How to fix a broken or non-renewed MDM client

On Izzy Macs, the MDM client can sometimes break or fail to renew automatically for a variety of reasons. A functional, renewed MDM client is critical to the successful operation and management of an Izzy Mac. REBUILDING THE COMPUTER WILL RESOLVE THE PROBLEM, but if you don’t wish to do that, it can usually be fixed by performing the following steps.

NEW NOTE (Jan 2026) – you no longer need to re-escrow the bootstrap token!

HOW TO: Update/renew the MDM Client Profile:

  1. Reboot the computer and log into it with an account that has a Secure Token (usually um-support is sufficient, but if the computer was a home build, use the account the home system was built with). If you are unsure which accounts on the computer have a Secure Token, reach out to the Mac Team and we will let you know which accounts will work for this process.

  2. Open the "Terminal" application, run this command, and enter the account credentials when prompted:

                sudo profiles renew -type enrollment

  3. A “Device Enrollment” notification prompt will appear under the clock. When you see it, select “Update” under Options.

NOTE: If you are helping somebody do this over Bomgar or any other remote session, the notification prompt may be hidden for various reasons; if you click on the clock, the notification should show up underneath it. That notification is required to continue with updating the enrollment!

  4. After you click “Device Enrollment” → “Options” → “Update”, System Settings should launch and you’ll get an “Update Device Enrollment” dialog box. Click “Update” on that and enter the account credentials when prompted.

NOTE: If the system is a “home” build, the credentials requested after you click the “Update” button will be the user’s credentials, so use those.

This should be the end of the first step. However, there are a couple of caveats:

  • It may take a few attempts to get the notification or the required “Update Device Enrollment” box. If you do not get them the first time, reboot and try again.

  • Clicking the “Update” button above may fail with a dialog box about a “different URL”. If you see that, stop here and schedule a rebuild of the computer with the user. If you do a rebuild, you do not need to follow these steps at all.

Once that finishes, if the computer has any outstanding OS updates, please install them. After all of this is done, the setup bootstrapper may run; that is normal. Just let it proceed until it finishes.
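As an added check before you report success (an example script, not part of this how-to or of any Mac Team tooling), you can confirm the enrollment state from the Mac's own `profiles` tool. The script assumes that `profiles status -type enrollment` prints an "Enrolled via DEP:" line and an "MDM enrollment:" line as in the constructed sample in its comments; the reason strings are the script's own wording.

```shell
#!/bin/sh
# Added example: verify the MDM enrollment after "sudo profiles renew -type enrollment".
# Assumed output of `profiles status -type enrollment` (constructed sample):
#   Enrolled via DEP: Yes
#   MDM enrollment: Yes (User Approved)

# Extract one field ("Enrolled via DEP" or "MDM enrollment") from status text.
mdm_field() {
    printf '%s\n' "$2" | sed -n "s/^$1:[[:space:]]*//p"
}

# Exit status 0 when the text shows DEP enrollment and a user-approved MDM
# enrollment (the state a renewed Izzy Mac should be in), 1 otherwise.
mdm_status_ok() {
    [ "$(mdm_field 'Enrolled via DEP' "$1")" = "Yes" ] || return 1
    [ "$(mdm_field 'MDM enrollment' "$1")" = "Yes (User Approved)" ] || return 1
    return 0
}

# One-line explanation for the help-desk ticket (wording is this script's own).
mdm_status_reason() {
    dep=$(mdm_field 'Enrolled via DEP' "$1")
    mdm=$(mdm_field 'MDM enrollment' "$1")
    if [ "$dep" != "Yes" ]; then
        echo "not enrolled via DEP (Automated Device Enrollment)"
    elif [ "$mdm" = "Yes" ]; then
        echo "MDM profile present but not user-approved: approve it in System Settings"
    elif [ "$mdm" != "Yes (User Approved)" ]; then
        echo "no MDM enrollment: reboot and repeat the renewal steps"
    else
        echo "enrolled via DEP with user-approved MDM: ready to report success"
    fi
}

# Live check; only meaningful on the Mac itself, where `profiles` exists.
check_live_mdm() {
    if ! command -v profiles >/dev/null 2>&1; then
        echo "profiles tool not found: run this on the Mac" >&2
        return 2
    fi
    out=$(profiles status -type enrollment 2>&1)
    mdm_status_reason "$out"
    mdm_status_ok "$out"
}

if [ "${1:-}" = "--live" ]; then
    check_live_mdm
fi
```

Run it as `sh check_mdm.sh --live` on the Mac; a non-zero exit means the renewal is not yet complete.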

PLEASE CONTACT THE MAC ENGINEERING TEAM IN SLACK TO CONFIRM THE MDM RENEWAL WAS SUCCESSFUL.