@bpstuder this resolves it for us
Thanks so much for the post!
https://support.apple.com/guide/apple-configurator-2/revive-or-restore-a-mac-with-apple-silicon-apdd5f3c75ad/mac
@bpstuder's solution is the way to go until Apple gets this fixed.
It seems Apple does some iCloud verification on the account creation step and this is what fails - because there's still some local token or key or something left (even though the Mac isn't iCloud locked).
Absolutely outrageous that this is an issue. I'm having the same problem. Trying Larry's solution now.
I have been playing around with the M1 and found that, at least in my environment, I am able to re-image these off the recovery drive with no issues. But what I have found is we have been using logon in the DEP process to start. I have found that however you reimage one of these, it seems like the first account that logs on needs admin rights.
We have been running the DEP process and it finished up just fine. It has the user log off and back on and starts the encryption. Right now all looks good: the Mac works properly and is properly managed. All looks great.
And then a reboot. And the Mac starts complaining that there is no admin account for recovery to set the startup drive. Took me a while to realize that the account that the process makes at login to the jamf/enroll is created as a standard user. This causes an admin issue on reboot. What I have found is that restoring admin rights before rebooting sets the admin account up properly.
Just seems like Apple is making it harder on enterprises now.
Used the @bpstuder instructions and it did fix this issue for me. I did notice that it wanted me to activate the Mac before I could continue with the restore. It hadn't done that the last few times I tried to restore it.
Just got an M1 Air for testing and had 11.1 and DEP/ABM, sure enough got hit with this
I dropped down to Terminal (click on background, Command+Option+Control+T) and the user is created (as admin with Secure Token) and /var/db/.AppleSetupDone is set, so I just powered off and back on and was able to log in. While not ideal and has caveats*, it means a remote user that has one drop shipped doesn't need to do anything special besides turn off and on after attempting account creation.
*Caveats mainly are that things that Setup Assistant does after account creation are not done: Siri, Hey Siri, TouchID, Screen Time, Location Services, etc...
A more complete solution for this:
M1 Mac process for erasing: thanks to @bpstuder for the inspiration
- Shut down computer (You can just continue pressing the power button until the device powers off)
- (after waiting until the machine is indeed shut down) Hold the power button through startup chime then the "Continue holding for startup options..." When you see "Loading startup options..." you can now release the power button, it will coast on its own from there.
- Select Options (Gear icon)
- Hit the Continue button below
Recovery (assistant) will load:
(5a.) If this is your first time wiping the machine and/or no user has been created you will see Recovery in the menu bar and will need to do the following: (if the menubar item says Recovery Assistant skip to (5b.) below)
I. Click on the Utilities Item in the menu bar
II. Click the Terminal option in the drop down menu
III. When Terminal loads type: resetpassword
IV. Hit the return key
V. Select the password utility window
VI. (Now the menu bar item will have changed to Recovery Assistant) select Recovery Assistant
VII. Select Erase Mac
VIII. Select Erase Mac
IX. Select Erase Mac one last time (Wait for Reboot)
X. Select Language and Hit Arrow (bottom right) to continue
XI. At the Activate Mac screen Select the wi-fi icon in the upper right and enter your wi-fi credentials (ignore if hardwired)
XII. Once connected to a network successfully you will see the message "Your Mac is activated."
XIII. Hit the Exit to Recovery Utilities Arrow
XIV. Select Disk Utility and hit continue
XV. Secondary Click (right click) on the "Untitled" APFS Volume under the Internal section, and select Rename
XVI. Realize that "Yes, indeed you are not crazy!" Apple's own utility left you in the lurch for naming the drive back to "Macintosh HD" for no known reason. Now name this APFS Volume whatever you please with reckless abandon! But seriously, mac admin OCD dictates "Macintosh HD" (once renamed) hit the return key.
XVII. Exit Disk Utility via the red button in the upper left corner or using the menubar item Disk Utility >> Quit Disk Utility.
XVIII. Select Reinstall macOS Big Sur and hit continue
XIX. Use the onscreen instructions to complete your regular scheduled programming of macOS installer.
(5b.) If you have created a user and recovery assistant is asking to "Select a user you know the password for" you will see the menubar item Recovery Assistant and can do the following:
I. Select Recovery Assistant from the Menu bar (no need to type in password if we are wiping this Mac anyways)
II. Select Erase Mac
III. Select Erase Mac
IV. Select Erase Mac one last time (Wait for Reboot)
V. Select Language and Hit Arrow (bottom right) to continue
VI. At the Activate Mac screen Select the wi-fi icon in the upper right and enter your wi-fi credentials (ignore if hardwired)
VII. Once connected to a network successfully you will see the message "Your Mac is activated."
VIII. Hit the Exit to Recovery Utilities Arrow
IX. Select Disk Utility and hit continue
X. Secondary Click (right click) on the "Untitled" APFS Volume under the Internal section, and select Rename
XI. Realize that "Yes, indeed you are not crazy!" Apple's own utility left you in the lurch for naming the drive back to "Macintosh HD" for no known reason. Now name this APFS Volume whatever you please with reckless abandon! But seriously, mac admin OCD dictates "Macintosh HD" (once renamed) hit the return key.
