Using Powershell to Assign iOS devices to DEP profile

Hello fellow admins!

As you can guess from the title, this post is dealing with a SCCM/Intune hybrid environment scenario. If you are in a hybrid environment you have probably noticed that using Apple DEP is a bit different than just using the Portal app on the phone. With that said, if you happen to be lucky enough to be able to delegate the mobile device management to another group. Then you will have probably also noticed that you can't limit security permissions below full admin if you want them to be able to assign devices to DEP.
Well have no fear, here is a nifty bit of powershell that you can setup to run on a schedule (hint: think CI). This handy script will lookup mobile devices and then assign them. Basically it does what this dialog does.


Now to the nitty gritty.

First off I recommend you familiarize yourself with the MSDN technical documentation for the method UpdateProfileIDForDevices, however what this documentation doesn't tell you is where the heck does RequestEnrollmentProfileId come from. Well you are in luck as I did a brief bit of digging and found you can get it from the WMI class SMS_MDMCorpEnrollmentProfiles, however be careful if you have more than one DEP enrollment profile. My script is based on the assumption that you only have one profile.

Once you have the RequestEnrollmentProfileID you can continue with your work. The WMI method UpdateProfileIDForDevices is found in the SMS_MDMCorpOwnedDevices WMI class. It takes two bits of information, the enrollment profile that we already found and the device serial number.

Finding the serial number(s) is actually easier than you might think. You can get them from WMI and only get the ones that haven't already been assigned. Here is the WMI query for you, however you will have to replace $ProfileID with the value of RequestEnrollmentProfileID.
select * from sms_mdmcorpowneddevices where (requestenrollmentprofileid is null or requestenrollmentprofileid <> '$ProfileID') and (DeviceType = '8')

Now you can throw those results in a loop and call the method and away you go. You now have a way to automate all that goodness.

Here is the script in its full glory. Enjoy!

$SiteServer = "SomeServer"
$SiteCode = "SomeCode"

$EnrollmentProfile = Get-WmiObject -Namespace "root\sms\site_$SiteCode" -Class SMS_MDMCorpEnrollmentProfiles -ComputerName $SiteServer
$ProfileID = $EnrollmentProfile.ProfileId

$MobileDevices = Get-WmiObject -Namespace "root\sms\site_$SiteCode" -Query "select * from sms_mdmcorpowneddevices where (requestenrollmentprofileid is null or requestenrollmentprofileid <> '$ProfileID') and (DeviceType = '8')" -ComputerName $SiteServer

If ($MobileDevices.Count > 0)
{
foreach ($md in $MobileDevices)
{
    $md.SerialNumber
    ([wmiclass]"root/SMS/site_$($SiteCode):SMS_MDMCorpOwnedDevices").UpdateProfileIdForDevices($ProfileID,$Md.SerialNumber)
}
}

Comments

  1. UnknownOctober 26, 2017 at 10:22 AM

    Hello again, looking at incorporating this, couple questions.
    So listing the SiteServer and SiteCode I get. For the ProfileID are we pulling the string listedon the created Enrollment profile?
    For example:
    $EnrollmentProfile = Get-WmiObject -Namespace "root\sms\site_$SiteCode" -Class SMS_MDMCorpEnrollmentProfiles -ComputerName $SiteServer
    $ProfileID = 4F9808DF-8C58-41F1-A38F-9C97BFE579F9.ProfileId

    ReplyDelete
    Replies
    1. hiway65nNovember 7, 2017 at 2:41 PM

      Yes it is the profileid of the DEP profile you are assigning to DEP devices.

      Delete
  2. UnknownNovember 3, 2017 at 1:51 PM

    Any thoughts on why the script does not work if I include...If ($MobileDevices.Count > 0)

    I can see multiple devices listed after running...
    Get-WmiObject -Namespace "root\sms\site_$SiteCode" -Query "select * from sms_mdmcorpowneddevices where (requestenrollmentprofileid is null or requestenrollmentprofileid <> '$ProfileID') and (DeviceType = '8')" -ComputerName $SiteServer

    ReplyDelete
    Replies
    1. hiway65nNovember 7, 2017 at 2:45 PM

      If the query is returning results then I'm not sure why it wouldn't be working. However you might try
      $MobileDevices.Count -gt 0
      sometimes powershell gets a little particular on compares.

      Delete

Post a Comment

Popular posts from this blog

Intune Hybrid - NDES Cert Issue

As many of you who might be running a SCCM/Intune hybrid scenario for MDM will have learned. There are a few to many certificates in use between NDES, Intune, Wifi Profiles, VPN profiles, and well anything else that may have a cert buried in it. We had an instance were the NDES wasn't handing out the certs for WiFi and VPN profiles. However it was handing out the base communication certificate so phones could sync correctly. This was one of those head scratchers on our park, but if you know where to look it makes sense. Problem is (at least in my opinion) there is a lack of useful documentation and the logging leaves a little to be desired. Therefore, I'm going to give a bit about our journey and hopefully help some of you folks out if you run into something similar. When we were notified of this issue, we started to look at the usual logs, you know CRP.log NDESPlugin.log those types of things. First thing you will notice is that the CRP.log will show the same message ove...
Read more

Stuck @ "Waiting for user logon"

This may or may not be something that you would commonly see in your environment. We only see it occasionally but it used to be a pretty common problem. One of my teammates found a technet forum post that addressed this specifically. Pretty interesting read if you are fighting this issue on a particular client. https://social.technet.microsoft.com/Forums/en-US/1569e1e2-91bc-435d-8998-beb817d5b453/waiting-for-user-logon?forum=configmanagergeneral Here is the meat and potatoes of the forum discussion. $CITask = get-wmiobject -query "select * from CCM_CITask where TaskState != ' PendingSoftReboot' AND TaskState != 'PendingHardReboot' AND TaskState != 'InProgress'" -namespace root\ccm\CITasks if ($CITask -ne $NULL) { $CITask | remove-wmiobject -Whatif $CITask | remove-wmiobject } ELSE { "CCM_CITasks is empty. Nothing to do" }
Read more

Triggering a software update install via Powershell

Howdy Folks This post is a holiday slice of pie. Today we focus on triggering update(s) that are deployed to a machine. Now for the pie filling. Triggering an update scan on a client: ([wmiclass]'ROOT\ccm:SMS_Client').TriggerSchedule('{00000000-0000-0000-0000-000000000113}') Trigger install of all updates: ([wmiclass]'ROOT\ccm\ClientSDK:CCM_SoftwareUpdatesManager').InstallUpdates() Here is a nice addition if you only want to install specific update(s) you just have to modify the select statement: ([wmiclass]'ROOT\ccm\ClientSDK:CCM_SoftwareUpdatesManager').InstallUpdates([System.Management.ManagementObject[]] (get-wmiobject -query 'SELECT * FROM CCM_SoftwareUpdate' -namespace 'ROOT\ccm\ClientSDK')) If you would like to see if there are updates applying, if true they are running: $CCMUpdate = get-wmiobject -query "SELECT * FROM CCM_SoftwareUpdate" -namespace "ROOT\ccm\ClientSDK" if(@($CCMUpdate | where { ...
Read more