+4We are using PreStage Enrollment and want to skip setup and have the first login to be Autologin with the created user during PreStage Enrollment so the rest of the Jamf policies can finish before the first Network user logs in.
Has anyone done this before and can help with what has worked and how to do it. any help would be appreciated.
Best answer by mrheathjones
I currently have an enrollment workflow similar to what you are describing. This works well for us on macOS 12.5 (even tested with macOS 13). See below.
I have a policy that installs the "Deploy_Autologin.pkg" package as an Enrollment complete trigger. My Enrollment policies are prepended with numbers 01-xxx to ensure they are executed in the order I want/need. The final policy with the enrollment complete trigger is a "Reboot" policy. After reboot, our auto login account is then auto-logged in and the configuration phase begins, one of the policies deletes the kcpassword file and deletes the autoLoginUser key from the com.apple.loginwindow plist which disables auto-login. During the configuration, right before the final reboot policy, I create a dummy file that an extension attribute is looking for. if the dummy file exists (EA = TRUE) the device is added to a Smart Group that is scoped to delete the enrollment account at at all of the necessary triggers. Long story short, yes I've done this and yes this works (for me at least). Hopefully this helps.
+8why do the polcies need to run with autologin account? cant you create a policy set to run on "enrolment complete" which runs a script with "jamf policy -trigger" comaands running the rest of the policies (set custom triggers on them)
+4I do have the policies run on "enrollment complete". I am trying to see how I can have the first login be an autologin. The client is in PreStageEnrollment Scope.It recovers the macOS and starts the RemoteManagement process. The user answers a few questions and we are at the login screen. I want this first login to be autologin with creds we created in the PreStageEnrollment. Once loggedinDepNotify takes off and informs the user of the process happening in the background, Then once the Jamf policies finish installing DepNotify completes. Then the user can restart and login with their network creds.
Any suggestions in this process? Best practices or flow you can suggest?
+8Ive not used it myself but i know some users were using a "kcpassword" script like this: https://github.com/xfreebird/kcpassword
or https://www.brunerd.com/blog/2021/08/24/automating-automatic-login-for-macos/
Not sure if it works on the latest OS, but any info sec team would prob frown upon use of something like that, i would suggest reading up on "kcpassword" script.
***The above is not a recomendation***
+4Ive not used it myself but i know some users were using a "kcpassword" script like this: https://github.com/xfreebird/kcpassword
or https://www.brunerd.com/blog/2021/08/24/automating-automatic-login-for-macos/
Not sure if it works on the latest OS, but any info sec team would prob frown upon use of something like that, i would suggest reading up on "kcpassword" script.
***The above is not a recomendation***
Thanks I did some reading before posting here and I believe kcpassword is using a python 3 script with will not work after 12.3. I will check it out again to confirm. Thank you for responding.
+8The first link uses phython3, i think the guy in the second link re-wrote it to work in bash to get around the problem (not sure if that helps you).
+10I currently have an enrollment workflow similar to what you are describing. This works well for us on macOS 12.5 (even tested with macOS 13). See below.
I have a policy that installs the "Deploy_Autologin.pkg" package as an Enrollment complete trigger. My Enrollment policies are prepended with numbers 01-xxx to ensure they are executed in the order I want/need. The final policy with the enrollment complete trigger is a "Reboot" policy. After reboot, our auto login account is then auto-logged in and the configuration phase begins, one of the policies deletes the kcpassword file and deletes the autoLoginUser key from the com.apple.loginwindow plist which disables auto-login. During the configuration, right before the final reboot policy, I create a dummy file that an extension attribute is looking for. if the dummy file exists (EA = TRUE) the device is added to a Smart Group that is scoped to delete the enrollment account at at all of the necessary triggers. Long story short, yes I've done this and yes this works (for me at least). Hopefully this helps.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.