We have begun using Twocanoes XCreds, replacing NoMAD Login AD. In the process, we are also attempting to discontinue implementing a common local administrator account with a known password. This type of setup was demonstrated in a session at JNUC this year (although their example used Jamf Pro and Jamf Connect, not Jamf Pro and XCreds... the principles should be the same, though).
However, despite repeated attempts, I cannot reliably get the bootstrap token to escrow automatically at first interactive login, as I'm led to understand is supposed to happen. I can manually log in as a user on the system, then open Terminal, su to the Jamf Pro-created admin account, and initiate a sudo profiles install -type bootstraptoken, and it escrows without incident.
I have to imagine it's SOME combination of settings that I don't have configured properly, but I don't know what.
I currently have:
- In "User-Initiated Enrollment:"
  - "Username" is set to <admin user name>
  - "Password" is set to <admin password>
  - "Create Management Account" is unchecked
- In "PreStage Enrollments:"
  - In "General"
    - Make MDM Profile Mandatory is checked
    - Allow MDM Profile Removal is unchecked
    - Prevent user from enabling Activation Lock is checked
  - In "Account Settings"
    - Create a local Administrator account before the Setup Assistant is checked
    - Username is set to <same admin user name as User-Initiated Enrollment settings>
    - Password is set to <same admin password as User-Initiated Enrollment settings>
    - Hide managed administrator account is checked
    - Make the local administrator account MDM-enabled is unchecked
    - Local user account type is set to Skip Account Creation
- In "General"
Is it something that I'm doing in the above that is causing my issues?
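
An added example, not part of the original post: a shell check that classifies the bootstrap token escrow state, so the result of the first interactive login can be verified before falling back to the manual `sudo profiles install -type bootstraptoken` step described above. It assumes the two-line output format of `profiles status -type bootstraptoken`; the sample outputs and the function name `bootstrap_state` are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify bootstrap token escrow state from the text printed by
# `profiles status -type bootstraptoken` (run as root on the Mac).
# Assumption: the status output contains the two lines
#   "Bootstrap Token supported on server: YES|NO"
#   "Bootstrap Token escrowed to server: YES|NO"

# bootstrap_state TEXT -> prints: escrowed, not-escrowed, unsupported or unknown
bootstrap_state() {
    supported=$(printf '%s\n' "$1" |
        sed -n 's/.*Bootstrap Token supported on server: *\([A-Za-z]*\).*/\1/p' |
        head -n 1)
    escrowed=$(printf '%s\n' "$1" |
        sed -n 's/.*Bootstrap Token escrowed to server: *\([A-Za-z]*\).*/\1/p' |
        head -n 1)
    case "$supported:$escrowed" in
        YES:YES) echo escrowed ;;
        YES:NO)  echo not-escrowed ;;
        NO:*)    echo unsupported ;;   # MDM server does not accept the token
        *)       echo unknown ;;       # error text or unexpected format
    esac
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_PENDING='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: NO'
SAMPLE_DONE='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: YES'

# On a Mac, classify the live state; elsewhere only the function is defined.
if command -v profiles >/dev/null 2>&1; then
    state=$(bootstrap_state "$(profiles status -type bootstraptoken 2>&1)")
    echo "bootstrap token state: $state"
    if [ "$state" = "not-escrowed" ]; then
        echo "escrow manually with: sudo profiles install -type bootstraptoken"
    fi
fi
```

A result of `unknown` usually means the command was not run with root privileges or printed an error instead of the status lines.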