Background: I am trying to set up an almost zero touch enrollment workflow for our environment. Using the typical Apple Business Manager/Automated Device Enrollment, PreStage Enrollment, and Jamf Connect method.
Issue: After the remote management triggers, we progress through the SSO of Enrollment Customization, then the configuration profiles are installed, and I progress through the macOS setup screens; the next thing is the local login screen of Jamf Connect. The SSO/AD account is not created. I am able to log in to the device using the pre-configured Admin account we set up during the Pre-Stage settings, but nothing else.
I have checked the Users & Groups for what accounts are created and only the admin profile is shown. I have a feeling that our Enrollment Customization SSO pane settings for Identity Provider Attribute Mappings might be incorrect, but I am not sure what they should be. (Attached below is a screenshot of the current settings). I also have the PreStage Enrollment Account Settings > Local User Account Type > Skip Account Creation: Checked (As instructed by Jamf Connect Documentation) and Pre-fill primary account information: Unchecked. Am I missing a setting in one of the Jamf Connect configuration profiles?
Goal: To have an account created during enrollment using the SSO of the user with the format of Full Name: company email address, Account Name: first.last
Info: macOS 12.5 (Intel), Jamf Connect 2.13, Azure SSO and IdP.
Thank you for any help. Please let me know if any more information is needed to troubleshoot. A ticket to Jamf Support has been opened as well, it just has been slow as of late.
If this is indeed the exact configuration you're using, the Account name is incorrect: "userPrinicpleName" is misspelled. Change it to "userPrincipleName".
I have also been struggling with this and turns out there is a known PI for this specific issue - PI109772.
Here is a temp fix config profile to push during enrollment. Jamf Support made sure to tell me to make sure this gets removed after the user is created; they suggested a smart group based on "Enrollment Complete" more than 1 day ago. Your variables may need to be different based on how your userPrincipalName is set in AAD; ours is our email.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- $REALNAME and $USERNAME are Jamf Pro payload variables, substituted from the user record assigned to the computer at enrollment -->
    <key>EnrollmentRealName</key>
    <string>$REALNAME</string>
    <key>EnrollmentUserName</key>
    <string>$USERNAME</string>
</dict>
</plist>
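A more direct scoping criterion than "Enrollment Complete more than 1 day ago" is to check whether the SSO-created local account actually exists yet. The following Jamf Pro extension attribute script is an added example, not from this thread or from Jamf; it assumes the PreStage admin account is named "jamfadmin" (placeholder) and that the live data comes from `dscl . -list /Users UniqueID`.

```sh
#!/bin/sh
# Added example (not part of the original thread): extension attribute that
# reports how many non-admin local users exist, so a smart group can remove the
# temporary EnrollmentRealName/EnrollmentUserName profile once the SSO account
# has been created rather than on a fixed timer.
# Assumption: the PreStage admin account is "jamfadmin" (placeholder); any other
# locally provisioned admin (e.g. a management account) should be added here.
PRESTAGE_ADMIN="${PRESTAGE_ADMIN:-jamfadmin}"

# Reads lines of "name uid" (the format of `dscl . -list /Users UniqueID`) on
# stdin and prints the count of accounts with UID >= 501 that are not the
# PreStage admin. System and setup accounts (_mbsetupuser, root, ...) have
# UIDs below 501 and are skipped.
count_sso_users() {
    while read -r name uid; do
        [ -z "$name" ] && continue
        [ "$uid" -ge 501 ] 2>/dev/null || continue
        [ "$name" = "$PRESTAGE_ADMIN" ] && continue
        echo "$name"
    done | wc -l | tr -d ' '
}

# Extension attribute output. On a Mac this reads the live user list; where
# dscl is unavailable (e.g. testing off-device) it reports 0.
main() {
    if command -v dscl >/dev/null 2>&1; then
        n=$(dscl . -list /Users UniqueID | count_sso_users)
    else
        n=0
    fi
    echo "<result>$n</result>"
}

main
```

Scope the temporary profile to a smart group whose criterion is this extension attribute equal to 0; once the SSO user appears the Mac drops out of the group and the profile is removed.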
@DaneAbernathy Thanks a bunch for this. It has gotten me on the right track. It does in fact create the local account using the SSO. However, I am having trouble dialing in the correct <string> for the EnrollmentRealName. Are you using LDAP? If you are using Azure AD as a Cloud IdP, did you have to use any schemas?