While trying to use DEP as part of the Apple Business Manager, I created an enrollment profile (https://developer.apple.com/documentation/devicemanagement/define_a_profile) and assigned this newly created profile to my iPhone serial number (https://developer.apple.com/documentation/devicemanagement/assign_a_profile). Note that this serial number was assigned to my MDM server.
Then I reset the iPhone to get the initial Setup screens. After having configured the WiFi and a couple of other items, the management screen was displayed, as expected.
My MDM server is using a server certificate issued by a self-signed authority (this is a test, not a production operation). Unfortunately, I forgot to add the authority chain in the profile anchor_certs attribute. Therefore, the connection to the MDM server at the URL configured via configuration_web_url was impossible.
So I tried to update the previous profile, but did not find any Web service for that. So I created a second profile (with the required authority certificates), unlinked the device from the first profile and linked it to the second one. Unfortunately, the iPhone seems to keep the definition of the first profile, even after various operations (restart, reboot). The only operation that corrected this issue was restoring the iPhone while connected to a MacBook.
Is this a desired behavior? Is there any way to request the iPhone to query the enrollment profile again?
Once a device has downloaded its Device Enrollment Program profile, it keeps that until the device is erased, and this is the intended behavior.
In some circumstances holding the power button and choosing "Start Over" will erase the device. It depends on what has been set up so far. Start Over will wipe when:
- There’s an Apple ID signed in, or
- The device has set a passcode, or
- The device has transferred data
After the device has been wiped, go through activation again and the latest DEP profile will be downloaded and applied.
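
Since a downloaded profile stays on the device until it is erased, the profile is worth checking before it is assigned. The following Python lint is an added example, not part of the original thread and not Apple code; it covers the two keys named in the question and assumes `anchor_certs` entries are Base64-encoded DER certificates. The function name, the `private_ca` parameter and the sample URL are hypothetical.

```python
import base64
import ssl
from urllib.parse import urlparse


def lint_dep_profile(profile, private_ca):
    """Return a list of findings; an empty list means nothing was detected.

    private_ca (hypothetical parameter): True when the MDM server certificate
    is issued by an authority the device does not trust out of the box.
    """
    findings = []
    web_url = profile.get("configuration_web_url")
    if web_url and urlparse(web_url).scheme != "https":
        findings.append("configuration_web_url: not an https URL")

    anchors = profile.get("anchor_certs") or []
    if private_ca and not anchors:
        findings.append("anchor_certs: empty, but the server uses a private CA")

    for i, entry in enumerate(anchors):
        if "-----BEGIN" in entry:
            findings.append(f"anchor_certs[{i}]: PEM armor found, expected bare Base64 DER")
            continue
        try:
            # Tolerate line-wrapped Base64, reject anything else that is not Base64.
            der = base64.b64decode("".join(entry.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            findings.append(f"anchor_certs[{i}]: not valid Base64")
            continue
        try:
            # OpenSSL parses the DER; this fails if it is not an X.509 certificate.
            ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).load_verify_locations(cadata=der)
        except (ssl.SSLError, ValueError):
            findings.append(f"anchor_certs[{i}]: not a parseable X.509 certificate")
    return findings


# Constructed sample: the situation from the question (private CA, no anchors).
SAMPLE_PROFILE = {"configuration_web_url": "https://mdm.example.test/enroll"}

if __name__ == "__main__":
    for finding in lint_dep_profile(SAMPLE_PROFILE, private_ca=True):
        print(finding)
```

The check only confirms that each anchor parses as a certificate; it does not confirm that the server's certificate actually chains to it.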