DEP Forbidden Error

Description

On creating a DEP Association or from any other DEP synchronisation action, the following error may be observed: DEP error: Forbidden

The most likely causes are:

• Server SSL certificate change. Check Preferences > Mobile tab to ensure the server SSL certificate is not revoked or expired.
• A change to the external IP address of the FileWave Server. 

Apple store the external IP of the FileWave Server from the last successful contact.  If this differs at the time of a synchronisation , the action will fail and the DEP Server Token will need to be replaced.

The stored IP may be observed from the relevant DEP account:

• Apple Business Manager
• Apple School Manager

The Last Date and IP Connected may be seen from the Settings view; select the MDM Server and choose Edit.  

Requirements

• FileWave MDM DEP Certificate

Resolution

Forbidden error requires the token be replaced and not updated.

From FileWave Admin > Preferences > VPP & DEP:

1. Choose 'Download certificate' (requires fwadmin password) to save the certificate

From the relevant Apple DEP account Apple Business Manager or Apple School Manager:

1. Select 'Settings'
2. Highlight the MDM server from the list and choose Edit
3. Select 'Upload New...' and select the saved downloaded file from above
4. When prompted, select to download the DEP Server Token

From FileWave Admin  > Preferences > VPP & DEP:

1. Click 'Configure Accounts' (requires fwadmin password)
2. Select the Forbidden token and use the '-' button to remove that token
3. Select the '+' button to select the DEP Server Token downloaded from Apple
4. Run a DEP Synchronisation Full Sync (Hold down ALT(macOS), Option(Windows)), then select to synchronise (the name of the button will change)

At this stage synchronisation should now be successful.

If the DEP Server Token is currently configured in the Education tab of Preferences, this association will need to be removed prior to removing the DEP token, but may be re-added again afterwards.