iOS, Apple Configurator, WiFi association and Failing MDM enrollment

While attempting to manage my first iOS cart, I ran into a catch-22. We were using VPP app distribution, so an MDM server was needed, but when I went through the “Prepare” phase of Apple Configurator, or reset the iPads when they returned to the cart, they would fail to enroll in the MDM.

No MDM, no software install.

Our campus WiFi network utilizes 802.1x authentication, so the Prepare / Reset workflow in Apple Configurator should look like this:

iOS Install -> 802.1x WiFi mobileconfig -> MDM Enrollment profile -> App Install

This was supposed to happen each time an iPad returned to the cart (to return it to a fresh state), but about 70% of the time the iPads would fail to re-enroll in the MDM.

With the help of our crackerjack wireless folk, I was able to track this down to an over-aggressive timeout within Apple Configurator when applying the MDM enrollment profile. It simply would die with the error that the server was unreachable before the WiFi connection had been established. No check-and-retry – just march straight to failure.

After consulting with our Apple SE, and him in turn consulting with an internal iOS deployment specialist, a hidden preference came to the surface:

defaults write EnrollmentProfileInstallationDelay 20

(or some other number of seconds – don’t exceed 120).

This is applied in the user scope, so no “sudo” is needed. I upped mine to 40 seconds, restarted Apple Configurator and tried again with a stopwatch in my hand. It appears that this is a timeout value, because there was no 40-second delay, but it DID allow it to wait longer for the WiFi association to occur, and now my devices appear to associate without issue.

Other admins appear to have worked their way around this by staging the mobileconfig profiles. First pass, apply the WiFi config. Second pass, apply the MDM enrollment. While this works for 1-to-1 deployments, if you have a classroom cart with iPads that need to be wiped upon return it takes a ton of involvement by the admin – you must Unsupervise the devices, then Prepare, and finally apply the MDM enrollment in the Supervise stage each time they have to be wiped.

Increasing the enrollment delay appears to solve this so the staged enrollment technique isn’t necessary.
