Troubleshooting tips for errors occurring during Apple Configurator enrollment
Apple configurator is a popular tool used for enrolling corporate Apple devices. The following are the troubleshooting tips to resolve the possible errors that may occur during different stages of Apple configurator enrollment process.
Preparing the device
The first step to perform Apple Configurator enrollment is to prepare the device either directly or by creating a blueprint. Blueprint contains all the policies that has to be applied to the device. After creating a blueprint, apply that to the devices that has to be enrolled. We have collected some of the common problems that occur while preparing the device and have given proper resolution.
-
Unable to verify the server's enrollment URL. A server with the specified hostname could not be found.
Reason:
This message is shown on Apple Configurator when the MDM server is not reachable from the network you have connected the mac machine which is running Apple configurator or the host URL you have given in the apple configurator is incorrect.
Resolution:
- Check if the server is reachable to the Mac machine running Apple configurator. You can do this by entering the MDM server URL in your browser and try if it is reachable.
- Also, ensure that the host URL you have entered in Apple configurator is the same as the URL given in Apple configurator.
-
Unable to verify the server's enrollment URL. Unable to load, Code: 4xx, Description: unauthorized.
Reason:
This error message comes while preparing the blueprint or when directly preparing the device.
Resolution:
- Ensure if the URL entered in the previous step is correct by verifying it with the URL in the Apple configurator tab of the MDM server.
-
The device is not connected (or) The device is no longer connected.
Reason:
The USB cable gets unplugged from the device during enrollment.
Resolution:
- Ensure that the USB cable(s) are not unplugged/loose.
- Use only original USB cables purchased from Apple.
-
Unable to skip the prompt Enter Apple id & Password while configuring blueprint.
Reason:
If you have enabled the setting Add devices to Apple Business Manager or Apple School Manager while preparing the blueprint or preparing the device directly.
Resolution:
- Ensure if the setting Add to Apple Business Manager or Apple School Manager is unchecked while preparing blueprint or while preparing the device.
-
Fetching trust anchor certificates from MDM server.
Reason:
While configuring the blueprint, the screen gets stuck on fetching trust anchor certificates or if the certificates are not fetched.
Resolution:
- You can click on Next as this step does not affect the blueprint creation.
-
Pairing is prohibited by a policy on the device.
Reason:
If you want to enroll your device once again, but the restriction Allow iTunes pairing and other USB connections is applied in MDM server (or) the setting Allow devices to pair with other computers is unchecked in the Apple configurator while enrolling previously.
Resolution:
- When Allow iTunes pairing and other USB connections is applied - Remove the restriction from the MDM server and perform enrollment.(or) If you have enrolled via ABM previously, download the supervision identity certificate from MDM server, install it in keychain and use it in Apple configurator enrollment for the organization.
- When Allow devices to pair with other computers is unchecked - Use the same mac to do the enrollment which you have used previously or else factory reset the device in recovery mode.
-
Update the device to a newer system version to prepare it.
Reason:
This happens only if the device doesn't match the OS requirements.
Resolution:
- Only the devices which are above iOS version 11 can be enrolled via ABM. The device needs to be upgraded to iOS 11 manually and then it has to be added to DEP/ABM/ASM via Apple Configurator. Refer this to know the list of iOS devices supporting iOS 11.
-
Provisional enrollment failed. [MCCloudConfigErrorDomain - 0x80EF(33007)]
Reason:
If the device is unable to contact the ABM server, this error occurs.
Resolution:
- Check whether there is any error in the Wi-fi profile distributed to the device. Also ensure if there is proper network connectivity.
- Factory reset the device and proceed until the Wi-Fi configuration step. Prepare the device using Apple Configurator and follow the steps for adding it to ABM.
-
Provisional enrollment failed - Network Communication error.
Reason:
This happens if there is a network error while accessing Apple servers or MDM server or if the device is already present in the ABM/ASM portal and have enabled the Add devices to Apple Business Manager or Apple School Manager portal while preparing the blueprint or preparing the device .
Resolution:
- Check if the device is available in the server titled Devices added by Apple Configurator 2 or is assigned to a different server in the ABM portal. It is recommended to enroll devices through ABM.