XII. Exit Disk Utility via the red button in the upper left corner or using the menubar item Disk Utility >> Quit Disk Utility.
XIII. Select Reinstall macOS Big Sur and hit continue
XIV. Use the onscreen instructions to complete your regular scheduled programming of macOS installer.
Just in Case
(Possibly like me you got an Intel Mixed up for an M1 in the moment, and the Recovery screens looked the same to you and you accidentally chose the new Erase Mac Feature)
If you accidentally went through the above process on an Intel Mac after pressing "command + R", and are at the flashing folder, you can restore by:
- Pressing and holding the power button (wait for the device to shut down)
- Power the device on by pressing the power button
- Hold command option R to enter recovery of the latest macOS version (at time of this post Big Sur)
- Select Wi-Fi and enter credentials (skip if hardwired)
- Follow the on-screen instructions as per usual
Is anyone else still experiencing this issue? For all of our laptops it's a 50/50 chance after the Remote Management screen if it goes to the Account Creation screen or right to the login screen without prompting to set up a user.
In my previous support case with Jamf they pointed towards this post with no actual resolution. It's not fun to have to guide new remote employees through the erase and install process, especially if they aren't familiar with Macs.
It's been months now and still no update, adding hours onto our onboarding of new employees.
@qward
- Are these M1 machines or are they Intel based Macs? (I have posted above in this thread very specific instructions on how to properly wipe an M1. If the method is the "older way", the issue you are describing seems to happen to us as well, as it seems if you do not use Apple's "Erase Mac" feature, the encryption between the account setup window and the password on the user do not match, so basically whatever you type in seems to fail, if you even get that far in the process. We have experienced both being able to create the account without being able to log in after and the account creation just straight up failing.)
- Intel Macs, "older way": you can just boot to recovery as normal and delete the Macintosh HD Data Volume, and Erase the Macintosh HD volume, and fire away with installing the OS.
- Is the intention to get to the account setup screen? I only ask because most orgs wish to skip this part (if you are using Jamf Connect and you sign your packages and issue them at prestage, you can have the users land directly on the Jamf Connect login screen; after they log in from the Jamf Connect screen this will create the account and bypass Apple's Account setup screen altogether, by checking the skip account creation box in Prestage Enrollments >> Account Settings Screenshot Below)
- You will need an Apple Developer account to get a signing certificate. Once you get one you can set up Composer to use that certificate to sign packages created in Composer, by opening Composer, then going to Composer >> Preferences >> "check Sign With" and choose the signing cert from Apple Dev account.
- You will only need to sign Custom Desktop deployments like the Images and Icons you deploy for Jamf Connect Login along with any scripts you may be including, such as if you choose the Jamf Connect Notify.sh option. It is also important to set this as priority 1 as it will need to be installed before JamfConnect.pkg and JamfConnectLaunchAgent.pkg in order to have the apps recognize your custom settings.
- Jamf signs their apps already so JamfConnect.pkg does not need to be signed, nor does the JamfConnectLaunchAgent.pkg located in the Jamf Connect.dmg you download from the Jamf.com My Assets page, JamfConnectLaunchAgent is located in the resources folder.
- In order to kick off the Jamf Connect Notify.sh you also have to issue a config profile at prestage that looks something like the code below.
We set this up by creating a new Configuration profile >> Applications & Custom Settings >> Using com.jamf.connect.authchanger for the preference domain.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Arguments</key>
    <array>
        <string>-reset</string>
        <string>-JamfConnect</string>
        <string>-Notify</string>
    </array>
</dict>
</plist>
3. If you do not want to skip the account creation you do not have to do so, I say why not let Jamf Connect Login handle that part, it's a super smooth experience for the end user.
- Just in case you are not using Jamf connect however the "Erase Mac" should still resolve your issue for M1 devices.
Hope this helps!

Just an FYI....I'm having this issue on an Intel based MacBook Air where the Computer Account creation failed. Don't think it's just the M1 having this issue. I am stuck with Microsoft Intune as our MDM. I was restoring from the cloud and not having the issue and was tired of the hours of installing it took so I created a thumb drive with 11.3.1 I believe and started having the account creation issue after wiping the drive to nothing and installing the OS. I would reinstall the OS, go through enrollment, get to account creation and it would fail and jump back and ask to create another account. The first account is there and you can make a second account and it goes through. Can reboot and login with the first account and delete the second one then but that screws with some scripts and stuff from Intune not running on the first account for some reason. I re-did the thumb drive with 11.4 and still having the issue. Going to try going back to reinstalling from the cloud again and see what happens.
Just to say I’ve been tracking this issue with Apple care for a year or so, it’s definitely not limited to M1 devices.
