- Jamf Nation Community
- Products
- Jamf Connect
- Problems With PreStage Enrollment, Jamf Connect
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Problems With PreStage Enrollment, Jamf Connect
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 07-09-2020 09:51 AM
Hi everyone,
Having problems creating local user accounts using Jamf Connect, SSO credentials as part of Setup Assistant.
Workflow Expectations
- User powers on 'fresh' (either factory-new or wiped/reinstalled) laptop
- User selects country
- User connects to Internet
- PreStage enrollment kicks off
- Users enter their MS365 credentials
- Jamf Connect, added as an Enrollment Package, passes credentials to Create a Computer Account
- Workflow proceeds as configured...
Actual Workflow Behavior
- Laptop is booted
- Country selected
- Laptop connected to Internet
- PreStage kicks off (the Remote Management window launches), click Continue
- As part of the Remote Management window, we're prompted for our M365 credentials
- After submitting M365 credientials, Remote Management window states 'Installing enrollment profile"
- Immediately moves to Create a Computer Account screen with no further actions taken until a forced reboot, at which time Jamf Connect Login displays
Our Context
- Apple Business Manager and Jamf Pro successfully talking
- PreStage Enrollment scoped to all computers synced from Apple Business Manager
- Jamf Connect Login package signed with an Apple Developer Installation cert
- Jamf Connect Login package added as an Enrollment Package
- Jamf Connect Login plist successfully scoped, pushed via Configuration Profile
- We use enrollment customization to include SSO screen
Any help, insight anyone can offer is greatly appreciated. I'm also happy to provide more clarification.
Thanks!
Andrew
Labels:
Reply
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 07-09-2020 05:04 PM
Are you skipping the account creation? You should allow Jamf Connect to create the main local account
Reply
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 07-10-2020 11:20 AM
Hey wblack, thank you for your suggestion!!
Our troubleshooting was wayyy too in-the-weeds and missed that.
Edited our PreStage Enrollment to skip account creation. It's now closer to behaving as expected, but now Jamf Connect Login asks us to re-type our SSO password and continually refuses to accept it.
I have a feeling this is now something to do with FV2. We shall see! I have a support case open now.
Not applicable
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 07-10-2020 12:30 PM
It may be more about your SSO settings. In our environment, SSO kicks in first, before Jamf Connect, as our IdP is Azure.
Does the user being entered a part of the SSO group? It may depend on the IdP you are set for SSO. We had to make the users match in both the Jamf Connect and Jamf SSO Azure enterprise apps.
Keep testing, and keep testing, I can assure you of that.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 07-15-2020 06:52 AM
Hey everyone!!
Thank you again for your time and responses! I wanted to write a follow up in case it helps anyone else down the road.
Our PreStage Enrollment was configured to create an additional admin account. Despite receiving the aforementioned errors when trying to create/authentication with an MS365 account, we let the computer complete PreStage Enrollment and logged in locally using the admin account.
Once in, found mpjamf_login.log. It contained authentication attempts for both the MS365 account as well as the local admin account. For reference, I've attached a sanitized copy of the log that pertains only to the MS365 account.
Focusing on the log events pertaining to MS365, a couple errors appeared with each authentication attempt:
- [com.jamf.connect.login] - Error - UI: WebFrame failed provisional load with: Could not connect to the server.
- [com.jamf.connect.login] - Error - OpenDirectory: ODError while trying to check for local user: The operation couldn'92t be completed. (JamfConnectLogin.DSQueryableErrors error 0.).
- [com.jamf.connect.login] - Error - UI: ROPG error, description from json: AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.
There were a few others not listed here.
Not sure where to begin, I picked the 3rd error, above, and Googled. I eventually found https://community.powerbi.com/t5/Developer/The-request-body-must-contain-the-following-parameter-client/td-p/259147, specifically the last post of the thread made by user "jayendran".
Following what their post suggested, we checked our Azure App Registration settings, and sure enough our "Default client type" setting was set to "No". Flipped it to "Yes", saved, and Jamf Connect Login with PreStage Enrollment worked!!!!
Jamf Connect Login now creates a new local user as advertised. I wrote a similar summary for our Jamf Support case so they can update their documentation to reflect Azure's new App Registration UI that jayendran pointed out.
I hope this helps anyone in the future.
Reply
