Device Enrollment (DEP) is part of Apple Business Manager and Apple School Manager and provides a way for Macs (and iOS devices) to receive initial configuration when the device first starts up. This configuration is hosted by Apple and is used by the Mac during Setup Assistant. If the Mac doesn’t receive the enrollment record, or shows an error, the cause can be difficult to find. Viewing the record helps troubleshoot enrollment issues.

How DEP works

On any Mac with a freshly installed OS (a new Mac or a reinstalled macOS), Setup Assistant downloads the activation record from Apple and prompts the user to allow Remote Management.

There is an in-depth look at the activation record on the MicroMDM wiki.

Showing the Activation Record

On a Mac that has an activation record, you can view the activation record by running the following command in Terminal:

sudo profiles show -type enrollment

If there is an activation record, it is printed:

M-C07XH97ZJYVW:~ tcadmin$ sudo profiles show -type enrollment
Password:
Device Enrollment configuration:
{
    AllowPairing = 1;
    AnchorCertificates =     (
        {length = 872, bytes = 0x30820364 3082024c a0030201 02020900 ... 1b70eb29 e243dfba }
    );
    AwaitDeviceConfigured = 1;
    ConfigurationURL = "https://mdscentral.local:8443/mdm/enroll";
    IsMDMUnremovable = 0;
    IsMandatory = 1;
    IsMultiUser = 0;
    IsSupervised = 1;
    MDMProtocolVersion = 1;
    OrganizationAddress = "34 W. Chicago Ave, STE A, Naperville, IL 60540";
    OrganizationAddressLine1 = "34 W. Chicago Ave";
    OrganizationAddressLine2 = "STE A";
    OrganizationCity = Naperville;
    OrganizationCountry = USA;
    OrganizationEmail = "support@twocanoes.com";
    OrganizationName = "Twocanoes Software";
    OrganizationPhone = "630 555 1212";
    OrganizationSupportPhone = "630 555 1212";
    OrganizationZipCode = 60540;
    SkipSetup =     (
        Appearance,
        AppleID,
        Biometric,
        Diagnostics,
        DisplayTone,
        Location,
        Payment,
        Privacy,
        Restore,
        ScreenTime,
        Siri,
        TOS,
        FileVault,
        iCloudDiagnostics,
        iCloudStorage,
        Registration
    );
}

You’ll notice that it doesn’t print the entire AnchorCertificates, and that is an important piece of information to know. To see the full AnchorCertificates, write the record to a file by adding the -output flag:

sudo profiles show -type enrollment -output activationrecord.txt

The file “activationrecord.txt” now contains the full activation record:

M-C07XH97ZJYVW:~ tcadmin$ sudo profiles show -type enrollment -output activationrecord.txt
M-C07XH97ZJYVW:~ tcadmin$ cat activationrecord.txt 
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>AllowPairing</key>
	<true/>
	<key>AnchorCertificates</key>
	<array>
		<data>
		MIIDZDCCAkygAwIBAgIJAPaH/gI0JsBgMA0GCSqGSIb3DQEBCwUAMCgxCzAJ
		BgNVBAYTAlVTMRkwFwYDVQQDDBBtZHNjZW50cmFsLmxvY2FsMB4XDTIwMDUy
		MTEzNTcxNloXDTIyMDgxOTEzNTcxNlowKDELMAkGA1UEBhMCVVMxGTAXBgNV
		BAMMEG1kc2NlbnRyYWwubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
		ggEKAoIBAQCaEGs8doiQsC06NVbjC0Pxn+dGrpApdwrSRq2SHNuw2ra7QS+c
		UfqG3Oqc2p/FJjlZVy73nSvHMzWz4b91ekSZ0DdKkdFoJpvYI5BhXEfTPL4a
		sBj01gYvclbzvEDhikufiLllTXWJpBejjSEB2OL3P24eus+uLLzoAJ+JzL5E
		zcBdZdVE//HahyGGLkZ/8i+QfIbP/x1B8PVXqt+zPphFPHUmJjqEyriFLBs6
		/kqjZ/bpO3yPUh57XcwYEeSMLTqMXN62Wh64gVfaXAS2qCENjCC7jSs4pXni
		1xaUu0hky1BrNt4DYj0f7jyz6JzSo0s15FxhP2K7iEcugXls/2wXAgMBAAGj
		gZAwgY0wCQYDVR0TBAIwADATBgNVHSUEDDAKBggrBgEFBQcDATAdBgNVHQ4E
		FgQU45mRDSHakiAJDn0qWPGfaTGi61cwHwYDVR0jBBgwFoAU45mRDSHakiAJ
		Dn0qWPGfaTGi61cwDgYDVR0PAQH/BAQDAgWgMBsGA1UdEQQUMBKCEG1kc2Nl
		bnRyYWwubG9jYWwwDQYJKoZIhvcNAQELBQADggEBACABUl2MND9gW9QlL7Ju
		UUNMLQGeRWBAm+iFxGf92xlMkZp84/vMlpYhg9YGTnaiV/nj+D61l2VQ/vZ0
		bUFjfQ0STfhDdlSvnULTvtiw5mmBlEM4Vu0YMGuDP2d7VJFxljtl+8jgnlJU
		v87Ts7Zd77zyjJmRbGrNDrx4heNhHmjpXI8YlRdDxf3JtNqyMCn9euPNqLMz
		JTGhkIY2RRaouGT7KBSgjuKzkNVTgTlSUYAdi8FA2eDh6PjdfToH59Wt+2PJ
		yYGhTB869Pp8kMc9Y26ZA5Msir2mUccyjjM7FR2N2oeE2crjCeC2oTDdfkXF
		TxfEZ0sO7m+EG3DrKeJD37o=
		</data>
	</array>
	<key>AwaitDeviceConfigured</key>
	<true/>
	<key>ConfigurationURL</key>
	<string>https://mdscentral.local:8443/mdm/enroll</string>
	<key>IsMDMUnremovable</key>
	<integer>0</integer>
	<key>IsMandatory</key>
	<true/>
	<key>IsMultiUser</key>
	<false/>
	<key>IsSupervised</key>
	<true/>
	<key>MDMProtocolVersion</key>
	<integer>1</integer>
	<key>OrganizationAddress</key>
	<string>34 W. Chicago Ave, STE A, Naperville, IL 60540</string>
	<key>OrganizationAddressLine1</key>
	<string>34 W. Chicago Ave</string>
	<key>OrganizationAddressLine2</key>
	<string>STE A</string>
	<key>OrganizationCity</key>
	<string>Naperville</string>
	<key>OrganizationCountry</key>
	<string>USA</string>
	<key>OrganizationEmail</key>
	<string>support@twocanoes.com</string>
	<key>OrganizationName</key>
	<string>Twocanoes Software</string>
	<key>OrganizationPhone</key>
	<string>630 555 1212</string>
	<key>OrganizationSupportPhone</key>
	<string>630 555 1212</string>
	<key>OrganizationZipCode</key>
	<string>60540</string>
	<key>SkipSetup</key>
	<array>
		<string>Appearance</string>
		<string>AppleID</string>
		<string>Biometric</string>
		<string>Diagnostics</string>
		<string>DisplayTone</string>
		<string>Location</string>
		<string>Payment</string>
		<string>Privacy</string>
		<string>Restore</string>
		<string>ScreenTime</string>
		<string>Siri</string>
		<string>TOS</string>
		<string>FileVault</string>
		<string>iCloudDiagnostics</string>
		<string>iCloudStorage</string>
		<string>Registration</string>
	</array>
</dict>
</plist>

Verifying the Certificate

To verify the SSL certificate, copy the base64 data from “AnchorCertificates” to the clipboard, then decode it to DER with the base64 command and parse it with openssl (pbpaste reads the clipboard):

pbpaste|base64 -D|openssl x509 -inform der -text

The certificate details will be printed. Verify that the Validity dates are correct and that the DNS name in the Subject Alternative Name matches the hostname in the ConfigurationURL of the profile. Also note that macOS will consider the certificate invalid if the Validity period is longer than 820 days.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 17764446540604555360 (0xf687fe023426c060)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, CN=mdscentral.local
        Validity
            Not Before: May 21 13:57:16 2020 GMT
            Not After : Aug 19 13:57:16 2022 GMT
        Subject: C=US, CN=mdscentral.local
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:9a:10:6b:3c:76:88:90:b0:2d:3a:35:56:e3:0b:
                    43:f1:9f:e7:46:ae:90:29:77:0a:d2:46:ad:92:1c:
                    db:b0:da:b6:bb:41:2f:9c:51:fa:86:dc:ea:9c:da:
                    9f:c5:26:39:59:57:2e:f7:9d:2b:c7:33:35:b3:e1:
                    bf:75:7a:44:99:d0:37:4a:91:d1:68:26:9b:d8:23:
                    90:61:5c:47:d3:3c:be:1a:b0:18:f4:d6:06:2f:72:
                    56:f3:bc:40:e1:8a:4b:9f:88:b9:65:4d:75:89:a4:
                    17:a3:8d:21:01:d8:e2:f7:3f:6e:1e:ba:cf:ae:2c:
                    bc:e8:00:9f:89:cc:be:44:cd:c0:5d:65:d5:44:ff:
                    f1:da:87:21:86:2e:46:7f:f2:2f:90:7c:86:cf:ff:
                    1d:41:f0:f5:57:aa:df:b3:3e:98:45:3c:75:26:26:
                    3a:84:ca:b8:85:2c:1b:3a:fe:4a:a3:67:f6:e9:3b:
                    7c:8f:52:1e:7b:5d:cc:18:11:e4:8c:2d:3a:8c:5c:
                    de:b6:5a:1e:b8:81:57:da:5c:04:b6:a8:21:0d:8c:
                    20:bb:8d:2b:38:a5:79:e2:d7:16:94:bb:48:64:cb:
                    50:6b:36:de:03:62:3d:1f:ee:3c:b3:e8:9c:d2:a3:
                    4b:35:e4:5c:61:3f:62:bb:88:47:2e:81:79:6c:ff:
                    6c:17
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Subject Key Identifier: 
                E3:99:91:0D:21:DA:92:20:09:0E:7D:2A:58:F1:9F:69:31:A2:EB:57
            X509v3 Authority Key Identifier: 
                keyid:E3:99:91:0D:21:DA:92:20:09:0E:7D:2A:58:F1:9F:69:31:A2:EB:57

            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name: 
                DNS:mdscentral.local
    Signature Algorithm: sha256WithRSAEncryption
         20:01:52:5d:8c:34:3f:60:5b:d4:25:2f:b2:6e:51:43:4c:2d:
         01:9e:45:60:40:9b:e8:85:c4:67:fd:db:19:4c:91:9a:7c:e3:
         fb:cc:96:96:21:83:d6:06:4e:76:a2:57:f9:e3:f8:3e:b5:97:
         65:50:fe:f6:74:6d:41:63:7d:0d:12:4d:f8:43:76:54:af:9d:
         42:d3:be:d8:b0:e6:69:81:94:43:38:56:ed:18:30:6b:83:3f:
         67:7b:54:91:71:96:3b:65:fb:c8:e0:9e:52:54:bf:ce:d3:b3:
         b6:5d:ef:bc:f2:8c:99:91:6c:6a:cd:0e:bc:78:85:e3:61:1e:
         68:e9:5c:8f:18:95:17:43:c5:fd:c9:b4:da:b2:30:29:fd:7a:
         e3:cd:a8:b3:33:25:31:a1:90:86:36:45:16:a8:b8:64:fb:28:
         14:a0:8e:e2:b3:90:d5:53:81:39:52:51:80:1d:8b:c1:40:d9:
         e0:e1:e8:f8:dd:7d:3a:07:e7:d5:ad:fb:63:c9:c9:81:a1:4c:
         1f:3a:f4:fa:7c:90:c7:3d:63:6e:99:03:93:2c:8a:bd:a6:51:
         c7:32:8e:33:3b:15:1d:8d:da:87:84:d9:ca:e3:09:e0:b6:a1:
         30:dd:7e:45:c5:4f:17:c4:67:4b:0e:ee:6f:84:1b:70:eb:29:
         e2:43:df:ba
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
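The checks described above (validity dates, the 820-day limit, and the SAN name matching the ConfigurationURL host) can be automated against the file written by `profiles show -type enrollment -output`. The script below is an added example, not code from the Twocanoes article or the profiles tool: it parses the exported plist with the Python standard library and reads the certificate fields with a minimal DER walker, so it needs neither openssl nor a third-party module. The sample record embedded in it is constructed from the plist and certificate shown in the article; the `now` argument is a convenience for testing against a fixed date.

```python
"""Check the anchor certificate(s) in an exported DEP activation record.

Added example, not code from the article: automates the article's manual
checks (validity window, 820-day limit, SAN dNSName == ConfigurationURL host).
"""
import plistlib
from datetime import datetime, timezone
from urllib.parse import urlparse

MAX_VALIDITY_DAYS = 820                          # limit stated in the article
SAN_OID = bytes.fromhex("551d11")                # DER-encoded OID 2.5.29.17 (subjectAltName)
TAG_UTCTIME, TAG_DNSNAME, TAG_EXTENSIONS = 0x17, 0x82, 0xA3

# Constructed sample: the AnchorCertificates data and ConfigurationURL from the article's record.
CERT_B64 = (
    "MIIDZDCCAkygAwIBAgIJAPaH/gI0JsBgMA0GCSqGSIb3DQEBCwUAMCgxCzAJBgNVBAYTAlVTMRkwFwYDVQQDDBBtZHNjZW50cmFsLmxvY2FsMB4XDTIwMDUy"
    "MTEzNTcxNloXDTIyMDgxOTEzNTcxNlowKDELMAkGA1UEBhMCVVMxGTAXBgNVBAMMEG1kc2NlbnRyYWwubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw"
    "ggEKAoIBAQCaEGs8doiQsC06NVbjC0Pxn+dGrpApdwrSRq2SHNuw2ra7QS+cUfqG3Oqc2p/FJjlZVy73nSvHMzWz4b91ekSZ0DdKkdFoJpvYI5BhXEfTPL4a"
    "sBj01gYvclbzvEDhikufiLllTXWJpBejjSEB2OL3P24eus+uLLzoAJ+JzL5EzcBdZdVE//HahyGGLkZ/8i+QfIbP/x1B8PVXqt+zPphFPHUmJjqEyriFLBs6"
    "/kqjZ/bpO3yPUh57XcwYEeSMLTqMXN62Wh64gVfaXAS2qCENjCC7jSs4pXni1xaUu0hky1BrNt4DYj0f7jyz6JzSo0s15FxhP2K7iEcugXls/2wXAgMBAAGj"
    "gZAwgY0wCQYDVR0TBAIwADATBgNVHSUEDDAKBggrBgEFBQcDATAdBgNVHQ4EFgQU45mRDSHakiAJDn0qWPGfaTGi61cwHwYDVR0jBBgwFoAU45mRDSHakiAJ"
    "Dn0qWPGfaTGi61cwDgYDVR0PAQH/BAQDAgWgMBsGA1UdEQQUMBKCEG1kc2NlbnRyYWwubG9jYWwwDQYJKoZIhvcNAQELBQADggEBACABUl2MND9gW9QlL7Ju"
    "UUNMLQGeRWBAm+iFxGf92xlMkZp84/vMlpYhg9YGTnaiV/nj+D61l2VQ/vZ0bUFjfQ0STfhDdlSvnULTvtiw5mmBlEM4Vu0YMGuDP2d7VJFxljtl+8jgnlJU"
    "v87Ts7Zd77zyjJmRbGrNDrx4heNhHmjpXI8YlRdDxf3JtNqyMCn9euPNqLMzJTGhkIY2RRaouGT7KBSgjuKzkNVTgTlSUYAdi8FA2eDh6PjdfToH59Wt+2PJ"
    "yYGhTB869Pp8kMc9Y26ZA5Msir2mUccyjjM7FR2N2oeE2crjCeC2oTDdfkXFTxfEZ0sO7m+EG3DrKeJD37o="
)
SAMPLE_RECORD = f"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>AnchorCertificates</key><array><data>{CERT_B64}</data></array>
  <key>ConfigurationURL</key><string>https://mdscentral.local:8443/mdm/enroll</string>
</dict></plist>""".encode()


def der_tlv(buf, pos=0):
    """Read one DER element at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the contents of a constructed element into (tag, value) children."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def parse_time(tag, val):
    fmt = "%y%m%d%H%M%SZ" if tag == TAG_UTCTIME else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def parse_certificate(der):
    """Return (not_before, not_after, [SAN dNSNames]) from a DER-encoded X.509 certificate."""
    _, cert_val, _ = der_tlv(der)
    fields = der_children(der_children(cert_val)[0][1])     # TBSCertificate fields
    if fields[0][0] == 0xA0:                                # [0] EXPLICIT version (v3 certs)
        fields = fields[1:]
    validity = der_children(fields[3][1])                   # serial, sigalg, issuer, validity, ...
    not_before, not_after = parse_time(*validity[0]), parse_time(*validity[1])
    dns_names = []
    for tag, val in fields[6:]:
        if tag != TAG_EXTENSIONS:
            continue
        for _, ext_val in der_children(der_children(val)[0][1]):
            parts = der_children(ext_val)                   # OID, optional critical BOOLEAN, OCTET STRING
            if parts[0][1] == SAN_OID:
                names_val = der_children(parts[-1][1])[0][1]      # GeneralNames SEQUENCE contents
                dns_names += [v.decode("ascii") for t, v in der_children(names_val) if t == TAG_DNSNAME]
    return not_before, not_after, dns_names


def check_activation_record(plist_bytes, now=None):
    """Return one finding dict per anchor certificate; 'problems' is empty when all checks pass."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):                   # e.g. "2021-01-01T00:00:00+00:00"
        now = datetime.fromisoformat(now)
    record = plistlib.loads(plist_bytes)
    host = urlparse(record["ConfigurationURL"]).hostname
    findings = []
    for der in record.get("AnchorCertificates", []):
        not_before, not_after, names = parse_certificate(der)
        days = (not_after - not_before).days
        problems = []
        if now < not_before:
            problems.append("not yet valid")
        if now > not_after:
            problems.append("expired")
        if days > MAX_VALIDITY_DAYS:
            problems.append(f"validity period of {days} days exceeds {MAX_VALIDITY_DAYS}")
        if host not in names:
            problems.append(f"no SAN dNSName matches ConfigurationURL host {host}")
        findings.append({"host": host, "dns_names": names, "validity_days": days, "problems": problems})
    return findings


if __name__ == "__main__":
    for f in check_activation_record(SAMPLE_RECORD):
        print(f"{f['host']}: SAN={f['dns_names']} validity={f['validity_days']}d problems={f['problems'] or 'none'}")
```

To run it against a real export, replace `SAMPLE_RECORD` with the bytes of activationrecord.txt. Run today, the sample reports the article's certificate as expired (its Not After date is in 2022); the 820-day validity length and the mdscentral.local SAN still pass, which is exactly the split a troubleshooter wants to see.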

Troubleshooting at the Setup Assistant

Issues with DEP are commonly discovered when Setup Assistant does not show the Remote Management pane or shows an error. It is possible to open a Terminal window while Setup Assistant is running, but since the only available user at that point is _mbsetupuser, sudo cannot be used to run the command. To work around this, boot into Recovery and enable the root user:

  1. Boot to Recovery by restarting while holding Command-R, then open Terminal from the Utilities menu.
  2. Set a password for root (replace “Macintosh HD” with the name of your macOS volume):
    dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -passwd /Local/Default/Users/root
  3. Reboot by running the reboot command.

When Setup Assistant appears, press Control-Option-Command-T to open Terminal and run the profiles command as root:

su 
<Enter Root Password>
profiles show -type enrollment

This shows the current activation record exactly as Setup Assistant sees it in the machine’s current state, which makes it ideal for troubleshooting.

Use an MDS-installed user instead of root

If you are using an MDS workflow and have created a user with it, that user can be used to check the profile status instead of root. If the user name is “ladmin”, enter these commands to check the activation record:

su ladmin
<enter ladmin password>
sudo profiles show -type enrollment