JAMF Connect and non-DEP devices

perryd84
Contributor II

Hi,

I'm all out of ideas and need some serious help! Please excuse the length of this post, but I needed to add all the details.

So we are moving to JAMF Connect and it works perfectly!! The machines in DEP pull down all the policies, and once done the device sits at the shiny JAMF Connect SSO page ready for the user to log in. They log in, DEPNotify installs a few apps, FileVault runs for them, and the world is a happy place!

My issue is non-DEP machines.

This still requires an engineer to kick off a QuickAdd package, and in doing this it kicks off the normal enrolment policies. Doing this runs FileVault, and so it grants the admin account the secure token and encrypts the machine to them. After this the Mac cannot be shipped to the end user, as it will be locked to the admin account. The way round this was to get the user to log in with the engineer, but during these times there's a massive push to remove this engineer intervention and go "zero-ish" touch.
I've tried cancelling the encryption, but then the Mac is stuck in deferred mode and nothing can be encrypted.
We have a Self Service policy to grant the user a secure token and add them to FileVault, and this works perfectly, but again we can't use this, as the machine would have already been locked to the admin account and the end user wouldn't even be able to log in.

I need something that removes the deferred encryption for the admin account and basically kicks off when the new user logs in.

I've tried using Outset to kick off the encryption policy, but it doesn't seem to work anymore (or I can't get it to work).

I'd love to know how people have got round this if they are in the same situation?

DBrowning
Valued Contributor II

I assume you are using Sync or Verify as well with Jamf Connect Login. Why not have the engineer set up the machine as the user with a temp password? Then, when the machine is shipped to the user, they log in the first time with the temp password and then use Sync/Verify to update it to their actual SSO password.

perryd84
Contributor II

Yes, sorry, I didn't add that in: we are using Verify alongside Jamf Connect Login. Not using Sync.
We did think of that, but I forgot to add that we use MFA. So the user would need to pass us their number and then tell us the code, and it just gets a little messy and not as seamless as we would like it to be.

DBrowning
Valued Contributor II

We too use MFA. What I'm saying is you set up a local account for the user (without using Jamf Connect). Then install your base apps (including Jamf Connect), and when the user goes to log in the first time with JC, Sync/Verify will update the password.

You just need to make sure, when you create the local account, that it matches whatever they would be getting if they were to do it through Automated Enrollment.

i.e.: you create a local account for John Smith. IDP username is john.smith.
Create a local account with username john.smith. Set the password to Temp1234! and enable FV.
Install base apps, including JC.
Shut down and ship to the user.
User receives it and logs in with john.smith/Temp1234!
JC Sync/Verify launches.
User logs in with IDP password.
Gets MFA prompt.
Syncs local password to IDP via JC Sync/Verify.
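The step above that matters most for the secure-token problem in the original post is "enable FV" for the user's account before the Mac leaves the engineer. The following is an added pre-ship check (example script, not from this thread or from Jamf): it confirms the local account is a FileVault-enabled user with a secure token and that no deferred enablement is pending. It assumes the macOS tools fdesetup and sysadminctl and their usual output formats; the parsing functions take command output as arguments so they can also be exercised on constructed strings.

```shell
#!/bin/sh
# Added example: verify that the local account created for the end user
# (e.g. john.smith) is ready to ship. Run on the Mac as root:
#   sh preship_check.sh john.smith
# Assumes fdesetup and sysadminctl (macOS); output formats as of recent macOS.

# Return 0 if "$1" (output of `fdesetup status`) reports FileVault On and
# no deferred enablement, which is the stuck state described in the thread.
fv_ready() {
    case "$1" in
        *"Deferred enablement"*) return 1 ;;
        *"FileVault is On"*)     return 0 ;;
    esac
    return 1
}

# Return 0 if user "$2" appears in "$1" (output of `fdesetup list`,
# one "username,UUID" per line).
fv_user_listed() {
    printf '%s\n' "$1" | cut -d, -f1 | grep -qxF "$2"
}

# Return 0 if "$1" (output of `sysadminctl -secureTokenStatus USER`, which
# is written to stderr) reports the token ENABLED for user "$2".
token_enabled() {
    case "$1" in
        *"Secure token is ENABLED for user $2"*) return 0 ;;
    esac
    return 1
}

# Run all three checks for user "$1"; print a verdict, return 0 only if all pass.
preship_check() {
    user="$1"; status="$2"; list="$3"; token="$4"
    ok=0
    fv_ready "$status"             || { echo "FAIL: FileVault not On, or deferred enablement pending"; ok=1; }
    fv_user_listed "$list" "$user" || { echo "FAIL: $user is not a FileVault-enabled user"; ok=1; }
    token_enabled "$token" "$user" || { echo "FAIL: $user has no secure token"; ok=1; }
    [ "$ok" -eq 0 ] && echo "OK: $user is FileVault-enabled with a secure token; ready to ship"
    return "$ok"
}

# Live run when a username is given on the command line.
if [ -n "$1" ]; then
    preship_check "$1" "$(fdesetup status)" "$(fdesetup list)" \
        "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
fi
```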

perryd84
Contributor II

That's actually a brilliant idea!

So at this step, "User receives and logs in with john.smith/Temp1234!", do you defer the automatic FileVault login so they are taken to the JAMF Connect login page? Or do you let them log in through FileVault, and they are then prompted by Verify to change their password once they see the desktop/Finder etc.?

DBrowning
Valued Contributor II

The latter. FV should be enabled when you set up the account. That way you know it's encrypted before leaving your engineer.

perryd84
Contributor II

Cool! Thanks so much for the suggestion, really appreciate the quick help! I will try this out and see how the team get on!

perryd84
Contributor II

@ddcdennisb So this method is working perfectly except for one issue. The Verify sign-in window doesn't pop up when the user logs in, so they have to manually click the icon and then sign in. I've got "ForceSignInWindow" set to true, but it doesn't pop up!?

How do you get round this, as we can't rely on the users to click the icon and sign in?

DBrowning
Valued Contributor II

@perryd84 I use Sync as I'm authing via Okta. I would suggest getting a ticket open with Jamf Support to help troubleshoot why the Verify login is not coming up.

perryd84
Contributor II

Looks like there are a few open already; was hoping you had a magic fix.