
Troubleshooting tips for errors occurring when enrolled via ABM/ASM

Enrollment via ABM eases the role of the IT admin by providing bulk, out-of-the-box enrollment. Here are some of the common errors that occur during the different stages of this enrollment.

ABM portal errors

  1. After logging in to the Apple Business Manager (ABM) portal, you are unable to view the Add MDM Server button.

    The option to add MDM servers is available only when you have the Device Manager role assigned to you. Make sure the administrator has assigned the Device Manager role to you. Also, check if the admin has agreed to Apple's terms and conditions. To learn more about role management and the difference between roles in ABM and other Apple Deployment Programs, refer to the Roles in ABM user guide.

Syncing ABM with MDM

  1. MDM server is not able to contact ABM to sync devices.

    Check if mdmenrollment.apple.com is allowed along with other domains and ports listed here. Also, verify the availability of the required Apple services.

  2. You encounter the error "Technician removed from ABM server".

    If the technician who created the ABM server is removed from the MDM console, a new technician must be assigned to the ABM server in order to continue enrolling devices via ABM.

    • To assign a new technician, in the Apple Enrollment tab, click on Servers and click on Modify Settings under Action for the respective server.
    • In the pop-up window, click on Modify without modifying any settings. This will assign the currently logged in user as the owner for the server.


  • You are unable to perform a sync with the ABM server.

If you have not accepted the terms and conditions in ABM, the sync will fail. Go to the ABM portal and accept all the terms and conditions. Wait for some time and perform the sync once again.

During device activation

The following page appears when there is an error in enrollment during device activation.

Click Back to go to the previous page, click Next, and wait for some time until it redirects you to the error page. Note the error and look for it among the errors listed below.

  1. Request timed out.

    Reason:

    The server is unreachable from the device because of poor network connectivity.

    Resolution:

    • Ensure that the device can reach the MDM server from the network used.
    • Make sure that you can reach the Apple URL from the network on which you are trying to enroll the device.
    • Check whether the DNS records are properly added for the server and that it is reachable from the network used.
    • Go to Enrollment -> ABM/ASM enrollment page -> Servers tab, then modify and save the ABM token settings. Factory reset your device in recovery mode and try to enroll again. Check this to factory reset an iPhone, iPod, or iPad.

    Note:

    If you're using an EC build above 2224.1, you should enable the Tools and Remote control port (8443) for inbound traffic.

  2. Configuration of the profile cannot be downloaded.

    Reason:

    This issue happens when you cannot reach the MDM server from the network used.

    Resolution:

    • Ensure that you can reach the MDM server from the network used.
    • Make sure your proxy/firewall allows this connection properly. If you are using a Secure Gateway server, ensure its server time is in sync with the MDM server's time.
    • On the server console, go to Enrollment -> ABM/ASM enrollment page and check whether any error is shown at the top. Resolve any errors shown.
    • Factory reset your device in recovery mode and try to enroll again. Check this to factory reset an iPhone, iPod, or iPad.
  3. Invalid profile or HTTP - 403 Forbidden.

    Reason:

    The Configuration for your iPhone could not be downloaded from organization name. This happens because of errors in syncing ABM with MDM.

    Resolution:

    • On the server console, go to Enrollment -> ABM/ASM enrollment page and check whether any error is shown at the top. Resolve any errors shown.
    • Factory reset your device in recovery mode and try to enroll again. Check this to factory reset an iPhone, iPod, or iPad.
  4. Cancelled.

    Reason:

    This error happens when your enterprise SSL certificate does not satisfy the requirements.

    Resolution:

    • If you are using an enterprise SSL certificate, ensure it satisfies the requirements mentioned here.
  5. The cloud configuration server is unavailable.

    Reason:

    If no MDM server is assigned to a Mac in the ABM portal and the Mac hasn’t been synced in the MDM server, attempting to enroll it through ABM using a terminal command will result in this error.

    Resolution:

    To resolve this error, follow these steps:

    • Log in to the ABM portal and assign the Mac to an MDM server.
    • In the MDM console, navigate to Enrollment > Enroll through ABM/ASM, select the assigned server, and perform a sync.
    • Once synced, enter the enrollment command in the device’s terminal. The device should now enroll successfully.
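
The reachability checks called for above (mdmenrollment.apple.com under Syncing ABM with MDM, and the MDM server in errors 1 and 2) can be narrowed to the stage that fails. This is an added example, not part of the original page or the vendor's tooling; it assumes it is run from the same network as the device, and `mdm.example.com` is a placeholder for your own MDM server's FQDN.

```python
import socket
import ssl

# Each failure stage points at a different resolution step on this page.
HINTS = {
    "dns": "name does not resolve from this network: check the DNS records",
    "tcp": "host or port not reachable: check firewall and proxy rules",
    "tls": "TLS handshake failed: check the server certificate or an intercepting proxy",
    "ok": "reachable over TLS",
}

def probe(host, port=443, timeout=5.0):
    """Return (stage, detail): the first stage that failed, or 'ok'."""
    try:
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns", str(exc)
    try:
        # create_connection tries every resolved address (IPv4 and IPv6).
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "tcp", str(exc)
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "ok", tls.version()
    except OSError as exc:  # ssl.SSLError and timeouts are OSError subclasses
        sock.close()
        return "tls", str(exc)

def diagnose(targets, timeout=5.0):
    """Probe each (host, port) pair and return one readable line per target."""
    lines = []
    for host, port in targets:
        stage, detail = probe(host, port, timeout)
        lines.append(f"{host}:{port} [{stage}] {HINTS[stage]} ({detail})")
    return lines

if __name__ == "__main__":
    # mdm.example.com is a placeholder; replace it with your MDM server's FQDN.
    for line in diagnose([("mdmenrollment.apple.com", 443), ("mdm.example.com", 443)]):
        print(line)
```

A `tls` result against your own MDM server while mdmenrollment.apple.com reports `ok` suggests the problem is on the server side (its certificate or a gateway in front of it) rather than the network's path to Apple.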

MDM console errors

  • Why are my devices not listed under Apple Business Manager (ABM) tab when I add the devices to ABM using Apple Configurator?

    When devices are enrolled to ABM using Apple Configurator, the devices will initially be listed under the Apple Configurator tab even though they are added to the ABM portal. On reset, the device gets listed under ABM.

  • Even after successful sync, the device is not listed in the MDM server under Enrollment -> Apple -> Apple Enrollment (ABM/ASM) -> Devices.

    Check if the device has been enrolled in the MDM server using an enrollment method other than ABM. Remove the device from management, reset the device, and sync again with the server. The device is then listed under Enrollment -> Apple -> Apple Enrollment (ABM/ASM) -> Devices.

Forbidden Errors

The following are the 2 cases of Forbidden errors encountered:

  1. Server deleted in ABM/ASM:

    If the ABM/ASM server associated in the MDM console is deleted from the ABM/ASM portal, a forbidden error occurs. To resolve this error, delete the server from the MDM console and create a new one.

  2. Using a load balancer:

    An ABM/ASM sync error will be encountered if a load balancer is used. In that case, all outgoing requests to ABM (mdmenrollment.apple.com) must be routed through the same outgoing IP address, because an ABM sync is a series of operations and, if the IP address changes in between, Apple will invalidate it and send an error.
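
To confirm whether a sync is leaving through more than one outgoing IP, the egress firewall or NAT log can be grouped into sync bursts and checked for address changes. This is an added example, not part of the original page; the log layout, the addresses and the 60-second gap used to separate one sync from the next are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

ABM_HOST = "mdmenrollment.apple.com"
# Assumed log layout: timestamp, internal source, post-NAT egress IP, destination.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) nat=(?P<nat>\S+) dst=(?P<host>[^:\s]+):\d+$")

# Constructed sample: the 10:00 sync changes egress IP midway, the 12:30 sync does not.
SAMPLE_LOG = """\
2024-05-14T10:00:01Z src=10.0.0.5 nat=203.0.113.10 dst=mdmenrollment.apple.com:443
2024-05-14T10:00:03Z src=10.0.0.5 nat=203.0.113.10 dst=mdmenrollment.apple.com:443
2024-05-14T10:00:04Z src=10.0.0.9 nat=203.0.113.11 dst=example.org:443
2024-05-14T10:00:06Z src=10.0.0.5 nat=203.0.113.11 dst=mdmenrollment.apple.com:443
2024-05-14T12:30:00Z src=10.0.0.5 nat=203.0.113.11 dst=mdmenrollment.apple.com:443
2024-05-14T12:30:02Z src=10.0.0.5 nat=203.0.113.11 dst=mdmenrollment.apple.com:443
garbage line that should be skipped
"""

def parse(log_text):
    """Yield (timestamp, src, egress_ip) for well-formed lines destined for ABM."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["host"].lower() == ABM_HOST:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            yield ts, m["src"], m["nat"]

def find_ip_changes(log_text, gap=timedelta(seconds=60)):
    """Return sync sessions (bursts separated by more than gap) that used several egress IPs."""
    sessions = {}  # src -> list of sessions, each a list of (ts, egress_ip)
    for ts, src, nat in sorted(parse(log_text)):
        runs = sessions.setdefault(src, [])
        if runs and ts - runs[-1][-1][0] <= gap:
            runs[-1].append((ts, nat))   # same sync, still in progress
        else:
            runs.append([(ts, nat)])     # silence longer than gap: a new sync
    findings = []
    for src, runs in sessions.items():
        for run in runs:
            ips = sorted({nat for _, nat in run})
            if len(ips) > 1:
                findings.append({"src": src, "start": run[0][0].isoformat(), "egress_ips": ips})
    return findings

if __name__ == "__main__":
    for finding in find_ip_changes(SAMPLE_LOG):
        print(finding)
```

Any finding means the MDM server's traffic to ABM is not pinned to a single outgoing address, which is the condition described above.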

Restoring Data

  • Error after migrating data between Mac devices enrolled via ABM

    Apple does not support migration with ABM devices, and migration through Time Machine will break ABM enrollment. Migrating data from an old Mac to a new one results in the new certificates in the keychain being replaced with the old certificates, which leads to loss of connection with the MDM server. In these scenarios, you can back up the data to an external drive and re-enroll the device.

  • Users are unable to transfer data from old iPhone to new iPhone.

    Users won't be able to migrate data using peer-to-peer transfer on iOS devices during ABM/ASM enrollment. This is because Apple does not support Quick transfer for ABM-enrolled devices. However, users can transfer data using iCloud, Finder, or iTunes.
