iOS/iPadOS/macOS MDM status incorrectly shows automatic for manually enrolled devices that have been synced from ABM

[ddribeiro]

Fleet version: Tested and observed on Fleet 0.0.0-SNAPSHOT-07cbead

Web browser and operating system: iPad OS 18.3

---

💥  Actual behavior

An iOS device that gets enrolled to Fleet manually, but is synced to Fleet from ABM, will incorrectly show On (automatic) under MDM status. This implies that the device is supervised and could have a non-removable MDM enrollment profile when that is not the case.

This was reported by customer-deebradel who attempted to enroll an iOS device, but the “Remote configuration” screen did not appear during the Setup Assistant. They manually enrolled the device, but were confused about the actual management status/capabilities, as Fleet reported it as On (automatic) when they knew it was enrolled manually.

🧑‍💻  Steps to reproduce

1. Start with an iOS/iPadOS device that is not assigned to any MDM server in Apple Business Manager. Be sure to delete any previous records associated with that device from your test Fleet server.
2. Turn on the device and set it up. You should proceed through the Setup Assistant without enrolling in Fleet through ADE.
3. After the iOS device is set up, download a BYOD iOS/iPadOS for any team on your test Fleet server but do not install it yet.
4. Assign the test device to your Fleet server in ABM. Wait for the ABM sync to happen so you see the device in Fleet.
5. Now, install the BYOD enrollment profile that you downloaded in step 3. The device should enroll to your Fleet server.
6. Observe the device reports On (automatic) under MDM status. This is incorrect as the device was enrolled manually.

🕯️ More info (optional)

customer-deebradel confirmed the device in question was not supervised by sending a DeviceInformation MDM command with the IsSupervised query. The host responded with:

<key>IsSupervised</key>
 <false/>

More info in this Slack thread.

[getvictor]

Related issue for macOS: #24400

[marko-lisica]

Hey @ddribeiro, I'm trying to understand what the customer was trying to do exactly.

This was reported by customer-deebradel who attempted to enroll an iOS device, but the “Remote configuration” screen did not appear during the Setup Assistant.

Is this a bug as well? Was host in ABM when they tried to enroll?

What's the use case to manually enroll host that is in ABM already? Because they weren't able to get "Remote management" screen when host is wiped?

[ddribeiro]

@marko-lisica

Is this a bug as well?

Possibly a bug, but I think it's more likely to be caused by a network issue where the device activated with Apple but was unable to find an ABM assignment. In my experience with other MDMs, these issues are rare but do happen from time to time.

Was host in ABM when they tried to enroll?

Yes, the host was in ABM, assigned to Fleet, and synced to the Fleet server.

What's the use case to manually enroll host that is in ABM already? Because they weren't able to get "Remote management" screen when host is wiped?

That's what happened in this case. Unlike macOS hosts, iOS devices must be wiped to complete an ADE enrollment. Since this was a new device without any data on it, the customer would ideally wipe the device and attempt another ADE enrollment.

However, there might be some real-world examples where a device is assigned to Fleet in ABM after it's already been set up and established (maybe during an MDM migration), and it would be undesirable to erase the device to ADE enroll it. Some organizations might prefer a manual enrollment in this case, but Fleet would still show the MDM status as On (automatic).

[noahtalerman]

Hey @ddribeiro is this other issue, #24400, about a Mac showing up as "automatic"?

[ddribeiro]

@noahtalerman I haven't tested with Mac yet, but I can. Based on that issue #24400, it seems like this is the same issue.