Jamf Connect (2.13) not creating local account from SSO pane of Enrollment Customization

mdcooledge
New Contributor III

Background: I am trying to setup an almost zero touch enrollment workflow for our environment. Using the typical Apple Business Manager/Automated Device Enrollment, PreStage Enrollment, and Jamf Connect method.


Issue: After the remote management triggers, we progress through the SSO of Enrollment Customization, then the configuration profiles are installed, and I progress through the macOS setup screens, the next thing is the local login screen of Jamf Connect. The SSO/AD account is not created. I am able to login to the device using the pre-configured Admin account we setup during the Pre-Stage settings, but nothing else.

I have checked the Users & Groups for what accounts are created and only the admin profile is shown. I have a feeling that our Enrollment Customization SSO pane settings for Identity Provider Attribute Mappings might be incorrect, but I am not sure what they should be. (Attached below is a screenshot of the current settings). I also have the PreStage Enrollment Account Settings > Local User Account Type > Skip Account Creation: Checked (As instructed by Jamf Connect Documentation) and Pre-fill primary account information: Unchecked. Am I missing a setting in one of the Jamf Connect configuration profiles?


Goal: To have an account created during enrollment using the SSO of the user with the format of Full Name: company email address, Account Name: first.last


Info: macOS 12.5 (Intel), Jamf Connect 2.13, Azure SSO and IdP.

Thank you for any help. Please let me know if anymore information is needed to troubleshoot. A ticket to Jamf Support has been opened as well, just has been slow as of late. 



Hugonaut
Valued Contributor II

@mdcooledge 

If this is indeed the exact configuration you're using, the Account name is incorrect: "userPrinicpleName" is misspelled. Change it to "userPrincipleName".


mdcooledge
New Contributor III

Fixed the spelling and tested with no luck. Updated the post to reflect correct spelling. Thanks for pointing that out.

DaneAbernathy
New Contributor III

I have also been struggling with this, and it turns out there is a known PI for this specific issue: PI109772.

Here is a temp fix config profile to push during enrollment. Jamf Support made sure to tell me to make sure this gets removed after the user is created; they suggested a smart group based on "Enrollment Complete" more than 1 day ago. Your variables may need to be different based on how your userPrincipalName is set in AAD; ours is our email.


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>EnrollmentRealName</key>
<string>$REALNAME</string>
<key>EnrollmentUserName</key>
<string>$USERNAME</string>
</dict>
</plist>


@DaneAbernathy Thanks a bunch for this. It has gotten me on the right track. It does in fact create the local account using the SSO. However, I am having trouble dialing in the correct <string> for the EnrollmentRealName. Are you using LDAP? If you are using Azure AD as a Cloud IdP, did you have to use any schemas?

We are using Azure AD.

The Azure AD attributes must be set up as claims in your Jamf Pro app in Azure. In Azure, the attribute for full name is displayName. So you'll want to set up that claim.

dpwlg
New Contributor III

I have the same issue. Did you get a fix for the following?

DaneAbernathy
New Contributor III

Not a full fix, but a temp fix. See my reply above for a temp fix. This issue is part of a larger known issue that hasn’t been fixed yet. 

dpwlg
New Contributor III

Am I creating a Configuration Profile > Application & Custom Setting?

What is the preference domain?
Screenshot if possible?

DaneAbernathy
New Contributor III

Yes, a config profile for External Application to be pushed during PreStage enrollment.

The domain is com.jamf.connect.login
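As an added example (not code from this thread, from Jamf, or from any poster), the Python below assembles the posted EnrollmentRealName/EnrollmentUserName dict into a complete .mobileconfig the way an Application & Custom Settings payload wraps it, and checks a profile for the two keys and the Jamf Pro variables before it is scoped to the PreStage. It assumes the custom-settings payload's PayloadType is the preference domain com.jamf.connect.login; the profile identifier is a constructed placeholder.

```python
import plistlib
import uuid

DOMAIN = "com.jamf.connect.login"
# Jamf Pro variables substituted at enrollment (values from the thread); change
# them if your userPrincipalName is not the user's e-mail address.
ENROLLMENT_KEYS = {"EnrollmentRealName": "$REALNAME", "EnrollmentUserName": "$USERNAME"}
PROFILE_ID = "com.example.temp-jamf-connect-enrollment"  # constructed placeholder


def build_profile(settings: dict = ENROLLMENT_KEYS) -> bytes:
    """Return a .mobileconfig (XML plist) whose custom-settings payload carries
    the enrollment keys for the com.jamf.connect.login preference domain."""
    payload = {
        "PayloadType": DOMAIN,  # assumption: custom-settings PayloadType == domain
        "PayloadIdentifier": f"{PROFILE_ID}.{DOMAIN}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Jamf Connect temporary enrollment settings",
        **settings,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadScope": "System",
        "PayloadIdentifier": PROFILE_ID,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Jamf Connect enrollment workaround (PI109772)",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def check_profile(data: bytes) -> list:
    """Return a list of problems: no com.jamf.connect.login payload, a missing
    enrollment key, or a literal value where a Jamf Pro variable is expected
    (a literal EnrollmentUserName would give every enrolled Mac the same account)."""
    problems = []
    profile = plistlib.loads(data)
    payloads = [p for p in profile.get("PayloadContent", []) if p.get("PayloadType") == DOMAIN]
    if not payloads:
        return [f"no payload with PayloadType {DOMAIN}"]
    for key in ENROLLMENT_KEYS:
        value = payloads[0].get(key)
        if value is None:
            problems.append(f"{key} missing")
        elif not value.startswith("$"):
            problems.append(f"{key} is literal {value!r}, expected a Jamf Pro variable")
    return problems
```

Write `build_profile()` to a `.mobileconfig` file to upload it, and remember the thread's point that this profile is temporary and should be unscoped once the local account exists.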