MDM receives 'Checkout' from DEP enrolled device


#1

Hello all !

MDm Protocol document about Checkout command :

In iOS 5.0 and later, and in macOS v10.9, if the CheckOutWhenRemoved key in the MDM payload is set to true, the device attempts to send a CheckOut message when the MDM profile is removed.
In macOS v10.8, the device attempts to send a CheckOut message when the MDM profile is removed regardless ofthe value of this key (or its absence).If network conditions do not allow the message to be delivered successfully, the device makes no further attempts to send the message
Source : https://developer.apple.com/enterprise/documentation/MDM-Protocol-Reference.pdf

Generally ‘Checkout’ message is received when User removes MDM Profile , however in case of DEP devices , end users will not be able to remove MDM profile. Also only way of removing MDM Profile is sending remove command over the air. In my case, MDM did not send any remove profile command , but randomly MDM profile is removed and Checkout message is posted to MDM.

Has any one experienced this behavior?


#2

it is also possible to terminate the management relationship with the device by responding to a device request with a 401 unauthorized. You can try checking your web server logs to see if this is the cause of the problem.

Terminating a Management Relationship

You can terminate a management relationship with a device by performing one of these actions:

• Remove the profile that contains the MDMpayload. An MDM server can always remove this profile, even if it does not have the access rights to add or remove configuration profiles.

• Respond to any device request with a 401 Unauthorized HTTP status. The device automatically removes the profile containing the MDM payload upon receiving a 401 status code.