Restoring entire Mac from TimeMachine during SetupAssistant breaks Automatic Device Enrollment

Originator:michalm.mac
Number:rdar://FB9682501 Date Originated:2021-10-06
Status:Open Resolved:
Product:macOS Product Version:12.0 Monterey Beta 8 21A5534d
Classification:Incorrect/Unexpected Behavior Reproducible:Always
 
There are two features in macOS SetupAssistant which do not play well with each other: Remote Management (Automatic Device Enrollment) and Migration Assistant (restoring the Mac from a TimeMachine backup). This problem applies to all versions of macOS, but this feedback was tested specifically against macOS 12.0 Monterey Beta 8 21A5534d.

There are multiple problems related to these features. In this feedback I am going to illustrate the TimeMachine restore of all files together with Automatic Device Enrollment.

# Prepare the scenario

First we need to create a Time Machine backup we are going to be using later.

1. If the Mac is in the Apple Business Manager, use the MDM to remove cloud/DEP profile from the ABM so no Automatic Device Enrollment occurs during SetupAssistant
2. Mac has the latest version of macOS Big Sur installed and it is NOT enrolled in the MDM
3. Upgrade the Mac to the latest version of macOS Monterey. Currently Beta 8 21A5534d
4. Initiate the Erase All Content and Settings from System Preferences to get a Mac with fresh macOS Monterey state
5. Proceed through the macOS SetupAssistant
6. Personalize the user account (wallpaper, data, apps, etc.)
7. Create a TimeMachine backup

Prepare the Mac for Automatic Device Enrollment.
We can use the same Mac from which we created the backup or a different one. It does not matter.

1. Assign MDM DEP/Cloud profile (+ other MDM features) to the Mac we are going to enroll via ADE.
  - Authentication during enrollment: Yes
  - Supervision: Yes
  - SetupAssistant panes to be skipped: NONE
  - Computer account: administrator
  - Managed administrator created by the MDM: NO
2. Initiate the Erase All Content and Settings to get a Mac with fresh macOS Monterey


# Steps to reproduce

Now we try to combine Automated Device Enrollment with Time Machine Restore during SetupAssistant.

1. Start the Mac with fresh install of macOS Monterey
2. Proceed through the macOS SetupAssistant
3. There is a Remote Management pane. Let it enroll the Mac into the MDM
4. There is a Migration Assistant pane. Use it to restore the Mac from the Time Machine Backup we created earlier
  - Restore all data. (Users, Apps, Other Files and System Files)
  - Enter the passwords of all users to be migrated
  - Let it do the migration
5. When macOS boots up log into the user account
6. Use MDM to issue any command through the device channel.

# Expected result

At least the device channel MDM commands work. When the Mac gets the Apple push notification it successfully checks in with the MDM and executes whatever MDM commands the server wants it to run.

# Actual result

Device channel MDM commands do not work. The Mac gets the Apple push notification, but when it tries to connect to the MDM the log shows this error:

error	11:58:04.571723+0200	mdmclient	[ERROR] MDM_Connect: Unable to create MDM identity from persistent reference: -25304 (The specified item is no longer valid. It may have been deleted from the keychain.) for profile: Device Manager (6eff7eec-f566-41d6-bf11-0ee5799b2488:b1759c0f-9d45-4e81-82dd-c2d408a3620a)

# Workaround

If the user does NOT choose to restore the "System Files and Folders" from the TM backup, device channel MDM commands work.

# Possible reason

When Migration Assistant restores the "System Files and Folders" from the TM backup it overwrites the System keychain. The result is that the Mac is missing the TLS client certificate it needs to authenticate with the MDM, so it fails to connect and cannot retrieve any commands or queries.

# Possible solutions

A. Take the possibility of this situation into account. Migration Assistant launched during SetupAssistant could merge the System keychain containing MDM-related items with the System keychain from the backup.

B. Warn the user about what is going to happen: a Mac with the enrollment profile installed but a broken MDM configuration.

C. Remove all configuration profiles (even the enrollment profile) and make the user enroll the Mac again. Perhaps reuse the existing Automatic Device Enrollment notification system. (profiles renew -type enrollment)
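An admin who has to find Macs in this state (enrollment profile present, device channel dead) can look for exactly the `mdmclient` failure quoted under "Actual result". The script below is an added example, not part of the feedback or any Apple tooling: it counts those `-25304` identity failures in unified-log output, extracts the enrollment profile identifiers from them, and on a Mac pairs that with `profiles status -type enrollment` so the contradiction (enrolled, yet unable to load its MDM identity) is visible. The sample log lines and UUIDs are constructed; the `log show` predicate, the `profiles` invocations and the `-25304` error string are real, the last taken from the report.

```shell
#!/bin/sh
# Added example (not from the original feedback or from Apple).
# Detects the post-migration state where the System keychain no longer
# holds the MDM identity: mdmclient logs OSStatus -25304 on every
# device-channel check-in while `profiles status` still says "enrolled".

# Count log lines in which mdmclient could not recover the MDM identity
# from its persistent keychain reference. Reads lines from stdin.
count_mdm_identity_errors() {
    grep -c 'MDM_Connect: Unable to create MDM identity from persistent reference: -25304' || true
}

# Extract "<profile UUID> <payload UUID>" from such lines so the affected
# enrollment profile can be correlated with the MDM server's device record.
broken_profile_ids() {
    sed -n 's/.*for profile: .*(\([0-9a-f-]*\):\([0-9a-f-]*\)).*/\1 \2/p'
}

# Live check on macOS only (guarded so the script runs elsewhere without
# error). Prints the enrollment state, then the count of identity failures
# seen in the last hour. A non-zero count on an "enrolled" Mac is the
# symptom described in this report.
live_check() {
    if [ "$(uname)" != "Darwin" ]; then
        echo "not macOS: skipping live check" >&2
        return 0
    fi
    profiles status -type enrollment
    log show --last 1h --style compact \
        --predicate 'process == "mdmclient" AND eventMessage CONTAINS "MDM_Connect"' \
        | count_mdm_identity_errors
}

# Recovery path from solution C of the report: ask the Mac to refresh its
# Automatic Device Enrollment state. Requires an admin shell on the Mac.
renew_enrollment() {
    [ "$(uname)" = "Darwin" ] || return 0
    profiles renew -type enrollment
}

# Constructed sample: one healthy push-receipt line and two identity failures
# for the same enrollment profile. UUIDs are placeholders, not real values.
SAMPLE_LOG='info 11:58:01.000000+0200 mdmclient Received push notification for device channel
error 11:58:04.571723+0200 mdmclient [ERROR] MDM_Connect: Unable to create MDM identity from persistent reference: -25304 (The specified item is no longer valid. It may have been deleted from the keychain.) for profile: Device Manager (00000000-0000-0000-0000-000000000001:00000000-0000-0000-0000-000000000002)
error 11:59:04.000000+0200 mdmclient [ERROR] MDM_Connect: Unable to create MDM identity from persistent reference: -25304 (The specified item is no longer valid. It may have been deleted from the keychain.) for profile: Device Manager (00000000-0000-0000-0000-000000000001:00000000-0000-0000-0000-000000000002)'

# Run the detectors over the constructed sample (offline, any POSIX sh).
sample_error_count() {
    printf '%s\n' "$SAMPLE_LOG" | count_mdm_identity_errors
}

sample_profile_ids() {
    printf '%s\n' "$SAMPLE_LOG" | broken_profile_ids | sort -u
}

# Usage when run directly: show sample results, then the live check.
if [ "${0##*/}" = "mdm_identity_check.sh" ]; then
    echo "sample identity failures: $(sample_error_count)"
    echo "sample affected profiles: $(sample_profile_ids)"
    live_check
fi
```

The offline functions work on any `log show` output saved to a file (`log show ... > mdm.log; count_mdm_identity_errors < mdm.log`), which is handy for collecting evidence from affected Macs before deciding between re-enrollment (`renew_enrollment`) and a full erase.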
