Skip to main content

Hi everyone, 

Pulling my hair out in regards to implementing Jamf Connect in a PreStage Enrollment. 

The SSO mechanism is using Azure. 

If we don't implement any PreStage Enrollment, the DEP MacOS device will prompt for our Azure credentials and then prompt for a Local Account to be created.  Once logged in, we can then push all the Jamf Connect profiles and policies to the device, reboot and Jamf Connect works like a dream. This is the same for User Enrolled devices using the web enrolment URL. 

The issue comes when I try to get it built closer to a Zero touch solution by adding in the PreStage enrollment. 
It goes through the Azure Authentication prompt, installs all the profiles (can't see if it is installing the Jamf Connect package, but I'm guessing it is because it is in the PreStage).

Then I get a prompt, "Hello (User).  Please re-enter my password". 

I can see that this is pulling the correct User from Azure because I've changed the claims to verify this and I get a different value for the User in this prompt which matches a different attribute in Azure. 

After I enter my password in again, I get a message, "An error occurred.  Contact your IT administrator".  
It isn't the most helpful message that I've seen!!

I've I reboot the machine in recovery mode and run the terminal command 'resetpassword', I can see no accounts created.  Neither the this local user is created (Makes sense though because it can't finish it) or the Local Admin account set in the PreStage. 


I've tried applying the same Jamf Connect profiles and packages as I would be applying if this was a user based enrolment or DEP enrolment without the PreStage.  
I've also tried creating replacement profiles and package just for the PreStage enrolled devices.  It gives me the same response every time.  

Clearly I've missed something.  Has anyone else seen something similar or have any ideas of how I can see what is wrong (Can't log into the machine to see any failures). 
The MacOS devices is a M1.  I'm not able to test with anything else because this is our only DEP purchased MacOS device.  Business isn't going to pay for more, unless this process gets bottomed out.

I just can't understand why it works so smoothly when not using PreStage, when the same configurations are being pushed.

 Here are some of the plist files used for com.jamf.connect.login.plist
<plist version="1.0">
<dict>
<key>AllowNetworkSelection</key>
<true/>
<key>CreateJamfConnectPassword</key>
<true/>
<key>DenyLocal</key>
<false/>
<key>LocalFallback</key>
<true/>
<key>EnableFDE</key>
<true/>
<key>LicenseFile</key>
<data>
************************
</data>
<key>OIDCClientID</key>
<string>********-****-****-****-************</string>
<key>OIDCNewPassword</key>
<false/>
<key>OIDCProvider</key>
<string>Azure</string>
<key>OIDCROPGID</key>
<string>********-****-****-****-************</string>
<key>OIDCAdmin</key>
<key>Admin</key>
<key>OIDCAdminAttribute</key>
<string>roles</string>
</dict>
</plist>

Or

<plist version="1.0">
<dict>
<key>AllowNetworkSelection</key>
<true/>
<key>CreateAdminUser</key>
<true/>
<key>OIDCNewPassword</key>
<false/>
<key>CreateJamfConnectPassword</key>
<true/>
<key>EnableFDE</key>
<true/>
<key>EnableFDERecoveryKey</key>
<true/>
<key>OIDCAdmin</key>
<string>Admin</string>
<key>OIDCAdminAttribute</key>
<string>roles</string>
<key>OIDCClientID</key>
<string>********-****-****-****-************</string>
<key>OIDCProvider</key>
<string>Azure</string>
<key>OIDCROPGID</key>
<string>********-****-****-****-************</string>
<key>OIDCRedirectURI</key>
<string>https://127.0.0.1/jamfconnect</string>
<key>OIDCTenant</key>
<string>********-****-****-****-************</string>
</dict>
</plist>

Remove the Jamf Connect package from your prestage. Then enroll the machine via ADE and verify that all of your configuration profiles are on the machine. 

Remove the Jamf Connect package from your prestage. Then enroll the machine via ADE and verify that all of your configuration profiles are on the machine. 


Thanks you for this, it is interesting, both of the profiles are missing, so they must be getting removed after PreStaging.  

Not sure why it would be removed, because it is using a smart group based on the enrollment method, so this should be populated during the enrolment.

I'm guessing my only choice is going to be rolling this out to all computers.  Seems like a sledge hammer approach when we have devices that use different enrolment methods. 

You can add profiles to the PreStage to ensure they are installed immediately upon enrollment. Then make sure those profiles are scoped correctly to stay in place after enrollment completes.

You can add profiles to the PreStage to ensure they are installed immediately upon enrollment. Then make sure those profiles are scoped correctly to stay in place after enrollment completes.


@Smadakram0 , @emily  is correct make sure that your configuration profiles for Jamf Connect are checked for immediate installation. 

@Smadakram0 , @emily  is correct make sure that your configuration profiles for Jamf Connect are checked for immediate installation. 


Thanks @bwoods/.  The first message reminded me that I created a different enrolment profile, so I didn't make any changes to the one the 3rd party made.  This is why the profile was being deleted after the profile was added via PreStage.  

When I had fixed the original issue, where the Enrollment Customization didn't have the, "Enable Jamf Pro to pass user information to Jamf Connect" enabled.  I missed the smart group.

Once I added that into the smart group, the final piece came together and it is now working.

It also means I don't need to assign it to all computers. 

Thank you @bwoods and @emily 

Hello @Smadakram0 @bwoods @emily I have the same issue, after starting the Prestage enrollment Azure Login will happen, and after that, it will pick up the correct user name but when the user puts in the same password it will not take.  "Enable Jamf Pro to pass user information to Jamf Connect" enabled - where I can find this? Please help. The configuration profiles are selected in prestage enrollment.

@Smadakram0 I have checked that. in our SSO "Enable Jamf Pro to pass user information to Jamf Connect" enabled" - it is enabled. But still suddenly create account part is not accepting the user password. But I can see that this is pulling the correct User from Azure.  Please help.

Honestly, I wouldn't advise letting Jamf Connect create the account. You should let SSO pass that info to setup assistant. You lose things like volume ownership, secure tokens, and the ability to use user profiles with this method.

MDM-capable, MDM-enabled, or MDM managed users - w... - Jamf Nation Community - 272243

Terms & ConditionsCookie settings