Mac devices not respecting prestage enrollment

I've been told by JAMF that in order to use the Account Settings payload you also need to have the Directory payload configured. While it is not called out anywhere if you only configure the Account Settings the entire prestage will fail.

Are you installing anything on your image? If it's a completely blank OS this shouldn't happen. We see this as well with some applications that we have installing on boot drive after imaging.

@BostonMac At the moment, we do not have the Directory payload configured and we have days where laptops will respect the Account Settings payload and days where the laptop(s) will prompt to create the local user account.

@rhoward During our reimaging process, we install a blank OS. All the other applications are installed via policy after enrollment completes.

@ctopacia01 I am also having this issue. I received it after updating to 9.100 yesterday. Last week, on 9.98, it respected "the Prestage enrollment settings (specifically the "skip account creation" setting)" and created the hidden admin account as set in Prestage. We would like to return to that workflow.

Do anyone know if that is possible?

We would also like to wait on OD directory binding till after software installations and data restores are complete. We are setting up 350 New 2017 iMacs and would like to use Prestage Authentication and skip account creation since we use Configuration Profile to create local mobile accounts.

@BostonMac did Jamf mention to you if adding but not configuring the Directory payload would fix the issue? What's the implication of leaving out the Account Creation payload? If a policy happens on check-in to create a local admin as needed does this payload need to be set at all, or will not having the account set at all keep it from running policies or other standard management of the Mac?

I have added a configured Directory payload to my testing and it did not work. The iMac during Prestage Enrollment creates the Authenticated user as a local admin account and the payload also creates an Admin account.

Hi All,

I am seeing this issue as well since upgrading JSS to 9.100.0.
No combination I have tried seems to get around the problem.
I was even told by JAMF support to unhide the Management Account set in User-Initiated Enrollment.

Did anyone ever get any resolution to this? Now that High Sierra is coming along and DEP is being forced upon us, I'm starting to work on my implementation and am running into this. Was going to put in a ticket with JAMF, but ran across this.

--

Yeah we're on 9.101 currently. We're hoping a combo of updating to 10.2, making sure redirects to Akamai are allowed on our firewall rules (we'll see who on the network security team I need to bake cupcakes for to make that happen), and the release of 10.13.4 will all fix this for us. 🤞🏻

Habanero Cupcakes if they say no.

I have a similar issue with 10.1.0 that I will post about shortly.

Also seeing "Skip Account Creation" not being respected on Jamf Pro 10.2.1 + macOS 10.13.3.

@analog_kid We are also on 10.2.1. With 10.13.3 we see that account creation is only skipped if "Require Authentication" is deselected :-(

I saw the same thing when we were on 9.100.0 and we recently upgraded to 10.3.1 hoping it would fix the issue. However, I think that it is now worse. Now instead of not skipping account creation when the setting is checked it just hangs at "Contacting remote management server" at the Remote Management step of the Setup Assistant. Has anybody else seen this behavior with 10.3.1?