Strange error when keeping Jamf Connect agent & config profiles as part of pre-stage. *** SOLVED ***

sdimauro
New Contributor

First post - here we go!

Some context for this post: Our company picked up Jamf Pro in 2019. Since that time we have slowly been building up the platform, the primary goal being to get to a zero-touch state with our devices (wanting to cut out IT as the middle-man for having to manually set up new Macs).

We hit a snag with this process in that our devices rely on certificate-based authentication to connect our users to various services.

The machine-based certificates would deploy relatively quickly after login; however, we could not get the user-based certs to deploy due to a missing flag for the user account on the Jamf side, the flag being “MDM Capable User”. Without the username populated in this field, the user cert config profile would not deploy to the scoped Macs. It was originally due to us skipping account creation in pre-stage and leveraging Jamf Connect to complete that step. This left the user without a secure token and would require fully unenrolling the device from Jamf via the removeframework command, and re-enrolling under the user’s account. We tried several approaches to force the issue with the MDM Capable User field to include the target username but nothing would work. When we finally re-enabled account creation during pre-stage, we would get a computer error stating the following:

“Computer Account Creation Failed:

Your computer account could not be created with the name and password specified. Please try again.”

Upon clicking “try again” - and “next” - we get a new error:

“The name you entered can’t be used.

The name is not available. Enter a different name”

We could then change the name to whatever we wanted, and the error messages would remain the same. We verified the user’s home folder was not being created as a result of these error messages.

After a lengthy support case open with Jamf Support - (who did assist us in getting our enrollment customization configuration set properly to provide the correct IDP attributes into the fields on the “Create a new computer account” window), and some excellent discussions with both Jamf staff and other Jamf admins at JNUC2022 - we have found the cause of the error message & the subsequent fix to getting us up & running with Zero-touch deployments:

We needed to remove Jamf Connect from our pre-stage packages & config profiles. (Testing still needed to verify if the true issue was just the client or just the configs, or a combination.)

Once removed, the error messages no longer appeared at the “Create a computer account” window. The users would enter their passwords, be taken to their desktop screen, and within moments the user cert config profile would appear (along with the matching user cert in the keychain).

We want to give a big thanks to the Jamf Support team (Jacob Espeth), our Jamf success managers (Hannah and Grace), Jamf Client Engineer Gregory Maki, and all of the other Jamf Admins (Perrin, Jenny, and Vincenzo to name a few) at JNUC this year who provided such excellent ideas and suggestions to help us provide a better Mac experience for our users.

Thanks again!

TL;DR: Weird error messages happening with pre-stage enrolled devices at the “Create a computer account” window. Took out all Jamf Connect related items from pre-stage. Error went away!
