08-09-2022 01:32 PM - edited 08-10-2022 06:22 AM
Background: I am trying to set up an almost zero-touch enrollment workflow for our environment, using the typical Apple Business Manager/Automated Device Enrollment, PreStage Enrollment, and Jamf Connect method.
Issue: After the remote management triggers, we progress through the SSO of Enrollment Customization, then the configuration profiles are installed, and I progress through the macOS setup screens, the next thing is the local login screen of Jamf Connect. The SSO/AD account is not created. I am able to login to the device using the pre-configured Admin account we setup during the Pre-Stage settings, but nothing else.
I have checked the Users & Groups for what accounts are created and only the admin profile is shown. I have a feeling that our Enrollment Customization SSO pane settings for Identity Provider Attribute Mappings might be incorrect, but I am not sure what they should be. (Attached below is a screenshot of the current settings). I also have the PreStage Enrollment Account Settings > Local User Account Type > Skip Account Creation: Checked (As instructed by Jamf Connect Documentation) and Pre-fill primary account information: Unchecked. Am I missing a setting in one of the Jamf Connect configuration profiles?
Goal: To have an account created during enrollment using the SSO of the user with the format of Full Name: company email address, Account Name: first.last
Info: macOS 12.5 (Intel), Jamf Connect 2.13, Azure SSO and IdP.
Thank you for any help. Please let me know if any more information is needed to troubleshoot. A ticket to Jamf Support has been opened as well; it just has been slow as of late.
Posted on 08-09-2022 06:34 PM
If this is indeed the exact configuration you're using, the Account name is incorrect: "userPrinicpleName" is misspelled. Change it to "userPrincipalName".
Posted on 08-10-2022 06:23 AM
Fixed the spelling and tested with no luck. Updated the post to reflect correct spelling. Thanks for pointing that out.
Posted on 08-10-2022 11:45 AM
I have also been struggling with this, and it turns out there is a known PI for this specific issue: PI109772.
Here is a temp-fix config profile to push during enrollment. Jamf Support made sure to tell me that this gets removed after the user is created; they suggested a smart group based on "Enrollment Complete" more than 1 day ago. Your variables may need to be different based on how your userPrincipalName is set in AAD; ours is our email.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>EnrollmentRealName</key>
    <string>$REALNAME</string>
    <key>EnrollmentUserName</key>
    <string>$USERNAME</string>
</dict>
</plist>
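The two things that went wrong in this thread are a misspelled IdP attribute name in the mapping and a hand-typed profile payload. The following is an added example (not code from the thread or from Jamf) that generates the temporary payload with plistlib and checks a candidate payload and an attribute mapping before they are pushed; the Azure claim names come from the thread, while the $FULLNAME and $EMAIL payload variables are assumed from Jamf Pro's documented variable set.

```python
import difflib
import plistlib
from xml.parsers.expat import ExpatError

# Azure AD claim names used in the thread for Account name / Full name.
AZURE_CLAIMS = {"userPrincipalName", "displayName"}
# Jamf Pro payload variables substituted at install time. $REALNAME and
# $USERNAME come from the thread; $FULLNAME and $EMAIL are assumed here.
PAYLOAD_VARIABLES = {"$USERNAME", "$REALNAME", "$FULLNAME", "$EMAIL"}
REQUIRED_KEYS = {"EnrollmentRealName", "EnrollmentUserName"}


def build_temp_fix_profile() -> bytes:
    """Emit the temporary payload from the thread as plist XML bytes."""
    return plistlib.dumps(
        {"EnrollmentRealName": "$REALNAME", "EnrollmentUserName": "$USERNAME"},
        fmt=plistlib.FMT_XML,
    )


def validate_temp_fix_profile(data: bytes) -> list:
    """Return problems found in a candidate payload; an empty list means OK."""
    try:
        payload = plistlib.loads(data)
    except (plistlib.InvalidFileException, ExpatError) as exc:
        return [f"not a valid plist: {exc}"]
    if not isinstance(payload, dict):
        return ["top-level object must be a dict"]
    problems = [f"missing key {k}" for k in sorted(REQUIRED_KEYS - payload.keys())]
    for key, value in payload.items():
        # A "$..." value is meant to be a payload variable; an unknown one is
        # installed literally and the account gets a bogus name.
        if isinstance(value, str) and value.startswith("$") and value not in PAYLOAD_VARIABLES:
            problems.append(f"{key}: unknown payload variable {value}")
    return problems


def check_attribute_mapping(mapping: dict) -> list:
    """Flag mapping values that are not known Azure AD claims and suggest the
    closest real one, so a typo like userPrinicpleName is caught before
    enrollment instead of showing up as an account that is never created."""
    problems = []
    for field, claim in mapping.items():
        if claim in AZURE_CLAIMS:
            continue
        hint = difflib.get_close_matches(claim, AZURE_CLAIMS, n=1, cutoff=0.6)
        suffix = f" (did you mean {hint[0]}?)" if hint else ""
        problems.append(f"{field}: unknown claim {claim}{suffix}")
    return problems
```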
Posted on 08-12-2022 05:16 AM
@DaneAbernathy Thanks a bunch for this. It has gotten me on the right track. It does in fact create the local account using the SSO. However, I am having trouble dialing in the correct <string> for the EnrollmentRealName. Are you using LDAP? If you are using Azure AD as a Cloud IdP, did you have to use any schemas?
Posted on 08-16-2022 03:10 PM
We are using Azure AD.
The Azure AD attributes must be setup as claims in your Jamf Pro app in Azure. In Azure, the attribute for full name is displayName. So you’ll want to set up that claim.
Posted on 08-16-2022 02:57 PM
I have the same issue. Did you get a fix for the following?
Posted on 08-16-2022 03:04 PM
Not a full fix, but a temp fix. See my reply above for a temp fix. This issue is part of a larger known issue that hasn’t been fixed yet.
Posted on 08-16-2022 03:14 PM
Am I creating a Configuration Profile > Application & Custom Setting?
What is the preference domain?
Screenshot if possible?
Posted on 08-16-2022 03:21 PM
Yes, a config profile for External Application to be pushed during PreStage enrollment.
the domain is