Posted on 08-13-2021 02:41 PM
I would like to see if there is a way to require an IT Staff user to sign in before DEP will proceed. I was thinking of using the Enrollment Customization to do this, but this will assign the user to the device. I would rather not have all our devices assigned to me. Anyone else tried something similar? Any ideas?
Posted on 08-13-2021 03:08 PM
What exactly are you trying to accomplish?
Posted on 08-13-2021 03:17 PM
Just want to prevent the DEP enrollment from continuing unless an IT Staff member logs in first.
Posted on 08-13-2021 03:27 PM
Sorry, let me rephrase my question. Why do you want IT to log in first? Once you have the Mac assigned to your Jamf Prestage, it will automatically enroll.
Posted on 08-13-2021 04:42 PM
I don’t want it to automatically enroll without authentication. This is what would best fit our situation.
Posted on 08-13-2021 05:15 PM
I'm sorry, but that's the whole of the "automated device enrollment" process in the prestage. You can certainly talk to Jamf support about what you want to do and see what they say. But you can also just unassign the Macs from your prestage, then set up the local admin account and enroll the Mac via user-initiated.
Posted on 08-13-2021 05:18 PM
I will figure it out. Just looking to see if anyone else has tried something similar.
Posted on 08-13-2021 05:20 PM
I understand and I wish you good luck. Hopefully, someone chimes in and responds.
Posted on 08-14-2021 03:36 AM
@forrestbeck If you intend to do as follows:
IT staff use their own credentials and let the config profiles allowed in your prestage settings install, and then after that let the user create his own account, it is possible. You just need to disallow the option of "Prefill primary account information" under the Account settings payload in Prestage Enrollment settings.
Posted on 08-14-2021 05:26 PM
You could do something like give your IT staff special enrollment accounts (enroll_username). Then run a script tied to the enrollment trigger that uses the API to check and see if the assigned username matches "enroll_". If the username matches "enroll_", then use the API to remove the user assignment for that Mac in Jamf.
That might be a lot to do just to prevent regular users from enrolling. I am thinking that with the coming "Erase Content and Settings" addition in Monterey, you may want a workflow that allows all users to enroll themselves.
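The check described in the post above, as an added example that is not part of the thread and not Jamf's own code. It assumes the Jamf Pro Classic API with Basic authentication, that blanking `username` is enough to remove the assignment, and the placeholder names `JAMF_URL`, `API_USER`, `API_PASS` and `PREFIX`.

```bash
#!/bin/bash
# Added example. JAMF_URL, API_USER, API_PASS and PREFIX are assumed names.
# The API account is exposed to the endpoint running this script, so it
# should hold only computer read/update privileges.
PREFIX="enroll_"

# Read Classic API location XML on stdin, print the assigned username.
extract_username() {
    sed -n 's:.*<username>\([^<]*\)</username>.*:\1:p' | head -n 1
}

# Succeeds only if the name starts with the prefix; "jdoe_enroll_" and
# an empty assignment do not match.
is_enrollment_account() {
    case "$1" in
        "${PREFIX}"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Body for the PUT that blanks the user assignment.
clear_payload() {
    printf '%s' '<computer><location><username></username></location></computer>'
}

unassign_if_enrollment_account() {
    serial=$(system_profiler SPHardwareDataType | awk '/Serial Number/ {print $NF}')
    endpoint="${JAMF_URL}/JSSResource/computers/serialnumber/${serial}"
    user=$(curl -sf -u "${API_USER}:${API_PASS}" -H "Accept: application/xml" \
        "${endpoint}/subset/location" | extract_username)
    if is_enrollment_account "$user"; then
        curl -sf -u "${API_USER}:${API_PASS}" -H "Content-Type: application/xml" \
            -X PUT -d "$(clear_payload)" "$endpoint" >/dev/null
    else
        echo "Assigned user '${user}' left unchanged"
    fi
}

if [ -n "${JAMF_URL:-}" ]; then
    unassign_if_enrollment_account
else
    # No server configured: run the checks on a constructed sample reply.
    sample='<computer><location><username>enroll_tech1</username></location></computer>'
    user=$(printf '%s\n' "$sample" | extract_username)
    if is_enrollment_account "$user"; then echo "would unassign ${user}"; fi
fi
```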
Posted on 08-17-2021 06:28 AM
We just have the techs log in using an Enrollment Customization with LDAP (Azure AD) and limit the logins to the team that builds the computers. We then prompt the tech to enter the user account of the end user and update the userName in Jamf based on this response.