@erikng
Created April 13, 2018 22:07
appleseed 2678570
We have noticed extremely inconsistent notifications with the following two tools that date back to pre-macOS Sierra and up to this latest beta. This is a debilitating bug for us as we are attempting to move our fleet to 100% DEP.
We are also tracking this on the AppleCare Enterprise side but do not feel like it is adequately being resolved (Enterprise ticket 100215613081).
Versions tested that are impacted:
10.11.6
10.12.0
10.12.1
10.12.2
10.12.3
10.12.4
10.12.5
10.12.6 beta 1, beta 2, beta 3 and beta 4
Older versions of macOS may be impacted as well but we gave up on trying to find when the regression began.
Reproduction Steps:
1. Configure a DEP-Capable MDM Server
2. Tie MDM server to deploy.apple.com
3. Assign a serial number of a macOS device to the MDM server
4. DO NOT assign this serial number a DEP profile in the MDM server.
5. Install one of the impacted macOS versions on the device
6. Go through the normal SetupAssistant
7. Once inside the desktop, open up terminal
8. Run /usr/libexec/mdmclient dep nag or /usr/bin/profiles -N (if available on the OS version). You will not receive an activation record and this is expected.
9. In the MDM server, assign a DEP profile
10. Re-run /usr/libexec/mdmclient dep nag or /usr/bin/profiles -N (if available on the OS version).
11. BUG HIT - user will not receive the enrollment notification prompt
Through working with the enterprise ticket there are two possible "workarounds" which are not working reliably enough for me to consider this fixed.
Workaround 1:
1. Run /bin/rm /Library/Keychains/apsd.keychain
2. Reboot machine
3. Re-run dep nag
Workaround 2:
1. Run /bin/rm /Library/Keychains/apsd.keychain
2. Run /usr/bin/killall apsd
3. Re-run dep nag
This was originally working but I have now run into a few test machines where this still does not result in the nag occurring.
In my original report, I noted this:
After installing the mdmclient debug logs profile and running `log stream --info --debug --predicate 'process contains "mdm"'` I have noticed the following messages:
ShouldEnroll(501) returned: no
PerformCloudConfigNotification: ShouldDisplay: no
I believe there is some mechanism in mdmclient that believes (erroneously) that the notification should not be displayed. What that trigger is, I do not know, but as stated, this bug is extremely disruptive. We cannot adequately move to DEP because of this.
We desperately need this fixed on macOS Sierra. Waiting for macOS High Sierra will be extremely disruptive.
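
Added example, not part of the original report: a small shell helper that reads saved mdmclient debug log text and reports whether the enrollment prompt was suppressed, based on the two messages quoted above. The function name, the output format, the sample lines' timestamp/process prefix, and the treatment of any ShouldDisplay value other than "no" as not suppressed are assumptions.

```shell
#!/bin/sh
# Added example, not from the original report. Summarises the notification
# decision mdmclient logged, reading saved log text on stdin.
# From the report: the two message strings. Assumed: any ShouldDisplay value
# other than "no" means the prompt was not suppressed.

dep_nag_summary() {
    awk '
    match($0, /ShouldEnroll\([0-9]+\) returned: [a-z]+/) {
        m = substr($0, RSTART, RLENGTH)
        uid = m;    sub(/^ShouldEnroll\(/, "", uid); sub(/\).*$/, "", uid)
        enroll = m; sub(/^.*returned: /, "", enroll)
        next
    }
    match($0, /PerformCloudConfigNotification: ShouldDisplay: [a-z]+/) {
        display = substr($0, RSTART, RLENGTH)
        sub(/^.*ShouldDisplay: /, "", display)
        verdict = (display == "no") ? "suppressed" : "not-suppressed"
        printf "uid=%s should_enroll=%s should_display=%s verdict=%s\n",
               (uid == "" ? "unknown" : uid),
               (enroll == "" ? "unknown" : enroll),
               display, verdict
        uid = ""; enroll = ""   # a decision pairs with the ShouldEnroll before it
        found = 1
    }
    # No decision lines at all usually means the debug profile is not active.
    END { if (!found) print "verdict=no-decision-logged" }
    '
}

# Constructed sample input: the timestamp and process prefix are invented.
SAMPLE_LOG='2018-04-13 15:02:11 mdmclient[312]: ShouldEnroll(501) returned: no
2018-04-13 15:02:11 mdmclient[312]: PerformCloudConfigNotification: ShouldDisplay: no
2018-04-13 15:02:12 mdmclient[312]: unrelated line'

printf '%s\n' "$SAMPLE_LOG" | dep_nag_summary
```

On a test machine, the output of the log stream command above can be saved to a file while re-running dep nag and then fed to dep_nag_summary on stdin.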