DEP Certificate Expiry, Re-enrol help required for 250 devices.

Solved
np2018
Conversationalist

Hi, 

 

We are currently experiencing an issue with an expired DEP certificate and we are unable to re-enrol around 250 devices without factory resetting every iOS device. We have tried re-enrolling using m.meraki.com; however, we receive an error due to the expired DEP certificate already being installed. This appears to leave us with no other option than factory resetting all the devices to get them to re-enrol with DEP.

 

Really looking for any way to re-enrol these devices without the need to factory reset every handset if possible; this is going to be very time consuming and will cause a lot of upset with our users. Failing this, does anyone have any suggestions on how we can make this process easier?

 

Note: the previous certificate was replaced around 7 months ago and we don't have a copy of this. We contacted Apple to check if this can be recovered; however, they have advised it cannot.

 

Thanks 

 

1 Accepted Solution
Stoffe
Here to help

Hi!

 

As far as I know, if there haven't been any updates since my last try, the only option is to reset the iPads via Apple Configurator 2 (where you can bulk reset devices) and then run the setup assistant again. We had to put them in DFU (service) mode for this to work.

The thing is (if I remember correctly) that it's during the assistant that a token gets created for the DEP and that is what's controlling the certificates and so on. This is not a limitation in Meraki MDM, but just how the DEP works. Please, anyone, correct me if I'm wrong, but this was the case last summer when I had this exact problem.

 

If your users are comfortable with it, they can actually start the process themselves via iTunes on their computers and re-enroll with their accounts; this makes the step with Apple Configurator unnecessary.

MRCUR
Kind of a big deal

DEP re-enrollment requires a factory reset of the devices. 

MRCUR | CMNO #12
PhilipDAth
Kind of a big deal

This does not sound good.

 

Did you manage to renew the DEP certificate in the Meraki portal (I'm guessing not)?

 

If you load a new certificate instead of renewing you will be in a world of pain.

jhurley03
Conversationalist

Unfortunately, you have to factory reset them. I highly recommend making a note on your calendar to remind you to renew the certificate before it expires. A renewal takes about 5 minutes.

jared_f
Kind of a big deal

As stated above, a wipe and re-enroll is necessary. If preserving user data is necessary, have the user make a backup on their current device and restore it on a different device. This will allow the device to go through prestage enrollment and they will receive the fresh MDM profile. Then make a backup and restore on their original iPad.

Find this helpful? Click the kudos button. Thanks!
np2018
Conversationalist

Thanks everyone for the responses. I just started with the company a few months ago so I'm not aware of the full story; however, I believe there were problems importing the renewal certificate so a new one had to be added.

 

Looks like factory resetting for re-enrol is our only option, so we will just have to get started. We will try to use Apple Configurator/iTunes backup and swap to different handsets as suggested to help make the task easier.

Thanks for all your responses, much appreciated, calendar reminder set to renew next time.

 

It's not fun but has to be done. As stated before, make sure to set a reminder for renewal a week or so before the expiration date, invite a few colleagues in the reminder so that they can renew if you're on vacation. And, perhaps the most important part, just to make things easier (I was in your shoes, newly employed) DOCUMENTATION. Type down everything so that basically anyone can do it if need be. I started from scratch and had to figure everything out because the last guy had everything "in his head", no fun at all...

Good luck and send a message if you need to. /Chris

matt12345
Here to help

I know this is already solved, but just wanted to add. I accidentally renewed the certificate with the wrong Apple ID account, and all our devices had this error: 'x out of x devices are missing the certificate and need to be re-enrolled.'

Thankfully, I was able to regenerate and upload into Meraki a certificate using the correct Apple account, and they all righted themselves. They were all fine in our circumstance because the original certificate was still valid.. so if you discover your mistake before the certificates expire, you might have luck if you regenerate it using the proper account... thought it was worth a mention.