Can anyone better explain the following from the 10.19.0 release notes?
Management Account Information Changes—The Management Account information that is configured in the User-Initiated Enrollment settings is no longer included in the Account Settings payload. As a result, the local administrator account created using the Create an additional local administrator account setting in the Account Settings payload is now the only account that you can configure that is created and presented to the user before the Setup Assistant.
Note: If your environment uses the Management Account information from the User-Initiated Enrollment settings, that account information is now displayed in the Create a local administrator account before the Setup Assistant settings. This is now editable and can be modified to fit your environment.
We have our management account specified in User-Initiated Enrollment Settings. After upgrading to 10.19.0 I was expecting to no longer have our management account get automatically created upon enrollment. That, however, is not what I've seen so far. Our management account is still being created even though we don't have it specified in a PreStage.
If the management account no longer comes from User-Initiated Enrollment Settings and it's not specified in PreStage Account Settings, where is it coming from?
Some additional information from Jamf Support for those who may stumble upon this post.
1) Any time the Account Settings payload was configured, an administrator user account would be created via the AccountConfiguration MDM command.
2) If the "Create additional local administrator account" feature was not selected, the Jamf Management Account (as defined in User-Initiated Enrollment settings) would be created
---> This caused issues where the Management account home directory is being created in /Users/ with UID being set to 501(first account created) instead of being located within /private/var/ with a UID of 80.
3) Per Apple's MDM specifications, a Managed Administrator is only required to be created when the Local User Account Type is set to "Standard" or "Skip Account Creation."
---> This caused confusion as the Jamf Management account doesn't need to be created if the Local User Account Type was set to "Admin"
---> It also caused additional confusion if the UIE settings were set to not create the Management account
1) Design changes were implemented to reduce confusion per #3 above -- no longer shows the Jamf Management account information unless the "Create additional local admin account" wasn't selected pre 10.19
2) The design changes also addressed a product issue surrounding #2 and helped the admin setting up the PreStage to understand what management account was going to be created.
3) In addition, the Jamf Binary now exclusively creates the management account according to the UIE settings (if the UIE settings are set to create the management account)
My comment (not Jamf's):
This change wasn't documented very well in the 10.19.0 release notes but, admittedly, it's complicated. The main take-away for me is that User-Initiated Enrollment is still the place where you specify your jamfadmin (or casperadmin or whatever) management account. This management account information from Settings > Global Management > UIE is still used for PreStage enrollments.
This change made things a lot more complicated for me; not to mention I just spent a significant amount of time trying to figure out why I could not see the admin account on the most recent enrolled computers from the JAMF Portal.
On top of that, the local user accounts are being created as admin accounts (501) instead of standard (502).