Authenticate DEP Enrollment

forrestbeck
New Contributor III

I would like to see if there is a way to require an IT staff user to sign in before DEP will proceed. I was thinking of using the Enrollment Customization to do this, but this will assign the user to the device. I would rather not have all our devices assigned to me. Anyone else tried something similar? Any ideas?


junjishimazaki
Valued Contributor

What exactly are you trying to accomplish? 

forrestbeck
New Contributor III

Just want to prevent the DEP enrollment from continuing unless an IT Staff member logs in first. 

junjishimazaki
Valued Contributor

Sorry, let me rephrase my question. Why do you want IT to log in first? Once you have the Mac assigned to your Jamf PreStage it will automatically enroll.
I don't want it to automatically enroll without authentication. This is what would best fit our situation.

junjishimazaki
Valued Contributor

I'm sorry, but that's the whole point of the "automated device enrollment" process in the PreStage. You can certainly talk to Jamf support about what you want to do and see what they say. But you can also just unassign the Macs from your PreStage, then set up the local admin account and enroll the Mac via user-initiated enrollment.

I will figure it out. Just looking to see if anyone else has tried something similar. 

junjishimazaki
Valued Contributor

I understand, and I wish you good luck. Hopefully someone chimes in and responds.

Vaid
New Contributor III

@forrestbeck If you intend to do the following:
IT staff use their own credentials, let the config profiles allowed in your PreStage settings install, and then let the user create their own account afterwards, it is possible. You just need to disallow the option "Prefill primary account information" under the Account Settings payload in the PreStage Enrollment settings.

cbrewer
Valued Contributor II

You could do something like give your IT staff special enrollment accounts (enroll_username). Then run a script tied to enrollment trigger that uses the API to check and see if the assigned username matches "enroll_". If the username matches "enroll_" then use the API to remove the user assignment for that Mac in Jamf.

That might be a lot to do just to prevent regular users from enrolling. I am thinking that with the coming "Erase Content and Settings" addition in Monterey, you may want a workflow that allows all users to enroll themselves.

Tribruin
Valued Contributor II

We just have the techs login using an Enrollment Customization with LDAP (Azure AD) and limit the logins to the team that builds the computers. We then prompt the tech to enter the user account of the end user and update the userName in Jamf based on this response.
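The two API-based approaches above (cbrewer's "enroll_" account check that clears the assignment, and Tribruin's prompt that replaces it with the end user) share the same mechanics: read the computer record by serial, inspect the assigned user, and PUT a new location payload. The script below is an added example written for this thread, not code posted by either contributor or shipped by Jamf. It assumes a Jamf policy passes the server URL and an API account in script parameters $4, $5 and $6, uses the Jamf Pro bearer-token endpoint (`/api/v1/auth/token`) and the Classic API computer-by-serial-number endpoints, and the sample record at the top is constructed test data with a fake serial. Two practitioner caveats: anything passed in $4-$6 is visible to every Jamf admin who can read the policy, so give that account only Read/Update Computers rights; and this script only fixes the assignment after enrollment, the actual login gate is still the Enrollment Customization's LDAP/SSO login restricted to the build team.

```shell
#!/bin/bash
# Added example for this thread (hypothetical, not Jamf's or the posters' code).
# Run from a policy on the Enrollment Complete trigger: if the Mac was enrolled by
# an IT "enroll_" account, swap the Jamf user assignment for the end user the tech
# names, or clear it if they leave the prompt blank.
# Assumed policy parameters: $4 = Jamf Pro URL, $5 = API username, $6 = API password.

JAMF_URL="${4:-${JAMF_URL:-}}"
API_USER="${5:-${API_USER:-}}"
API_PASS="${6:-${API_PASS:-}}"
ENROLL_PREFIX="enroll_"

# Constructed sample of a Classic API computer record (fake serial) used for offline checks.
SAMPLE_RECORD='<?xml version="1.0" encoding="UTF-8"?><computer><general><id>42</id><name>MBP-0042</name><serial_number>C02FAKE00042</serial_number></general><location><username>enroll_jdoe</username><realname>Enrollment Tech</realname><email_address/></location></computer>'

# Returns 0 when the name is one of the IT staff enrollment accounts (prefix match).
is_enrollment_account() {
  case "$1" in
    "$ENROLL_PREFIX"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Pull the assigned user out of <location><username> in a Classic API computer record.
# Only the <location> block is searched, so an empty <username/> yields an empty string.
extract_assigned_user() {
  printf '%s' "$1" | tr -d '\n' \
    | sed -n 's/.*<location>\(.*\)<\/location>.*/\1/p' \
    | sed -n 's/.*<username>\([^<]*\)<\/username>.*/\1/p'
}

# A username typed into a dialog is untrusted input; escape it before building XML.
# '&' must be replaced first so the entities introduced afterwards are not re-escaped.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# PUT payload for the Classic API; an empty username unassigns the Mac.
build_location_xml() {
  printf '<computer><location><username>%s</username></location></computer>' "$(xml_escape "$1")"
}

# Live path: only runs when a Jamf URL was supplied, so the helpers above can be
# exercised without a server.
if [ -n "$JAMF_URL" ]; then
  SERIAL=$(ioreg -c IOPlatformExpertDevice -d 2 | awk -F\" '/IOPlatformSerialNumber/{print $(NF-1)}')

  TOKEN=$(curl -sf -u "$API_USER:$API_PASS" -X POST "$JAMF_URL/api/v1/auth/token" \
          | sed -n 's/.*"token" *: *"\([^"]*\)".*/\1/p')
  [ -n "$TOKEN" ] || { echo "could not obtain a Jamf API token" >&2; exit 1; }

  RECORD=$(curl -sf -H "Authorization: Bearer $TOKEN" -H "Accept: application/xml" \
           "$JAMF_URL/JSSResource/computers/serialnumber/$SERIAL")
  ASSIGNED=$(extract_assigned_user "$RECORD")

  if is_enrollment_account "$ASSIGNED"; then
    # Ask the tech who the end user is; a blank answer simply clears the assignment.
    END_USER=$(osascript -e 'text returned of (display dialog "End-user username for this Mac (leave blank to unassign):" default answer "")' 2>/dev/null)
    curl -sf -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/xml" -X PUT \
      -d "$(build_location_xml "$END_USER")" \
      "$JAMF_URL/JSSResource/computers/serialnumber/$SERIAL" >/dev/null \
      && echo "reassigned $SERIAL from $ASSIGNED to '${END_USER:-<none>}'"
  else
    echo "assigned user '$ASSIGNED' is not an enrollment account; nothing to do"
  fi

  # Do not leave a live bearer token behind.
  curl -sf -H "Authorization: Bearer $TOKEN" -X POST "$JAMF_URL/api/v1/auth/invalidate-token" >/dev/null
fi
```

Because the record is fetched by the Mac's own serial number, a user who changes the script parameters can still only touch the record of the machine they are sitting at, which is why the API account needs no broader rights than reading and updating computer records.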