I would like to see if there is a way to require an IT staff user to sign in before DEP will proceed. I was thinking of using the Enrollment Customization to do this, but this will assign the user to the device. I would rather not have all our devices assigned to me. Has anyone else tried something similar? Any ideas?
I'm sorry, but that's the whole of the "automated device enrollment" process in the PreStage. You can certainly talk to Jamf support about what you want to do and see what they say. But you can also just unassign the Macs from your PreStage, then set up the local admin account and enroll the Mac via user-initiated enrollment.
@forrestbeck If you intend to do the following:
IT staff use their own credentials, the config profiles allowed in your PreStage settings are installed, and after that the user creates their own account. That is possible. You just need to disable the "Prefill primary account information" option under the Account Settings payload in the PreStage Enrollment settings.
You could do something like give your IT staff special enrollment accounts (enroll_username). Then run a script tied to the enrollment trigger that uses the API to check whether the assigned username matches "enroll_". If the username matches "enroll_", use the API to remove the user assignment for that Mac in Jamf.
That might be a lot to do just to prevent regular users from enrolling. I am thinking that with the coming "Erase Content and Settings" addition in Monterey, you may want a workflow that allows all users to enroll themselves.
We just have the techs log in using an Enrollment Customization with LDAP (Azure AD) and limit the logins to the team that builds the computers. We then prompt the tech to enter the user account of the end user and update the userName in Jamf based on this response.
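The two workflows described in the replies above, a post-enrollment script that recognises a technician "enroll_" assignment and removes it, and a prompt to the tech for the real end user whose name is then written back to the computer record, share the same moving parts, so here is one added example covering both. It is not code from the thread or from Jamf. It assumes Jamf passes the server URL and an API account as policy script parameters $4, $5 and $6, that the API account has Read and Update on Computers, a Jamf Pro version with the bearer-token endpoint (10.35+), and an osascript dialog as the prompt (the poster did not say how they prompt). The "enroll_" prefix is the convention suggested in the thread.

```bash
#!/bin/bash
# Added example (not from the thread): after automated device enrollment,
# detect a technician "enroll_*" assignment and replace it with the end
# user's username (or clear it), via the Jamf Pro Classic API.
# Assumptions: Jamf passes the server URL and an API account as policy
# script parameters $4, $5, $6; the API account has Read and Update on
# Computers; Jamf Pro 10.35+ (bearer-token endpoint). The "enroll_" prefix
# follows the convention suggested in the thread.
set -eu

ENROLL_PREFIX="enroll_"

# True when the username is one of the IT enrollment accounts.
is_enrollment_account() {
    case "$1" in
        "${ENROLL_PREFIX}"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull <location><username> out of a Classic API computer record read on
# stdin. Newlines are stripped first so pretty-printed XML parses too.
extract_assigned_username() {
    tr -d '\n' \
      | sed -n 's:.*<location>\(.*\)</location>.*:\1:p' \
      | sed -n 's:.*<username>\([^<]*\)</username>.*:\1:p'
}

# XML body for the PUT. An empty argument yields <username/>, which clears
# the assignment; anything else sets it. '&' and '<' are escaped for
# element content.
username_payload() {
    local name="$1"
    if [ -z "$name" ]; then
        printf '<computer><location><username/></location></computer>'
    else
        name="$(printf '%s' "$name" | sed 's/&/\&amp;/g; s/</\&lt;/g')"
        printf '<computer><location><username>%s</username></location></computer>' "$name"
    fi
}

# Serial number of this Mac, the Classic API lookup key.
local_serial() {
    ioreg -c IOPlatformExpertDevice -d 2 | awk -F\" '/IOPlatformSerialNumber/ {print $4}'
}

# Exchange API credentials for a bearer token.
get_token() {
    local url="$1" user="$2" pass="$3"
    curl -sf -u "${user}:${pass}" -X POST "${url}/api/v1/auth/token" \
      | sed -n 's/.*"token" *: *"\([^"]*\)".*/\1/p'
}

fetch_record() {
    local url="$1" token="$2" serial="$3"
    curl -sf -H "Authorization: Bearer ${token}" -H "Accept: application/xml" \
      "${url}/JSSResource/computers/serialnumber/${serial}"
}

set_assigned_user() {
    local url="$1" token="$2" serial="$3" name="$4"
    username_payload "$name" \
      | curl -sf -H "Authorization: Bearer ${token}" -H "Content-Type: application/xml" \
          -X PUT --data-binary @- \
          "${url}/JSSResource/computers/serialnumber/${serial}" >/dev/null
}

# Ask the technician at the keyboard for the end user's username.
# Cancel or an empty answer returns "" so the assignment is simply cleared.
prompt_for_end_user() {
    osascript -e 'text returned of (display dialog "End user username for this Mac:" default answer "")' 2>/dev/null || true
}

main() {
    local url="$1" api_user="$2" api_pass="$3"
    local serial token assigned end_user
    serial="$(local_serial)"
    token="$(get_token "$url" "$api_user" "$api_pass")"
    assigned="$(fetch_record "$url" "$token" "$serial" | extract_assigned_username)"
    if is_enrollment_account "$assigned"; then
        end_user="$(prompt_for_end_user)"
        set_assigned_user "$url" "$token" "$serial" "$end_user"
        echo "Replaced '${assigned}' with '${end_user:-<none>}' on ${serial}"
    else
        echo "Assigned user '${assigned:-<none>}' is not an enrollment account; unchanged"
    fi
}

# Jamf passes policy script parameters starting at $4.
if [ "$#" -ge 6 ]; then
    main "$4" "$5" "$6"
fi
```

Scope the policy to the Enrollment Complete trigger. Anything placed in policy script parameters is readable by every Jamf admin who can open the policy, so give the API account only Read and Update on Computers and nothing else; with that scope the worst a leaked parameter can do is rewrite computer records, not enroll or wipe devices.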