Prevent users from skipping Automated Device Enrollment in macOS Ventura and later

      No Comments on Prevent users from skipping Automated Device Enrollment in macOS Ventura and later

While iPhones and iPads have always required internet connectivity to complete setup, Macs do not have this same requirement, allowing users to easily bypass Automated Device Enrollment (ADE).

Thankfully there is now a way to work around this limitation thanks to a new feature Apple added in macOS 13 Ventura.

Read on for the details…

macOS 13 Ventura

In macOS 13 Ventura released in 2022, Apple added a new feature to help address this problem.

macOS Ventura Internet Connection RequiredRequirement for internet access in Setup Assistant

The first time a Mac with macOS 13 or later is set up and connected to a network, it’s acknowledged as owned by an organization (Apple School Manager or Apple Business Manager). As long as the device remains registered to the organization, when the device is erased, Setup Assistant requires a network connection to proceed with future activations. The Mac computer requires Apple silicon or an Apple T2 Security Chip.

Unfortunately this feature only activates after a computer has been connected to the internet. This leaves a gap for brand new devices being setup for the first time.

Workaround

We work around this by having our warehouse DFU Restore every Mac, new or used, before shipping.

Performing a DFU Restore, even on new in the box Macs, accomplishes two goals:

  1. Our teammates never get an out-of-date Mac that immediately needs a Software Update. This helps contribute to a better overall onboarding experience.
  2. And more importantly for this post, Automated Device Enrollment / Remote Management cannot be skipped.

Why it works

The DFU Restore process, which erases the Mac and installs the latest release of macOS, includes an online activation of the computer with Apple’s servers. This is enough to enable the new feature!

Mac computers registered to an organization must connect to a network during Setup Assistant after being erased or reset.

Tradeoffs

This decision isn’t without tradeoffs of course.

  • It requires an extra touch to prepare a computer for shipping.
  • It requires an extra 10 minutes of time, although multiple computers can be DFU’ed at once to help offset this.
  • It will cost extra money if you outsource warehousing services.

All things considered, I still think it is worth it for the benefits outlined above. As a bonus it means our warehouse only needs to follow a single set of instructions for all Macs without consideration of if they are new or used.

Further reading:

 

Leave a Reply

Your email address will not be published. Required fields are marked *