Account Creation Failed Error on M2/M1 Macs with Prestage Enrollment

light-user
New Contributor II

We are seeing this account creation failed error message occur more often now on M1 and M2 MacBooks running Ventura or Monterey OS. We have set up prestage in Jamf to automatically create an admin account before the Apple setup assistant steps. The workflow is: we turn on the MacBook (already assigned to the default prestage) and it gets enrolled through ADE and installs the remote management profile. It skips the admin account creation part, but allows us to create a local user manually. This is where it throws the error message. We have a ticket with Jamf Support, but it's not so helpful, as it doesn't sound like they have a solid fix for this.

6 REPLIES

correct-horse
New Contributor II

Are you creating a Prestage admin account and also a Jamf Management account (Jamf Pro Settings > User Initiated Enrollment > macOS)?

I had ADE flat out crashing with certain prestage enrollment setups because Jamf is installing the Jamf Management accounts using old school Open Directory commands and it was making the underlying services that run device enrollment crash to a useless login window.

It might be something similar, there's a handful of ADE/Setup Assistant and Jamf related crashes happening right now. Good luck getting Jamf support agents to listen and escalate it for you.

light-user
New Contributor II

@correct-horse Yes, we got a management account created as well as a local admin account through Prestage. Did you ultimately fix this issue by disabling the management account?

This is from the Jamf wiki:

When you enroll computers, you must specify a local administrator account called the "management account". This is required for computers to be considered managed by Jamf Pro. However, choosing to create the management account on computers is optional and is only required for some workflows. The management account only needs to be created if you want to perform the following tasks on the computer:

Using a policy to administer the management account allows you to do the following:

  • Enable FileVault using a policy (when SecureToken is enabled on the management account)

  • Add or remove users from FileVault using a policy (when SecureToken is enabled on the management account)

  • Generate a personal recovery key using a policy (when SecureToken is enabled on the management account)

  • Perform authenticated restarts using a policy (when SecureToken is enabled on the management account)

Sounds like if I disabled the management account, I won't be able to do these functions.




🤣 Oh, no, see, I had to toggle on/off "transfer information" and "location services" in my main prestage enrollment; somehow that manages to override whatever Jamf is doing wrong that macOS hates (but I'm also pushing a password config policy at time of PreStage enrollment, so YMMV). It's cargo cult-y, but seriously, just toggle those settings, save the prestage, then toggle them back how you want them -- it may just fix it; I was able to get 1 in 5 enrollments to fail with my setup until I toggled "location services" and "transfer information" on and off, and since then for some weird reason now my primary prestage is bulletproof and new enrolls Just Work™ again.

There are a bunch of open Known Issues like PI111120 around account creation issues, prestage enrollment, and various combinations of management accounts/config profiles/pre-enrollment PKG installers leading to setup assistant fails, so whatever is breaking seems to be impacting a variety of Jamf Pro setups.

🙃 On the bright side -- Apple engineering does know about the management accounts being installed by Jamf like it's 2009, so they're hardening the underlying systems that run Setup Assistant for macOS 14 Sonoma (not that this helps at all for macOS 12/13).

danlaw777
Contributor III

So I looked into this as well, and even though the account creation error appears, it actually creates the account. Do a hard reboot, and it comes up to the login screen. I was able to log in to both the admin account I created as well as the user account I created. It appears as if it is just a harmless error message...

light-user
New Contributor II

Thanks, will try. First, Jamf support told me to exclude prestage from FileVault and remove from exclusion again, and that seems to be working so far. Glad to know Apple is aware of this issue. Yes, I heard it's Jamf using older AD tech. Woohoo, there's hope for vendor support, they are giving me a solution that may be working!

light-user
New Contributor II

RIP, it didn't work :( Will try to toggle off and on those Apple assistance set up windows @correct-horse mentioned.