Redirecting devices removed from MDM back to Casper portal

  • Updated 5 years ago
  • Answered
I've set up a student SSID on my network with a captive web portal for AUP acceptance. I've also connected this to our JAMF Casper Suite.

What I want to do is this: have an SSID that student iPads connect to. I want to use the device's Casper enrolment status to determine whether the device gets access to the internet.

Right now, I can do the following:

If a device with no record in Casper connects to the SSID, it is correctly redirected to the Casper enrolment portal. I can enrol the device with no problems and then it can get access to the internet.

Next, I removed the Casper MDM profile from the iPad. I did not remove the device's record in Casper. This means there does exist a device record with the iPad's UDID and serial number but Casper knows that the MDM profile has been removed (i.e. the "enrolled status" is "no").

What I expected to happen: the next time I tried to access the Internet through the student SSID, I would be redirected to the Casper portal.

What actually happened: the device got free access to the internet.

Is there something I'm omitting to set here? This Aerohive YouTube video - https://www.youtube.com/watch?v=Xcgn55... - states at the end (@6:20) that, if a student removes the MDM enrolment profile, they will be redirected to the portal.

Thanks for any help.

Fraser Speirs

Posted 5 years ago

Bradley Chambers, Champ

Welcome to the community!

For those that don't know Fraser, he deployed the first 1:1 iPad school in the world and has a wealth of knowledge in the educational technology community! We are glad he's a part of the Aerohive family.

His blog is a great resource (http://www.speirs.org)!

Amanda

Ditto! Welcome to the HiveNation family, Fraser.

Abby S, Employee

Hi Fraser! Welcome! Yes that's exactly the expected behavior - that we detect the profile was uninstalled and redirect them to the portal to re-enroll the device. What type of authentication do you have enabled on the SSID? If this isn't working as expected for you, please open a ticket with our support team - we need to take a closer look!!

Andrew Garcia, Official Rep

Sorry about that, I somehow missed the part where Fraser said Enrollment = no.

Fraser Speirs

Thanks Abby. The SSID had open authentication on it - the idea being that students could freely connect to that SSID and we would depend on their ability to enrol a device in Casper to govern their access to the internet (I'm not settled on that idea btw, just testing).

I'll file this with support and see what we can find. The devices were enrolled in such a way that Casper would be notified when the profile was removed.

Fraser Speirs

Logged as case #00044811 with support. Thanks.

Andrew Garcia, Official Rep

Hi Fraser,

The Aerohive devices query JAMF by doing a live lookup to the JSS server. If the device with the removed profile is still in the JSS mobiledevices inventory, then Aerohive will continue to respect the JSS' perspective on things.

I have found in my testing that how you removed the profile from the device can have an impact. If the iPad is on the network when you remove the profile and can contact the JSS, then the JSS inventory will be updated appropriately. But if the iPad is off network when the profile is removed or cannot otherwise contact the JSS, then the inventory will not be updated at this time. Instead, you need to rely on the JSS' built-in scavenger settings to remove devices that have not checked in for a while.

I believe that scavenger period can be adjusted in the JSS, but you should talk with JAMF support to discuss the implications of adjusting that setting.

Fraser Speirs

Some follow-up on this:

I have discovered that I was misunderstanding exactly *when* the Aerohive system does the Casper lookup.

In the procedure above, I was assuming that Aerohive was checking with Casper on every web access. This was wrong. I have discovered that Aerohive checks the enrolment with Casper when the device associates with the network.

So I did the following test:

1. Took an unenrolled device
2. Associated with our student SSID, which has MDM enrolment enabled
3. Attempted to access the internet and was, correctly, prompted to enrol.
4. Enrolled the device and got free access to the internet
5. Removed the MDM enrolment profile
6. Turned off WiFi in Settings
7. Turned on WiFi in Settings
8. Reconnected to our Student SSID

The result was then as expected: the device was captured into the Casper enrolment portal.

I think this will work fine for us. Most of our devices go out of school every night and will have to re-associate with the network in the mornings, so any un-enrolled devices will be detected. For the devices that stay in school, our Student SSID is only available 8am-4pm M-F, so they too would have to re-associate at some point.
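
The timing behaviour worked out in this thread, as an added example (not written by any poster, Aerohive or JAMF): a small Python model of how long a device keeps access after its MDM profile is removed. It assumes, as the thread describes, that the enrolment lookup happens only at association and that the JSS learns of a removal only if the device can reach it; the event names and both timelines are constructed.

```python
def unenrolled_access_windows(events, end_time):
    """Return (start, end) spans where the device had access while unenrolled.

    events: (minute, kind, jss_reachable) tuples in time order. All hypothetical.
    """
    actual = jss_view = access = False
    windows, open_since = [], None
    for t, kind, jss_reachable in events:
        if kind == "associate":
            access = jss_view            # the only point where the JSS is consulted
        elif kind == "disassociate":
            access = False
        elif kind == "enrol":
            actual = jss_view = access = True   # portal enrolment grants access
        elif kind == "remove_profile":
            actual = False
            if jss_reachable:
                jss_view = False         # JSS is told only if the device can reach it
        exposed = access and not actual
        if exposed and open_since is None:
            open_since = t
        elif not exposed and open_since is not None:
            windows.append((open_since, t))
            open_since = None
    if open_since is not None:           # still exposed when observation ends
        windows.append((open_since, end_time))
    return windows

# Constructed timeline A: profile removed while on the SSID, re-association later.
ON_NETWORK_REMOVAL = [
    (0, "associate", None), (5, "enrol", None),
    (60, "remove_profile", True), (240, "associate", None),
]
# Constructed timeline B: profile removed off network, so the JSS record stays stale.
OFF_NETWORK_REMOVAL = [
    (0, "associate", None), (5, "enrol", None), (480, "disassociate", None),
    (600, "remove_profile", False), (1440, "associate", None),
]

if __name__ == "__main__":
    print("A:", unenrolled_access_windows(ON_NETWORK_REMOVAL, 480))
    print("B:", unenrolled_access_windows(OFF_NETWORK_REMOVAL, 1500))
```

In timeline A the exposure ends at the next association; in timeline B it stays open until the stale JSS record is cleaned up, which is the scavenger behaviour mentioned above.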