
I just found out that Pre-stage Enrollment Customization Panes do not work at all with Return to Service. How are people getting authenticated users with SSO (Cloud IDP with Entra is already set up with the connector, as is Jamf Account), which translates to SSO on the device itself, also working with automatically assigned Prestage Enrollment and Return to Service? Are there good resources for best practices? I've found the documentation is lacking and Jamf 100 classes are basic.

Support has mentioned Jamf Setup but that looks like it requires Shared iPads and I’d like to avoid those and we’re 1:1 with thousands of devices already.  I see mention of Microsoft Authenticator with the SSO App Extension - I have this set up in Jamf School in our current implementation already but I don’t see how this works in Jamf Pro without the Azure webclip login if I can’t use a Customization Pane with Return to Service - the latter being one of the primary reasons for the move.  Thanks!

RtS was developed for shared devices. If you have 1:1, what’s the necessity for RtS?  RtS was developed so that a user could quickly use a device after a different user was done with the device. 
 

RtS’ documentation does describe that it doesn’t work with enrollment customizations.  So I’m just curious the need to use RtS. 


Thanks for the reply.  While we are 1:1, our population moves a lot (inner city K-12).  The idea is not having to wait 15 minutes for all the applications to redownload/reinstall every time an iPad is wiped - which is currently how it is. 

They also want to integrate that into the inventory system (via API or plugin, this is far out and not researched yet) so that on-site people can use it with wipe, which we currently have set up with Jamf School (not RtS, there is no Jamf School API for that and is one of the primary reasons I’ve been told to do this).

Jamf School has the Azure webclip which is tied to an Entra app registration, so currently users log in to that and it assigns them as device owner based on that login, and I have Authenticator with the SSO extension set up. I have shifting device smart groups with different restrictions so that mostly no one can do anything until they log in.

In Jamf Pro, is there an equivalent without authenticated enrollment?


There is something that may fit your workflow. Basically install Authenticator (and the configured SSOe) and have them log into a single MS app, which will cache their creds in Authenticator for SSO into the configured apps for SSOe. That’s somewhat how we have our guest iPads configured and it works well.


But how do you assign device owners in a way that will also potentially make their Entra group memberships usable for scoping?  At least in Jamf School, Authenticator/SSO extension doesn’t interact with the device that way.


Yeah, so the only way to do that currently is by leveraging Jamf Setup. I’m wondering if there’s a way to use Routines to accomplish this... hmmmmm.