Troubleshooting Mac Device Enrollment

If Mac Device Enrollment is not performing as expected, you might need to troubleshoot issues or change settings.

Collect logs

The information is saved as a ZIP file that you can download with your browser.

From the Main menu, go to Shared Services > Mac Device Enrollment.
From the Mac Device Enrollment Overview page, click Help .
Click Collect, and then click Download.
The file productname-support.[timestamp].zip downloads to the local download directory.
Contact Tanium Support to determine the best option to send the ZIP file. For more information, see Contact Tanium Support.

Tanium Mac Device Enrollment maintains logging information in the Mac Device Enrollment.log file in the \Program Files\Tanium\Tanium Module Server\services\Mac Device Enrollment directory.

Unable to enroll devices

There are several possible reasons why a user might not be able to enroll a device. If you are unable to enroll devices with Mac Device Enrollment, see the following information.

Problem	Solution
An individual user cannot enroll a device.	Check the user's setting for the IdP attribute mapped to the Allow Users to Enroll field in Mac Device Enrollment. To enroll a device, the value must be set to True. If the setting is set to False, the user cannot enroll a device. For more information, see Configure identity providers.
No users can enroll devices.	Check that the Apple Push Notification Certificate has been uploaded, and that it is not expired. Check the status of the APNS service on the Apple System Status website to make sure the service is available: https://developer.apple.com/system-status/.

Problem

Solution

An individual user cannot enroll a device.

Check the user's setting for the IdP attribute mapped to the Allow Users to Enroll field in Mac Device Enrollment. To enroll a device, the value must be set to True. If the setting is set to False, the user cannot enroll a device. For more information, see Configure identity providers.

No users can enroll devices.

Check that the Apple Push Notification Certificate has been uploaded, and that it is not expired.

Check the status of the APNS service on the Apple System Status website to make sure the service is available: https://developer.apple.com/system-status/.

Unable to find download request file or upload response file

You need to generate a new request file in the following situations:

You misplaced the Download Request file before you sent it to Tanium Support.
You are unable to upload the response file from Tanium Support because of the Unable to process Onboarding Response File without customer details error.

From the Main menu, go to Administration > Shared Services > Mac Device Enrollment.
From the Mac Device Enrollment menu, click Configuration.
For MDM Tenant, click Configure .
In Step 1: Tenant Information, click Generate Request File.
Complete the process described in Create a Tanium MDM Cloud tenant.

Uninstall Mac Device Enrollment

Mac Device Enrollment has multiple components and therefore uninstalling is a multi-step process that requires you to take action on the Tanium Server and on the devices enrolled with Mac Device Enrollment.

Contact Tanium Support

Before you begin the Mac Device Enrollment uninstall process, contact Tanium Support and let them know you plan to uninstall so that you can be disconnected from the Tanium MDM Cloud.

Remove and manage user devices

Device users are immediately impacted when you unistall the Mac Device Enrollment services. You must have a plan to manage these devices, including how you will remove device configuration profiles, enrollment profiles, and initial applications and plans to clearly communicate next steps to the device users.

Have a plan for communicating next steps to device users that will be impacted by the uninstall process.
Use Enforce to remotely wipe the devices. Wiping the device removes the enrollment profile and any other remaining data.
Use Enforce to remove devices from Mac Device Enrollment. For more information, see Enforce User Guide: Remove a device. After you remove a device, when the device next tries to contact Mac Device Enrollment, it will receive an error. This causes the device to delete all device configuration profiles.

Uninstall the Mac Device Enrollment service

Do not begin the uninstall process before contacting Tanium Support.

After Tanium Support notifies you that it is safe to proceed with the uninstall process, from the Main menu, go to Administration > Configuration > Solutions.
In the Content section, select Mac Device Enrollment and click Uninstall.
Enter your Username and Password and then click Submit.

Contact Tanium Support

To contact Tanium Support for help, sign in to https://support.tanium.com.