Restoring user from TimeMachine during SetupAssistant after Automatic Device Enrollment does not enable it for User Channel MDM management

Originator: michalm.mac
Number: rdar://FB9682567 Date Originated: 2021-10-06
Status: Open Resolved:
Product: macOS Product Version: 12.0 Monterey Beta 8 21A5534d
Classification: Incorrect/Unexpected Behavior Reproducible: Always
 
There are two features in the macOS SetupAssistant which do not play well with each other: Remote Management (Automatic Device Enrollment) and Migration Assistant (restoring a Mac from a Time Machine backup). This problem applies to all versions of macOS, but this feedback was tested specifically against macOS 12.0 Monterey Beta 8 21A5534d.

There are multiple problems related to these features. In this feedback I am going to illustrate restoring only the user account files from Time Machine together with Automatic Device Enrollment.
There is a second feedback FB9682501 dealing with the problem of restoring all files.

# Prepare the scenario

First we need to create a Time Machine backup that we are going to be using later.

1. If the Mac is in Apple Business Manager, use the MDM to remove the cloud/DEP profile from ABM so no Automatic Device Enrollment occurs during SetupAssistant
2. The Mac has the latest version of macOS Big Sur installed and is NOT enrolled in the MDM
3. Upgrade the Mac to the latest version of macOS Monterey. Currently Beta 8 21A5534d
4. Initiate Erase All Content and Settings from System Preferences to get a Mac in a fresh macOS Monterey state
5. Proceed through the macOS SetupAssistant
6. Personalize the user account (wallpaper, data, apps, etc.)
7. Create a Time Machine backup

Prepare the Mac for Automatic Device Enrollment.
We can use the same Mac from which we created the backup or a different one. It does not matter.

1. Assign MDM DEP/Cloud profile (+ other MDM features) to the Mac we are going to enroll via ADE.
  - Authentication during enrollment: Yes
  - Supervision: Yes
  - SetupAssistant panes to be skipped: NONE
  - Computer account: administrator
  - Managed administrator created by the MDM: NO
2. Initiate the Erase All Content and Settings to get a Mac with fresh macOS Monterey

# Steps to reproduce

Now we try to combine Automated Device Enrollment with Time Machine Restore during SetupAssistant.

1. Start the Mac with fresh install of macOS Monterey
2. Proceed through the macOS SetupAssistant
3. There is a Remote Management pane. Let it enroll the Mac into the MDM
4. There is a Migration Assistant pane. Use it to restore the Mac from the Time Machine Backup we created earlier
  - Restore only the files of the User account(s)
  - Enter the passwords of all users to be migrated
  - Let it do the migration
5. When macOS boots up, log into the user account
6. Use MDM to issue any command through the User channel.

# Expected result

One of the users we migrated would be enabled for User Channel MDM management.

# Actual result

None of the users is enabled for User Channel MDM management. Device channel MDM management works.

# Workaround

1. Manually unenroll the Mac from the MDM.
2. Manually enroll the Mac into the MDM using the user account which you want to be managed by the User Channel MDM management.

# Possible solution

Take this situation into account. During the migration of the user account allow the operator to select one account which is going to be managed by the MDM User Channel management.
