoNSz0fyTA+zTqg/VZeMIT5w2dHYaxP9NSonuEvN9Q+WyxbizhJk62O6si125xHRP1js24daCePIfdsyXrIZvH2SHd9k6IyKgDDZTQavR9YjpK/mBEiOQ4gwTKV6S17rmAmyrziaC/SvU3nZc6A2MEI30zJTaGvzYC9pS5b5OH8BSmxBomu5CJb8XYRJdfEXqNPnOdNXibFU83J0U2zGWkdtHZAfWRwgQVpFj+uP33zRJeM5zG/9zZbmmH9JGWTiKhHLhkPtfejaeOTpddpEGLvDFpOVpNQvm8z8H80hIB8o2yWbcjjrTus= tcadmin@mdscentral-6.local" > ~/.ssh/authorized_keys

#restrict the key file to root only
chmod 600 ~/.ssh/authorized_keys

9. In the VM Mac, open System Preferences and select Sharing. Set the Computer Name to “catalinavm” and turn on Remote Login:

10. You should now be able to ssh from the host Mac to the VM without a password. On the first connection you will be prompted to trust the VM's host key; if so, type yes and press return:

mdscentral-6:~ tperfitt$ ssh root@catalinavm.local
The authenticity of host 'catalinavm.local (fe80::1409:3bdc:8485:6042%bridge100)' can't be established.
ECDSA key fingerprint is SHA256:BQVtYc0u/zzqQJJkWruuMCocGMNTAVQKrjBh4X+S5nE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'catalinavm.local,fe80::1409:3bdc:8485:6042%bridge100' (ECDSA) to the list of known hosts.
Last login: Wed Oct  6 14:47:28 2021 from fe80::caf:9219:650b:730c%en0

11. Shut down the VM by selecting Shut Down from the Apple menu. This is important: it makes sure all the settings get saved.

12. Download the script from https://bitbucket.org/twocanoes/checkdep and run it with no arguments to see the usage:

Usage: ./checkdep.sh [-v] [-n <vm_hostname>] [-f <path_to_vmx_file>] [-r <path_to_vm_run_command>] -m <path_to_vm> <serial numbers>

13. To check a list of serial numbers, run it like this:

./checkdep.sh -m "/Users/tperfitt/Virtual Machines.localized/Catalina.vmwarevm"  C07SERIAL01 C07SERIAL02 C07SERIAL03 C07SERIAL04 C07SERIAL04

You must specify -m with the path to your VM, followed by the serial numbers to check, separated by spaces. If you did not set the VM Mac's Computer Name to “catalinavm”, specify the name with the -n option:

  ./checkdep.sh -n <vm_hostname> -m "/Users/tperfitt/Virtual Machines.localized/Catalina.vmwarevm"  C07SERIAL01 C07SERIAL02 C07SERIAL03 C07SERIAL04 C07SERIAL04

The other options are for non-standard configurations, such as VMWare Fusion not being installed in /Applications or the use of a custom vmx file.

14. When the script runs successfully, it prints the DEP record for each serial (or a note that none was found):

time  ./checkdep.sh -m "/Users/tperfitt/Virtual Machines.localized/Catalina.vmwarevm" C07SERIAL01 C07SERIAL02

searching for DEP records C07XXXXXXXXX C07XYYYYYYYY
------------------
C07SERIAL01 no DEP record found
------------------
C07SERIAL02 Device Enrollment configuration
Device Enrollment configuration: { AllowPairing = 0; AwaitDeviceConfigured = 1; ConfigurationURL = "https://enroll.mosyle.com/MDMServiceConfig/?og=dep&account=twocanoes"; IsMDMUnremovable = 1; IsMandatory = 1; IsSupervised = 1; MDMProtocolVersion = 1; OrganizationAddress = "34 W. Chicago Ave, STE A, Naperville, IL 60540"; OrganizationAddressLine1 = "34 W. Chicago Ave"; OrganizationAddressLine2 = "STE A"; OrganizationCity = Naperville; OrganizationCountry = USA; OrganizationEmail = "tperfitt@mac.com"; OrganizationMagic = twocanoes; OrganizationName = "Twocanoes Software"; OrganizationPhone = 6303059601; OrganizationZipCode = 60540; SkipSetup = ( Passcode, Registration, Restore, AppleID, TOS, Biometric, Payment, Zoom, Siri, Diagnostics, FileVault, iCloudDiagnostics, iCloudStorage, Privacy, Appearance ); }
------------------

real	0m50.305s
user	0m0.930s
sys	0m0.194s

Note: the command above was run under the “time” command (optional); a full lookup takes an average of 25 seconds per serial number.
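When a refurbisher runs checkdep over a batch of serials, the interesting part of each result is buried in that one-line record: which organization still owns the device, which MDM host it will be sent to, and whether the profile is marked unremovable. As an added example (not part of the original post and not code from the checkdep script), here is a small Python parser for that output. It handles the old-style property-list dictionary syntax shown in the transcript above (quoted strings, bare words and integers, nested ( ... ) arrays and { ... } dictionaries) and produces one summary row per serial. The sample output embedded in it is constructed to match the transcript's shape; the organization fields and MDM URL are placeholders, not a real lookup.

```python
"""Parse checkdep.sh output into structured enrollment records (added example)."""
import re
from urllib.parse import urlparse

# Constructed sample modelled on the checkdep transcript above; organisation
# fields and the MDM URL are placeholders, not the result of a real lookup.
SAMPLE_OUTPUT = """searching for DEP records C07SERIAL01 C07SERIAL02
------------------
C07SERIAL01 no DEP record found
------------------
C07SERIAL02 Device Enrollment configuration
Device Enrollment configuration: { AllowPairing = 0; AwaitDeviceConfigured = 1; ConfigurationURL = "https://enroll.example.invalid/MDMServiceConfig/?og=dep&account=example"; IsMDMUnremovable = 1; IsMandatory = 1; IsSupervised = 1; MDMProtocolVersion = 1; OrganizationName = "Example Org"; OrganizationPhone = 5555550100; SkipSetup = ( Passcode, Registration, AppleID ); }
------------------
"""

# Old-style plist tokens: "quoted string", bare word, or one of { } ( ) ; , =
_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|([^\s{}();,=]+)|([{}();,=])')


def _tokenize(text):
    for m in _TOKEN.finditer(text):
        if m.group(1) is not None:
            yield "str", m.group(1).replace('\\"', '"')
        elif m.group(2) is not None:
            yield "bare", m.group(2)
        else:
            yield "punct", m.group(3)


class _Parser:
    """Recursive-descent parser for { key = value; ... } and ( a, b, ... )."""

    def __init__(self, text):
        self.toks, self.i = list(_tokenize(text)), 0

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def _next(self):
        tok = self._peek()
        self.i += 1
        return tok

    def _expect(self, ch):
        tok = self._next()
        if tok != ("punct", ch):
            raise ValueError(f"expected {ch!r}, got {tok[1]!r}")

    def value(self):
        kind, val = self._next()
        if (kind, val) == ("punct", "{"):        # dictionary: key = value; ...
            out = {}
            while self._peek() != ("punct", "}"):
                kkind, key = self._next()
                if kkind not in ("str", "bare"):
                    raise ValueError(f"bad dictionary key {key!r}")
                self._expect("=")
                out[key] = self.value()
                self._expect(";")
            self._next()
            return out
        if (kind, val) == ("punct", "("):        # array: a, b, ...
            out = []
            while self._peek() != ("punct", ")"):
                out.append(self.value())
                if self._peek() == ("punct", ","):
                    self._next()
            self._next()
            return out
        if kind == "bare" and re.fullmatch(r"-?\d+", val):
            return int(val)                      # unquoted integer
        if kind in ("str", "bare"):
            return val
        raise ValueError(f"unexpected token {val!r}")


def parse_enrollment_record(line):
    """Parse a 'Device Enrollment configuration: { ... }' line into a dict."""
    _, _, body = line.partition(":")
    return _Parser(body).value()


def parse_checkdep_output(text):
    """Map each serial in checkdep output to its record dict, or None if absent."""
    results = {}
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for idx, line in enumerate(lines):
        if line.endswith(" no DEP record found"):
            results[line.split()[0]] = None
        elif line.endswith(" Device Enrollment configuration"):
            serial = line.split()[0]
            nxt = lines[idx + 1] if idx + 1 < len(lines) else ""
            if not nxt.startswith("Device Enrollment configuration:"):
                raise ValueError(f"missing record body for {serial}")
            results[serial] = parse_enrollment_record(nxt)
    return results


def summarize(results):
    """One row per serial with the fields a refurbisher needs to act on."""
    rows = []
    for serial, rec in results.items():
        if rec is None:
            rows.append({"serial": serial, "enrolled": False})
            continue
        rows.append({
            "serial": serial,
            "enrolled": True,
            "organization": rec.get("OrganizationName"),
            "mdm_host": urlparse(rec.get("ConfigurationURL", "")).hostname,
            "unremovable": rec.get("IsMDMUnremovable") == 1,
            "skipped_setup_panes": rec.get("SkipSetup", []),
        })
    return rows


if __name__ == "__main__":
    for row in summarize(parse_checkdep_output(SAMPLE_OUTPUT)):
        print(row)
```

Pipe the script's output into this (for example `./checkdep.sh -m ... SERIALS | python3 parse_checkdep.py` after swapping SAMPLE_OUTPUT for sys.stdin.read()) and the enrolled serials come out as rows that can go straight back to the seller as the list of devices still to be released from Apple Business Manager or Apple School Manager.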