A perfect DEP world

BOBW
Contributor II

Hi All,

Been struggling to get our DEP environment to be zero-touch for the IT dept.

Ideal world:
The staff member gets a new Mac
Opens the box and agrees to DEP enrolment
Computer shows the login window for the user to log in with AD credentials
User logs in; after login, unbind from AD
Policy kicks in which runs a script to rename the computer based on the user's input
New computer name would then bind to AD
User continues with Self Service to grab the apps they need while in the background Tier 1 apps are installed

What is really happening:
Computer sent to IT dept
IT dept starts the machine
Run through the DEP process
Get prompted to create a local account
Log in and see that DEP has created the correct admin account from the DEP process
JAMF binary not installed but the MDM profile is (strange)
IT dept goes to the URL to enrol the device
Once the policy has kicked in and the rename script works, reboot and hand to the end user

What am I missing here? Why does the device prompt for user creation when a user is created through DEP? Why does the binary not install?
Why does only the MDM profile install?

1 ACCEPTED SOLUTION

Slawford
New Contributor III

Hey mate, what version of JSS are you running? Once we upgraded to 9.91 DEP worked a lot better; we could then disable the prompting of the creation of a local account, and things seem to be running the way you have noted in the "Ideal World".


6 REPLIES

BOBW
Contributor II

Yep, using 9.91. Where is this magical button, "disable the prompting of the creation of a local account"?

BOBW
Contributor II

My perfect world is a little closer.....

Found the magical button. For some reason I figured the local user account type was in reference to the "create an additional local administrator", but it isn't....

Now selected "skip account creation" in place of "Administrator account" in the DEP Account settings.

tsossong
New Contributor III

Why do you want to do the bind twice in the perfect world? You can do a policy to change the name of the computer as needed and then bind it to AD once. Which user logs in next doesn't matter. Would recommend a restart after the binding.

BOBW
Contributor II

Yeah, I guess that is correct, but the idea would be that a user could log in straight away. My script which restarts the machine with the login window config profile isn't working until someone logs in for the first time. It also does some other stuff, such as creating a dummy receipt. This in turn adds the machine to a smart group, which then kicks off the user prompt to have the name change completed.

So I need to have staff being able to log in to kick off the script. If they do not have a local user account they need to rely on AD to be able to do this.
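One way to script the rename-then-bind-once flow tsossong describes above (an added example, not code posted by anyone in this thread): it normalises and validates the user-supplied name before it reaches scutil or dsconfigad, takes the AD domain and bind credentials from Jamf policy parameters $4 to $6 (an assumed layout) instead of hard-coding them, and restarts afterwards. It assumes a Mac with a logged-in GUI session for the dialog and that the script is saved as rename_and_bind.sh.

```shell
#!/bin/sh
# Added example, not from the thread. Rename a Mac from a user-supplied name,
# validate it, bind to AD once, then restart. Assumed Jamf policy parameters:
# $4 = AD domain, $5 = bind account, $6 = bind password. The helpers are
# portable; main needs macOS tools (scutil, dsconfigad, osascript).

# Normalise user input: trim whitespace, uppercase, replace spaces with hyphens.
normalise_name() {
  printf '%s' "$1" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
    | tr '[:lower:]' '[:upper:]' | tr ' ' '-'
}

# Accept only NetBIOS-safe names for AD: 1-15 chars, letters/digits/hyphens,
# no leading/trailing hyphen. This also keeps shell metacharacters out of the
# scutil and dsconfigad arguments below.
valid_name() {
  case "$1" in
    ''|-*|*-) return 1 ;;
    *[!A-Za-z0-9-]*) return 1 ;;
  esac
  [ "${#1}" -le 15 ]
}

# Apply the same name to all three macOS name fields.
set_names() {
  scutil --set ComputerName "$1"
  scutil --set HostName "$1"
  scutil --set LocalHostName "$1"
}

# Bind once, after the rename, so the AD computer record matches the new name.
bind_ad() {
  dsconfigad -add "$1" -computer "$2" -username "$3" -password "$4" -force
}

main() {
  raw=$(osascript -e 'text returned of (display dialog "Enter the asset name for this Mac:" default answer "")')
  name=$(normalise_name "$raw")
  if ! valid_name "$name"; then
    echo "Rejected computer name: '$raw'" >&2
    exit 1
  fi
  set_names "$name"
  bind_ad "$4" "$name" "$5" "$6"
  # The thread recommends a restart after binding; the delay lets the policy finish.
  shutdown -r +1 "Restarting to complete AD bind"
}

# Run the flow only when executed directly under the assumed file name.
case "$0" in *rename_and_bind.sh) main "$@" ;; esac
```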

sgoetz
Contributor

I had the same issue with the JAMF binaries not installing during enrollment. I imported the JSS Tomcat SSL as trusted into the Java keystore, so for example the SSL for https://jss.domain.com:8443. Once I trusted it, I've had no issues with installing the JAMF binaries during DEP enrollment.