@Geissbuhler Thanks for the response
This is exclusively happening on the M1 laptops. We don't use Jamf Connect at all. Our workflow is as follows and has been working until the M1s:
- Plug the laptop into ethernet/power
- Click through setup prompts, get to the remote management screen and continue
- Click next until it gets to the Account Setup page
- We enter in the employee's full name, username and temporary password ourselves
- Continue with the prompts until it's logged in as that user
What is happening about 80% of the time now with the M1s:
- Plug the laptop into ethernet/power
- Click through setup prompts, get to the remote management screen and continue
- It goes to the Data and Privacy screen, and then right to the login screen of the MacBook with a blank username and password field
- At this point we can log in with the management account we push to the computer through one of our policies
I would like to also point out this is for brand new laptops right out of the box from Apple.
@qward
This was also happening to me, I had to create a new Prestage, and for whatever reason that resolved it for me. Not sure if that will do it for you, but it for sure worked for me. I can now use both Intel and M1 Macs in that prestage. I honestly just thought I set the original Prestage up incorrectly or that it was somehow corrupted, and did not associate these two things, might be worth a shot. However like @Cayde-6 it was not just M1 devices having this issue in my env.
I'm stuck with Intune and seeing it with using just Intune. Doing the erase feature from resetpassword seems to fix the issue. I have also been disabling FileVault before doing the erase and install fresh OS.
@Geissbuhler
It finally happened on an Intel machine for us and completely bypassed the Account setup screen. We did create a new prestage and tried using that. It did seem to work but then unfortunately the inconsistency came back where it still isn't prompting for account setup a majority of the time.
I have a ticket with Jamf and was told:
"One thing we could try is to just have the Account Settings payload configured.
It will require that another admin account is created during enrollment, but the "Local User Account Type" is the important part.
Select to either have the local user created as an Administrator or Standard account and this normally forces the Account Creation screen."
Not really looking into adding another account this way but curious if anyone else has tried this.
@qward we've had this issue on Big Sur machines for a while now. We've been working with support.
It's pretty intermittent, but affects about 50% of enrolling machines.
We've adjusted the prestage enrollment, removed the account settings, added back in, removed profiles, adjusted Jamf settings, stopped check-ins, removed all on-enrollment policies. Sometimes something we do helps some computers, but then others still are affected and it skips account setup.
It's suggested right now there might have been an undocumented Big Sur change. See if you can ask about the ticket under my name, as the support team have been working with us about a month or two trying various things, so might be able to throw some knowledge your way.
I have managed multiple environments and something I ran into was that if the battery is below 25% (I know that sounds insane) it was causing us issues as well. I only noticed it when we pulled some Macs that have been sitting a bit on a shelf. This was on Intel machines, both Catalina and Big Sur.
Catalina machines would fail 99% of the time with the "Error Retrieving Activation Record" but the Big Sur machines would bomb out during account creation, seemingly getting further than the Catalina machines. Just throwing that one out there as well in case it helps anyone.
Charged them up and they were all good. Had to wipe them of course.
Does anyone have a reliable fix for this?
We are seeing the same - about 50/50 (sometimes less successful) Pre Stage enrollments - failing on the 'Creating Computer Account' bit. We need to use this screen as part of DEP because we have a user-targeted MDM profile (IKEv2 VPN) and so the account must be a 'managed account' (e.g. through DEP).
Disclaimer: The thoughts below are from someone who only partially understands what he (me) is talking about. You have been warned. No warranties implied. When in doubt, call Apple.
Hi. Let me tell you we just went through this with Apple. After a bit of head scratching we got to a solution. Here is what we did (in the end). The following thoughts are my after-thoughts from three support cases with Apple in the last two weeks about the M1 Macs and recovery of the OS.
To address your specific question (i.e. my three hours with apple yesterday) consider the following:
- In ASM, unassociate the device serial number from JAMF.
- Reboot to recovery mode, erase, reinstall the OS*
- Set up Mac as a local, non-MDM-managed Mac to confirm local accounts work again.
- In ASM, re-associate the device with JAMF.
- Reboot to recovery mode, erase and reinstall the OS.
A few notes about erasing these Apple Silicon M1 Macs
1. If you get to the very first recovery screen and it is NOT the list of four programs to run (disk utility, reinstall OS, etc) you should check the menu at the very, very top of the screen and look for ERASE MAC. Run through that process. It does some magic that simply deleting the volumes does not appear to do.
2. When in Disk Utility be sure to blow away all volumes, including both Macintosh HD and Macintosh HD Data. If you miss the Data drive you will end up with another set of problems to resolve.
3. There is a terminal command 'reset password' that you may wish to run that will reset some more things.
Basically, if you try really really hard you can get the Mac to be back to a factory default state and reinstall the OS. By itself, this does not resolve your issue with the local accounts, though. Those require the steps we took with ASM as listed above.
PS: I cannot make the online webUI WYSIWYG editor do correct number of my bullet points. Sorry about that.
Since we are using JAMF, my solution was to configure the DEP profile to automatically create a local admin account and skip local admin account creation during setup.
It fixed the errors for me and made the process quicker, since I do not need to create a local admin account anymore.