With the release of iOS 13 last night, new Terms and Conditions were released.
This is an annual update; however, your MDM might not have responded as expected.
See below for some more details.
Why worry about the new Terms and Conditions?
Agreeing to these new Terms and Conditions is now an annual activity for those of us with an ABM/ASM/DEP account.
It’s a big deal too, which is why Apple emails “Program Administrators” in advance:
At the end of the email, there is the following link: https://support.apple.com/en-gb/HT203063.
The article is worth a quick read, especially the bullet point items at the end.
The item below is one of the more impactful for us Apple Admins:
In Apple School Manager, Apple Business Manager, and the Device Enrollment Program, you can’t assign new devices to your MDM server, even if you have selected the option to automatically assign new purchases to a specific MDM server. (https://support.apple.com/en-gb/HT203063)
How does the MDM know?
If you look at the last bullet point within the Apple article:
Your MDM server might report an error message like “403 T_C_NOT_SIGNED” when communicating with Apple’s device management servers. (https://support.apple.com/en-gb/HT203063)
This is the response that MDM servers were looking for, whilst the ABM/ASM/DEP account has Terms and Conditions to be agreed.
This has been the norm for a while now, so much so that some MDMs even have UI elements for when an attached ABM/ASM/DEP account has Terms and Conditions to be agreed (the two images below are from Jamf Pro & were added around Jamf Pro 10.12.0).
To be proactive, we’re aggregating all our Jamf Pro logs to a SIEM, from which alerts are triggered via events & calls are generated on our ticketing system where applicable (we’re talking about this some at JNUC 2019).
So, we were expecting to receive tickets for Customers which had ABM/ASM/DEP Terms and Conditions to be agreed. This shows in Jamf Pro’s logs as:
[llmentProgramDeviceHelper] - 403 The organization has not accepted latest Terms and Conditions of the program
Instead we were hit with another log message:
[ntInstanceSyncCommService] - com.jamfsoftware.jss.objects.streamlinedenrollment.service.DeviceEnrollmentProgramException: An error occurred during oauth token refresh
Which triggers a different alert for us:
So, what changed?
The issue is that, since the new Terms and Conditions were released & up to the time of writing, Apple is returning “403 FORBIDDEN” instead of the expected “403 T_C_NOT_SIGNED”.
Which, depending on the MDM, can have some repercussions.
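As an added example (not from this post, and not Jamf’s own code), here is a small Python classifier of the kind a SIEM rule could be built on. It maps both log signatures above to a single ticket type, so the alert fires whether Apple returns the expected “403 T_C_NOT_SIGNED” (which Jamf Pro logs as the “has not accepted latest Terms and Conditions” line) or the “403 FORBIDDEN” that surfaces as the oauth token refresh exception, and it raises at most one ticket per batch of log lines rather than one per line. The sample log lines are constructed; the timestamps and bracketed class names are placeholders, and only the message text follows the excerpts quoted above.

```python
import re
from collections import Counter

# Two Jamf Pro log signatures quoted in the post. Both map to one ticket type,
# because the oauth refresh error is how Apple's "403 FORBIDDEN" surfaced
# while Terms and Conditions were outstanding.
SIGNATURES = {
    "terms_not_accepted": re.compile(
        r"403 The organization has not accepted latest Terms and Conditions"
    ),
    "oauth_refresh_failed": re.compile(
        r"DeviceEnrollmentProgramException: An error occurred during oauth token refresh"
    ),
}
TICKET_TYPE = "dep_terms_outstanding"

# Constructed sample log: timestamps and bracketed class names are placeholders,
# only the message text follows the excerpts quoted in the post.
SAMPLE_LOG = """\
2019-09-20 08:01:12 [DepHelper] - 403 The organization has not accepted latest Terms and Conditions of the program
2019-09-20 08:01:40 [DepHelper] - 403 The organization has not accepted latest Terms and Conditions of the program
2019-09-20 08:02:03 [DepSync] - com.jamfsoftware.jss.objects.streamlinedenrollment.service.DeviceEnrollmentProgramException: An error occurred during oauth token refresh
2019-09-20 08:02:05 [PolicyHelper] - Policy 42 completed on computer 1001
"""


def classify_line(line: str):
    """Return the name of the signature a log line matches, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(line):
            return name
    return None


def ticket_summary(log_text: str) -> dict:
    """Collapse a batch of log lines into at most one ticket.

    Returns the ticket type, how many lines hit each signature, and whether a
    ticket should be opened. Raising one ticket per batch rather than per line
    means a switch by Apple between the two responses (or a burst of retries)
    does not multiply the ticket count on the helpdesk.
    """
    hits = Counter()
    for line in log_text.splitlines():
        name = classify_line(line)
        if name is not None:
            hits[name] += 1
    return {
        "ticket_type": TICKET_TYPE,
        "signatures": hits,
        "open_ticket": sum(hits.values()) > 0,
        # Remediation the post describes: accept the T&C; the DEP token
        # does not need recreating.
        "action": "Accept the outstanding ABM/ASM/DEP Terms and Conditions; "
                  "do not recreate the DEP token.",
    }


if __name__ == "__main__":
    summary = ticket_summary(SAMPLE_LOG)
    print(summary["ticket_type"], dict(summary["signatures"]), summary["open_ticket"])
```

The point of keying the ticket on the condition (Terms and Conditions outstanding) rather than on the exact log text is that a later change in Apple’s response only requires adding a pattern to SIGNATURES, not a new alert and a new runbook.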
In Jamf, you’ll see an alert like the following within the affected Device Enrollment Program instance within Jamf Pro.
Accepting the Terms and Conditions will then clear the above error with Jamf Pro.
However, there have been reports that some other MDMs are reporting a similar error & are also requesting that the DEP token be recreated (which should not be needed).
Well, there is something here that needs to be amended.
Either Apple could change the current response back to “403 T_C_NOT_SIGNED”, or it might make a change to this message going forward.
And, if Apple does change the response to the expected “403 T_C_NOT_SIGNED” over the weekend, then Monday we’ll have tens of new alerts!
Not sure if that’s an incentive for any Apple folks reading this to revert to “403 T_C_NOT_SIGNED” & cause me some work or not.