Troubleshoot DEP Enrollments failing with expired OTPs
Overview
In Silverback 25.0, we introduced a third authentication mechanism for Automated Device Enrollments: authentication with the Self-Service Portal. Since then, some customers have reported that they can no longer enroll using the username and password option. Unfortunately, the various reports point in different directions regarding the actions that were performed before the issue appeared. These include updating the Device Enrollment Program token, changing the Apple Push Notification certificate, and making changes to the default profile, such as changing the user prompt text. In this article, we describe several steps to help you narrow down and potentially resolve the issue.
Starting Point
At this stage, we assume that the user has attempted to enroll their device through the Device Enrollment Program but was unable to do so after entering their username and password on the authentication screen. You then went to the Silverback Logs and identified the entry 'This device has an expired OTP for the Device Enrollment Program', and the device has either been kept switched on or has been switched off.
In general and for now, we believe the product code is working correctly, as the issue is not reproducible in any of our environments. However, we assume that something went wrong with assigning profiles earlier on, which now causes an issue in a migration scenario after updating to Silverback 25.0 or later, so it is time to perform some troubleshooting.
Step 1: Check Profile Assignment
- Open your Silverback Management Console and log in as an Administrator
- Navigate to Admin
- Select Device Enrollment Program
- Press Devices
- Check whether the Profile Name for the affected device is currently empty
- If it is, select the device and use the Assign Profile button to assign your Default Profile or any other Additional Profile
- After assigning the profile, it might take up to a minute until the profile is assigned in Apple Business Manager
- In the meantime, you can review your Logs; they should look like this:
- Navigate back to your Silverback Management Console
- Press Refresh in the Devices table; the assigned profile should now switch to the one you selected
- Now Factory Reset your device that failed with the enrollment error "This device has an expired OTP for the Device Enrollment Program"
- In the meantime, proceed to Step 2 to check whether authentication with a username and password is possible in Silverback at all
Step 2: Check Authentication
- Before you try the new enrollment, review your Activate Apple Location in the Device Enrollment Program section under General Settings:
  https://silverback.imagoverum.com/activate/AppleActivate
- By appending the following query strings to the end of the URL, you can check either the authentication with Username and Password or with Username and OTP:
  https://silverback.imagoverum.com/activate/AppleActivate?auth=1 (Digest = for Username and OTP)
  https://silverback.imagoverum.com/activate/AppleActivate?auth=2 (Basic = for Username and Password)
  For the current scenario, only the basic authentication is relevant, but you may also want to test the Username and OTP option.
- Now, open your browser in Incognito Mode
- Open your adjusted URL for checking the authentication with Username and Password:
  https://silverback.imagoverum.com/activate/AppleActivate?auth=2
- You should now see a login prompt
- Try to log in with your Username and Password
- If your credentials are correct, a *.mobileconfig file will be downloaded
- If the authentication fails, review your credentials and try to log in to the Self Service Portal with these credentials. If this keeps failing, review the Silverback Logs and consider updating your Cloud Connector if you use one.
- If the authentication was successful, you have confirmed that authentication with username and password is possible in Silverback in general
- After you have wiped your device, you can now retry the enrollment of your DEP device using Username and Password
- If the process still fails, proceed with the next chapter
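The browser check above can be scripted so the result is recorded rather than eyeballed. This is an added diagnostic, not Silverback code: it assumes (as the article's annotations state) that ?auth=1 offers a Digest challenge and ?auth=2 a Basic challenge, that an unauthenticated request is answered with 401 plus a WWW-Authenticate header, and that a delivered profile arrives as Apple's config MIME type or a *.mobileconfig attachment; the Digest handshake itself is not implemented, only its challenge is checked.

```python
"""Added diagnostic, not Silverback code: probe the Apple activation URL with
?auth=1 / ?auth=2 and report which HTTP authentication scheme it offers."""
import base64
import urllib.error
import urllib.request

# From the article: auth=1 -> Digest (username + OTP), auth=2 -> Basic
# (username + password). That an unauthenticated request is answered with
# 401 + WWW-Authenticate is an assumption about the endpoint.
EXPECTED_SCHEME = {1: "digest", 2: "basic"}

def header(headers, name):
    """Case-insensitive lookup; works for dicts and urllib's HTTPMessage."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""

def challenge_scheme(www_authenticate):
    """Scheme token of a WWW-Authenticate header, lower-cased ('' if absent)."""
    return www_authenticate.split(None, 1)[0].lower() if www_authenticate else ""

def classify_response(status, headers, auth_mode):
    """Map status + headers to a verdict for the selected auth mode."""
    if status == 401:
        scheme = challenge_scheme(header(headers, "WWW-Authenticate"))
        return "challenge-ok" if scheme == EXPECTED_SCHEME[auth_mode] else "challenge-mismatch"
    if status == 200:
        ctype = header(headers, "Content-Type").lower()
        disp = header(headers, "Content-Disposition").lower()
        # Assumption: a delivered profile is served with Apple's config MIME
        # type or as a *.mobileconfig attachment.
        if "apple-aspen-config" in ctype or ".mobileconfig" in disp:
            return "profile-delivered"
        return "unexpected-200"
    return "http-%d" % status

def probe(base_url, auth_mode, username=None, password=None):
    """GET <base_url>?auth=<mode>; Basic credentials are sent only for mode 2."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("refusing to send credentials over plain HTTP")
    req = urllib.request.Request("%s?auth=%d" % (base_url, auth_mode))
    if username and password and auth_mode == 2:
        token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return classify_response(resp.status, resp.headers, auth_mode)
    except urllib.error.HTTPError as err:
        return classify_response(err.code, err.headers, auth_mode)
```

Call probe("https://silverback.imagoverum.com/activate/AppleActivate", 2) without credentials first; "challenge-ok" confirms the Basic challenge is offered, and repeating the call with your own username and password should return "profile-delivered".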
Step 3: Create an additional profile and assign it to the device
- From the Device Enrollment Section, navigate to Additional Profiles
- Press New Profile
- Enter a Name, configure additional settings, and make sure to select a Language and to use Username and Password
- Press Save and confirm with OK
- Now, review the Registered at Apple column in the overview
- After some moments, press the refresh button inside the table
- The status should switch from No to Yes
- Once it has switched to Yes, navigate to Devices and assign this profile to your device. If it does not switch, you most likely missed the Language configuration; review the logs for additional information
- Wait until the profile is assigned to the device, then perform a factory wipe and try the enrollment again
- If this is not successful, proceed with Step 4
- If it is successful, assign the Default Profile to this device again, wipe it and check the enrollment again
- If this is still not successful, proceed with Step 4
Step 4: Use SSP as Authentication Method
- If you have reached this step, we simply recommend switching the Authentication Method to SSP, which leads users to the Self-Service Portal to enroll their devices. This enrollment method meets the latest security standards for the Device Enrollment Program and should be considered by everyone as the default method for the future. If this keeps failing, please get in touch with support.