Jamf Connect not creating Local Accounts for DEP enrolled devices

Smadakram0
New Contributor II

Hi everyone, 

Pulling my hair out in regards to implementing Jamf Connect in a PreStage Enrollment. 

The SSO mechanism is using Azure. 

If we don't implement any PreStage Enrollment, the DEP MacOS device will prompt for our Azure credentials and then prompt for a Local Account to be created.  Once logged in, we can then push all the Jamf Connect profiles and policies to the device, reboot and Jamf Connect works like a dream. This is the same for User Enrolled devices using the web enrolment URL. 

The issue comes when I try to get it built closer to a Zero touch solution by adding in the PreStage enrollment. 
It goes through the Azure Authentication prompt, installs all the profiles (can't see if it is installing the Jamf Connect package, but I'm guessing it is because it is in the PreStage).

Then I get a prompt, "Hello (User).  Please re-enter my password". 

I can see that this is pulling the correct User from Azure because I've changed the claims to verify this and I get a different value for the User in this prompt which matches a different attribute in Azure. 

After I enter my password in again, I get a message, "An error occurred.  Contact your IT administrator".  
It isn't the most helpful message that I've seen!!

If I reboot the machine in recovery mode and run the terminal command 'resetpassword', I can see no accounts created. Neither the local user (makes sense, because it can't finish) nor the Local Admin account set in the PreStage is created.


I've tried applying the same Jamf Connect profiles and packages as I would be applying if this was a user based enrolment or DEP enrolment without the PreStage.  
I've also tried creating replacement profiles and package just for the PreStage enrolled devices.  It gives me the same response every time.  

[Attached image: IMG_20210804_115258.jpg]

Clearly I've missed something.  Has anyone else seen something similar or have any ideas of how I can see what is wrong (Can't log into the machine to see any failures). 
The macOS device is an M1. I'm not able to test with anything else because this is our only DEP-purchased macOS device. Business isn't going to pay for more unless this process gets bottomed out.

I just can't understand why it works so smoothly when not using PreStage, when the same configurations are being pushed.

Here are some of the plist files used for com.jamf.connect.login.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AllowNetworkSelection</key>
<true/>
<key>CreateJamfConnectPassword</key>
<true/>
<key>DenyLocal</key>
<false/>
<key>LocalFallback</key>
<true/>
<key>EnableFDE</key>
<true/>
<key>LicenseFile</key>
<data>
************************
</data>
<key>OIDCClientID</key>
<string>********-****-****-****-************</string>
<key>OIDCNewPassword</key>
<false/>
<key>OIDCProvider</key>
<string>Azure</string>
<key>OIDCROPGID</key>
<string>********-****-****-****-************</string>
<key>OIDCAdmin</key>
<!-- the admin role value must be a <string>, not a second <key> -->
<string>Admin</string>
<key>OIDCAdminAttribute</key>
<string>roles</string>
</dict>
</plist>

Or

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AllowNetworkSelection</key>
<true/>
<key>CreateAdminUser</key>
<true/>
<key>OIDCNewPassword</key>
<false/>
<key>CreateJamfConnectPassword</key>
<true/>
<key>EnableFDE</key>
<true/>
<key>EnableFDERecoveryKey</key>
<true/>
<key>OIDCAdmin</key>
<string>Admin</string>
<key>OIDCAdminAttribute</key>
<string>roles</string>
<key>OIDCClientID</key>
<string>********-****-****-****-************</string>
<key>OIDCProvider</key>
<string>Azure</string>
<key>OIDCROPGID</key>
<string>********-****-****-****-************</string>
<key>OIDCRedirectURI</key>
<string>https://127.0.0.1/jamfconnect</string>
<key>OIDCTenant</key>
<string>********-****-****-****-************</string>
</dict>
</plist>
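A structural check for a com.jamf.connect.login plist, added here as an example (it is not code from the original post or from Jamf): it feeds constructed copies of the two plists above through Python's plistlib, which rejects the first one because `OIDCAdmin` is followed by a second `<key>` instead of a `<string>` value, and then type-checks the keys of the second. The required-key list and the key/type table are assumptions limited to the keys that appear in the post; the client, tenant and license values are placeholders.

```python
from __future__ import annotations

import plistlib
from xml.parsers.expat import ExpatError

# Keys this checker treats as mandatory. Assumption: taken from the second plist in the
# post and Jamf Connect's OIDC login settings; extend to match your own deployment.
REQUIRED_KEYS = ("OIDCProvider", "OIDCClientID", "OIDCRedirectURI")

# Expected Python type of each key after plistlib parses it (<true/> -> bool,
# <string> -> str, <data> -> bytes). Assumption: limited to the keys used in the post.
KNOWN_TYPES = {
    "AllowNetworkSelection": bool,
    "CreateAdminUser": bool,
    "CreateJamfConnectPassword": bool,
    "DenyLocal": bool,
    "LocalFallback": bool,
    "EnableFDE": bool,
    "EnableFDERecoveryKey": bool,
    "OIDCNewPassword": bool,
    "LicenseFile": bytes,
    "OIDCAdmin": str,
    "OIDCAdminAttribute": str,
    "OIDCClientID": str,
    "OIDCProvider": str,
    "OIDCROPGID": str,
    "OIDCRedirectURI": str,
    "OIDCTenant": str,
}


def validate_login_plist(xml: bytes) -> list[str]:
    """Return the problems found in a login plist; an empty list means it looks sane."""
    try:
        settings = plistlib.loads(xml)
    except (ValueError, ExpatError, plistlib.InvalidFileException) as exc:
        # plistlib raises ValueError("unexpected key ...") when a <key> follows a <key>
        # with no value in between, which is the defect in the first plist above.
        return [f"plist does not parse: {exc}"]
    if not isinstance(settings, dict):
        return ["top-level object is not a <dict>"]

    problems = []
    for key in REQUIRED_KEYS:
        if key not in settings:
            problems.append(f"missing required key {key}")
    for key, value in settings.items():
        expected = KNOWN_TYPES.get(key)
        if expected is None:
            problems.append(f"unknown key {key}: check spelling against the settings reference")
        elif not isinstance(value, expected):
            # e.g. <string>true</string> written where <true/> was intended
            problems.append(f"{key} should be {expected.__name__}, got {type(value).__name__}")
    return problems


def _plist(body: str) -> bytes:
    """Wrap dict entries in a complete XML plist document (constructed sample input)."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
        '"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
        '<plist version="1.0"><dict>\n' + body + "</dict></plist>\n"
    ).encode()


# Constructed reproduction of the first plist in the post: OIDCAdmin is followed by a
# second <key> instead of a <string> value. IDs and the license blob are placeholders.
BROKEN_PLIST = _plist(
    "<key>AllowNetworkSelection</key><true/>\n"
    "<key>LicenseFile</key><data>UExBQ0VIT0xERVI=</data>\n"
    "<key>OIDCClientID</key><string>00000000-0000-0000-0000-000000000000</string>\n"
    "<key>OIDCProvider</key><string>Azure</string>\n"
    "<key>OIDCAdmin</key>\n"
    "<key>Admin</key>\n"
    "<key>OIDCAdminAttribute</key><string>roles</string>\n"
)

# Constructed version shaped like the second plist in the post (placeholder IDs).
FIXED_PLIST = _plist(
    "<key>AllowNetworkSelection</key><true/>\n"
    "<key>CreateAdminUser</key><true/>\n"
    "<key>EnableFDE</key><true/>\n"
    "<key>OIDCAdmin</key><string>Admin</string>\n"
    "<key>OIDCAdminAttribute</key><string>roles</string>\n"
    "<key>OIDCClientID</key><string>00000000-0000-0000-0000-000000000000</string>\n"
    "<key>OIDCProvider</key><string>Azure</string>\n"
    "<key>OIDCRedirectURI</key><string>https://127.0.0.1/jamfconnect</string>\n"
    "<key>OIDCTenant</key><string>00000000-0000-0000-0000-000000000000</string>\n"
)

# Constructed edge case: a boolean written as a string plus a misspelled key.
TYPO_PLIST = _plist(
    "<key>EnableFDE</key><string>true</string>\n"
    "<key>OIDCClientId</key><string>00000000-0000-0000-0000-000000000000</string>\n"
    "<key>OIDCProvider</key><string>Azure</string>\n"
    "<key>OIDCRedirectURI</key><string>https://127.0.0.1/jamfconnect</string>\n"
)

if __name__ == "__main__":
    for name, doc in (("broken", BROKEN_PLIST), ("fixed", FIXED_PLIST), ("typo", TYPO_PLIST)):
        print(name, validate_login_plist(doc) or "OK")
```

Run it against the exported profile payload before it goes into a PreStage: the parse failure is exactly what a hand-edited plist with a dangling `<key>` produces, and the type table catches the quieter mistake of a boolean quoted as a string.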

1 ACCEPTED SOLUTION

bwoods
Contributor II

Remove the Jamf Connect package from your prestage. Then enroll the machine via ADE and verify that all of your configuration profiles are on the machine. 


5 REPLIES


Smadakram0
New Contributor II

Thank you for this. It is interesting: both of the profiles are missing, so they must be getting removed after PreStaging.

Not sure why it would be removed, because it is using a smart group based on the enrollment method, so this should be populated during the enrolment.

I'm guessing my only choice is going to be rolling this out to all computers.  Seems like a sledge hammer approach when we have devices that use different enrolment methods. 

emily
Valued Contributor III

You can add profiles to the PreStage to ensure they are installed immediately upon enrollment. Then make sure those profiles are scoped correctly to stay in place after enrollment completes.

bwoods
Contributor II

@Smadakram0, @emily is correct; make sure that your configuration profiles for Jamf Connect are checked for immediate installation.

[Attached image: 2021-08-04_09-30-50.png]

Smadakram0
New Contributor II

Thanks @bwoods. The first message reminded me that I created a different enrolment profile, so I didn't make any changes to the one the 3rd party made. This is why the profile was being deleted after the profile was added via PreStage.

When I fixed the original issue, where the Enrollment Customization didn't have "Enable Jamf Pro to pass user information to Jamf Connect" enabled, I missed the smart group.

Once I added that into the smart group, the final piece came together and it is now working.

It also means I don't need to assign it to all computers. 

Thank you @bwoods and @emily