- If you are unable to find the device, try connecting to a different network to enroll the device.
-
Failed to retrieve IMEI.
Reason:
This error occurs on Wi-fi only iPad where IMEI is not present in device.
Resolution:
- iPhone's IMEI number (which is required for enrollment in some cases), is automatically detected and the enrollment is completed. Since some iPad does not have an IMEI number this error is shown. Restore the device and try enrolling it again.
- Make sure that the configurator is updated to the latest version.
-
DMCTunnelErrorDomain - 0x36B2(14002)
Reason:
This happens if the device is already present in ABM/ASM portal and the device is assigned to any server in the ABM portal.
Resolution:
- It is recommended to retain the device in ABM and proceed with ABM enrollment instead of Apple Configurator enrollment.
- You can either un assign/release the device from ABM portal and then prepare the device using configurator.
Note: Once you have unchecked this setting, the devices will not be added in the ABM portal, the user can remove the device from management. If this setting is checked, the devices will be added to the ABM portal and cannot be removed from management after 30 days.
During device activation
There are few issues that may occur during device activation. We have explained those errors with proper troubleshooting tips below.
-
Profile installation failed.
Reason:
When the MDM server time and Secure Gateway Server time are not in sync with each other.
Resolution:
- Check if Central server time and Secure Gateway Server time are in sync with each other.
- Factory reset in recovery mode. Check this to factory reset in iPhone and iPod,iPad
-
Cancelled.
Reason:
If the SSL certificate used in MDM server doesn't match the Apple requirements, this issue occurs.
Resolution:
-
Request timed out.
Reason:
When the MDM server is unreachable to the device due to poor network connectivity.
Resolution:
- Ensure that the device can reach MDM server from the network used.
- Make sure that you can reach the Apple URL from the network you are trying to enroll the device.
- Check whether the DNS records are properly added for the server and its reachable from the network used.
- Go to Enrollment -> ABM/ASM enrollment -> Servers tab, modify and save the ABM token settings. Factory reset your device in recovery mode and try to enroll again. Check this to factory reset in iPhone and iPod,iPad
Note:
If you're using EC build above 2224.1, you should enable Tools and Remote control port (8443) for inbound traffic.
-
Invalid profile.
Reason:
The configuration for your iPhone could not be downloaded from organization name. This happens because of some errors in syncing ABM with MDM.
Resolution:
- Head to the server console,Enrollment -> ABM/ASM enrollment page and check whether any error is shown at the top. Resolve them.
- Factory reset your device in recovery mode and try to enroll again. Check this to factory reset in iPhone and iPod,iPad
While completing enrollment on the MDM console.
After activating the device, it marks the end of enrollment. Then we have to check the MDM console whether all the devices are enrolled. The following are the troubleshooting tips to the errors that occur during the final leg of enrollment.
-
Devices not linked under ABM tab.
Reason:
When devices are enrolled to ABM using Apple Configurator, the devices will be initially listed under Apple Configurator tab even though they are added to the ABM portal.
Resolution:
- The devices enrolled in ABM via apple configurator will be listed under Apple configurator tab. If you want the devices to be listed under ABM, then assign your ABM server in the portal and perform an ABM sync in MDM. The devices count will be updated after successful sync.
-
Apple configurator cannot access the Device Enrollment Program(DEP).
Reason:
You may encounter this error Apple Configurator 2 cannot access the Device Enrollment Program if there are network issues due to which https://mdmenrollment.apple.com is not reachable or when the Apple servers are down.
Resolution:
- Verify your network connectivity and try again after sometime.
-
Enroll devices not purchased from apple or authorized resellers.
Reason:
If you are trying to enroll devices not purchased from Apple or authorized resellers.
Resolution:
- Apple now allows adding iOS 11 or later, macOS 12.0.1 or later with Apple silicon or the Apple T2 Security Chip and tvOS devices not purchased directly from Apple or authorized resellers into ABM. Follow the steps given here to use Apple Configurator to add iOS devices, Mac devices and Apple TV devices to ABM.