Posted on 10-10-2016 04:40 PM
Hi all,
For JSS 9.93, is there a way to automate the account creation during the Prestage Enrollment? Please look at the screenshot below
Here is what we're trying to accomplish:
During DEP, the user is asked to enter their AD credential. With JSS 9.93, there is an option to skip local account creation. What we want to do is to create a local account based on the assigned user (whoever authenticates during DEP) and not use a standard local admin account. Is this possible? Thanks
Posted on 10-10-2016 08:27 PM
We bind our Macs to AD at time of enrolment through the DEP process (add directory binding details to the Directory tab in your screenshot). This way, when the Mac is enrolled into Casper, it is also bound to AD and the user is able to login with their AD account. A local account is created based on the user's username.
The only issue with this is that the user needs to be on the local network to bind to AD, but we are working on resolving this!
Posted on 10-11-2016 10:21 AM
@stevevalle Thanks for the fast response. The reason why I want to create a local account is because of the remote users who will not have a local network to bind to AD. Please share the solution to this issue when you find out :)
Posted on 03-29-2017 12:37 PM
@stevevalle Have you been successful in binding to AD with the PreStage Enrollment for DEP? My team has everything set in the directory payload, but it is just not completing.
Posted on 03-30-2017 02:28 PM
@mabec Yes, every staff Mac deployed is bound to AD during the DEP enrolment process. By the time the Mac gets to the login screen, it is bound to AD.
The only issue with this is they need to enrol the Mac while on our network. They are unable to do this from home.
Posted on 03-31-2017 01:18 AM
We are using something like this to create a mobile AD user account later on through VPN during the DEP enrollment process.
#!/bin/bash
# Set cocoaDialog location
CD="/Users/Shared/CocoaDialog.app/Contents/MacOS/CocoaDialog"
# Keep prompting until the mobile account has been created (e.g. once the VPN is up)
while true; do
# Dialog to enter the User name and then create the $USERNAME variable
rv=($($CD standard-inputbox --title "Username" --no-newline --informative-text "Enter your Company Username"))
USERNAME=${rv[1]}
if [ "$rv" == "1" ]; then echo "User said OK"
elif [ "$rv" == "2" ]; then echo "Cancelling"; exit 0
fi
# Dialog to enter the Password and then create the $PASSWORD variable
rv=($($CD secure-standard-inputbox --title "Password" --no-newline --informative-text "Enter your Company Password"))
PASSWORD=${rv[1]}
if [ "$rv" == "1" ]; then echo "User said OK"
elif [ "$rv" == "2" ]; then echo "Canceling"; exit 0
fi
# Create Mobile Account (note: -p puts the password on the command line, where other local processes can read it via ps)
/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n "$USERNAME" -p "$PASSWORD" > /dev/null 2>&1
if [ $? -eq 0 ]; then
break
fi
sleep 1
done
Posted on 09-08-2017 01:59 PM
@stevevalle I try (!) to accomplish the same thing which you already have running. Unfortunately I cannot get it running, so maybe you (or someone else) could give me a hint on what to do or where I zigged when I should have zagged....
The goal is: Startup -> DEP Greeting -> User authenticates -> Machine binds automatically to AD, using ($SERIALNUMBER-$USERNAME) -> User gets login screen and can log in with the AD account -> login creates mobile account based on $USERNAME.
To accomplish this I set up DEP like this:
Account Settings:
Local User Account Type = Skip account creation (so that no local user account will be created)
Directory:
(next to the obvious connection to our AD)
Client ID = $SERIALNUMBER-$USERNAME
User Experience = Create mobile account
The problem is that when I start a new computer, the only parts which work are the first two, the DEP Greeting and the user authentication. After that the user is asked to add a local user, the machine will be set up with that user, and there is no binding to the AD. And it shows up in JAMF as the default name: Usernames Machine....
First I assumed that the AD binding between JSS and AD maybe has a problem, but as the authentication works, this cannot be the problem, can it?
ANY idea on what I could be doing wrong?
Disclaimer: I am fairly new to this and maybe I am missing something obvious.
Posted on 09-10-2017 02:16 PM
Did anyone actually get the skip local account function to work?
I have had it enabled on a few DEP machines and basically regardless of what else is configured it always seems to prompt.
Posted on 09-12-2017 06:53 AM
@Look To me it looks like @stevevalle achieved this in his first post. So I guess it is possible. Anyhow, I cannot get it to work. It just ignores that setting…
Posted on 09-12-2017 07:19 AM
What version of the JSS are you using? We cannot get this option to work correctly either and are on 9.100.
Jamf is saying that they can not replicate it on 9.101.
Could you file a support issue on this? As we sure could use some help as it seems like no one else is having the same issue.
Posted on 09-12-2017 11:33 PM
@ClassicII We are using 9.99.0. Will try to update to latest version and will let you know if that changes anything.
Posted on 09-13-2017 03:06 PM
@ClassicII We are on 100 as well.
Not sure when we will move to 101 though, but possibly soon, as there are one or two other issues with 100 that are bugging me.
Posted on 09-14-2017 06:06 AM
We have the same issue on 9.100, although this is me setting it up for the first time.
Going to schedule update to 101 for early next week if possible.
Currently the device gets registered in AD, but still prompts for local credentials even though "skip account creation" is selected.
Posted on 09-18-2017 09:35 AM
Posted on 09-18-2017 10:00 AM
@ClassicII Thanks for the info. I have some news as well. We are still on 9.99.0, but I updated the client to the latest OS. Before it was 10.10.5, now it is 10.12.6... and it works as wanted. Binding to AD and no local account.
Like I wrote before, I am fairly new to this and I did not know that the OS of the client has to be the latest. Is there a KB entry somewhere that shows which JAMF feature works with which client OS version?
Now I am interested to know which client OS versions you used, @ClassicII. Before and after the upgrade to 101.
Edit: I just realised that one thing did not work: I told the machine to use the $SERIALNUMBER as machine name, which it did not use. Machine is just called "iMac".
Posted on 09-18-2017 03:33 PM
Is binding to AD a requirement for automatic account creation?
I have Create Local Admin configured, thought that should be enough.
Also what about require authentication during enrollment?
Posted on 09-20-2017 07:51 AM
Problem still exists for me with 101.
Trying a few different options before I contact support.
Posted on 09-22-2017 02:19 AM
@CCNapier Which MacOS Client Version are you using?
Posted on 09-25-2017 02:43 AM
@shifty Currently Sierra (recovery).
@ClassicII @Look
JAMF support are saying to me this morning it looks like a new Product Issue, but I have yet to hear full details. @ClassicII it's working for you though? Care to share your configuration?
Posted on 09-28-2017 07:50 AM
PI-004473
Posted on 10-22-2017 07:39 PM
We're setting up DEP for 10.13 at the moment
We've got the Directory set up for AD authentication, and set to skip user setup under Users
But when it prompts for details (pop-down box when you accept the remote management) all that does is prefill the fields in the account creation screen, which I assumed it would skip
We've got a localadmin account set up in the users payload also, but when I go ahead and create a user the localadmin account isn't under users (and it isn't set to hidden)
Is this a common issue people are having? We've deleted and readded the tokens/keys/mdm servers about 5 times over the last week trying to fix it
Posted on 10-31-2017 06:16 AM
I have the same issue on JSS 9.101.0-t1504998263.
No matter what I select in the Prestage Enrollment --> Account Settings area.. I always get prompted to create an account (which is always an admin account).
I want it to skip account creation.
Posted on 11-07-2017 08:02 AM
@npynenberg I opened a case on this issue. If I select Create an additional local administrator account
I am prompted every time. If I don't select this option on average 1/3 DEP enrollments will correctly skip account creation.
Posted on 11-07-2017 10:15 AM
@npynenberg Jamf confirmed I am hitting PI-004473, I would suggest opening a case and getting a ticket attached to the PI.
Posted on 11-10-2017 06:57 AM
Big ole' me too on this one.
Currently thinking I can detect the presence of those accounts, and delete them after my splashbuddy workflow has completed.
Posted on 02-08-2018 06:49 AM
Same issue as everyone here on the latest JSS 10.1.1 deploying 10.12.6 to a 2017 Macbook Pro.
Skip Account Creation does not work...it still prompts to create a local user account. Tried with only the user-initiated enrollment Administrator account...also tried checking the box and creating an additional Administrator account. Everything I've tried and it still does not skip the account creation. Odd thing I noticed is when I'm prompted to create the local user, I can use the same Administrator username and password used in my Prestage settings and it will proceed. So I'm thinking none of it is working...since that Administrator account should already exist and not let me create it again..?
Posted on 03-09-2018 12:32 AM
I am seeing the same - on prem 9.101. No local admin account created, and does not skip account creation dialog, no matter what I try.
Posted on 03-13-2018 10:38 AM
Jamf support just stated to me that skip account creation is broken and a known issue (PI-004473) on older versions, but should be resolved with Jamf Pro 10.2.2 (and also that their internal documentation shows it resolved but that this item is missing from the release notes and documentation for 10.2.2.)
I'm on JSS 9.101, can anyone confirm this issue is resolved for them on 10.2.2 before I dive in myself? XD
Posted on 03-20-2018 08:25 AM
We had our cloud instance upgraded to 10.2.2 this week. So far I'm seeing the same results while using a VM as I did prior to the upgrade. I have seen some people on the Slack channels say it's working better for them after the upgrade. Just wish it was more consistent; between getting DEP to work and figuring out how to make secure tokens work, I am going cross-eyed.
Posted on 03-20-2018 02:32 PM
I can confirm this issue is still happening in 10.2.2. I have resorted to having staff login with any account, then I built an app which shows on the desktop; this is pushed out through an enrolment policy.
This app will rename/bind, install apps and restart. It also creates a launch daemon so that when the user logs into an AD account it deletes the locally created user account.
It does some other things like making sure you are connected to the domain, a popup stating that all data will be wiped from this account, etc.
It's really the only way I see to make it work consistently. When a user opens the computer offsite it will allow them to work straight away without being able to bind to AD.
Posted on 03-21-2018 08:42 AM
@BOBW Sounds like your application install process for users is very similar to what Splashbuddy can do. Have you looked into that? I've been testing DEP with this product, very clean system. Also, with your process of deleting the local created user account, are you taking into consideration the SecureToken and passing that along to the account created through the AD login? That's my next step I'm trying to iron out in my workflow.
Last question: What account settings are you using in your Prestage Enrollment process?
Cheers
Posted on 03-21-2018 02:33 PM
@mgshepherd Yeah, I have had a quick look at Splashbuddy, haven't really had time to make it work yet....
My settings are to create an additional account; this gets created without issue and a Secure Token is applied to this account. Which means deleting the account created by the end user works fine.
The big problem is the bug where the Skip account creation is not applied... even though it is selected...
We don't use FileVault at all in my environment, so Secure Tokens are not something I really looked at until I have to delete the primary admin account. This only happens when a computer is started without a network connection.
Take a look at @rtrouton post on derflounder which shows how to enable SecureToken on AD accounts, this should help
something along the lines of
sysadminctl -secureTokenOn username_which_needs_secure_token_goes_here -password password_goes_here
or, to be prompted for password
sysadminctl -secureTokenOn username_which_needs_secure_token_goes_here -password -
https://derflounder.wordpress.com/2018/01/20/secure-token-and-filevault-on-apple-file-system/
You could, using something like cocoaDialog, prompt a user for their password, capture this to a variable and then turn it on. Might need to make sure this is correct by writing a dummy file to the desktop and then deleting it. Not sure how to check this without looking into it otherwise. Maybe make this part of a policy which enables FileVault, but you could only do this after login as it needs user input.
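The post-AD-login cleanup daemon described two posts up and the SecureToken hand-off question raised with it, as an added example (not a script from this thread or from Jamf): a hypothetical POSIX sh helper that decides which locally created accounts may be deleted after the AD user logs in, and refuses to remove an account that is the only SecureToken holder until the console user has one too. It assumes the output shapes of `dscl . -list /Users UniqueID` and `sysadminctl -secureTokenStatus`; all sample data is constructed.

```shell
#!/bin/sh
# Added example, not code from this thread. Hypothetical cleanup planner for a
# post-AD-login LaunchDaemon: lists local accounts that may be removed and skips
# any SecureToken holder while the console (AD) user has no token, so FileVault
# is never left without an enabled user. Sample data below is constructed.

# Constructed sample of `dscl . -list /Users UniqueID` (real output differs)
SAMPLE_DSCL='_mbsetupuser 248
root 0
nobody -2
jamfadmin 501
setupuser 502
tempuser 503
jdoe 1167521345'

# Constructed summary of `sysadminctl -secureTokenStatus <user>` results.
# On a real Mac build it with: sysadminctl -secureTokenStatus "$u" 2>&1 | grep -q ENABLED
SAMPLE_TOKENS='jamfadmin ENABLED
setupuser ENABLED
jdoe DISABLED'

# list_candidates DSCL_OUTPUT KEEP_ADMIN CONSOLE_USER
# Prints real accounts (UID >= 501, not a hidden _ account) other than the management admin and the console user.
list_candidates() {
    printf '%s\n' "$1" | awk -v keep="$2" -v console="$3" \
        '$2 >= 501 && $1 != keep && $1 != console && $1 !~ /^_/ { print $1 }'
}

# token_enabled TOKEN_TABLE USER -> exit 0 if USER holds a SecureToken
token_enabled() {
    printf '%s\n' "$1" | awk -v u="$2" \
        '$1 == u && $2 == "ENABLED" { found = 1 } END { exit !found }'
}

# plan_removals DSCL_OUTPUT TOKEN_TABLE KEEP_ADMIN CONSOLE_USER
# Prints "remove:<user>" or "skip:<user>" per candidate. A token holder is
# skipped while the console user has none: deleting it would strand FileVault.
plan_removals() {
    for u in $(list_candidates "$1" "$3" "$4"); do
        if token_enabled "$2" "$u" && ! token_enabled "$2" "$4"; then
            echo "skip:$u"    # hand the token to the console user first
        else
            echo "remove:$u"  # safe to run: sysadminctl -deleteUser "$u"
        fi
    done
}

plan_removals "$SAMPLE_DSCL" "$SAMPLE_TOKENS" jamfadmin jdoe
```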
Posted on 03-26-2018 02:56 PM
@BOBW would you be willing to share the code you've written for your app? I know it's a big ask but I'm curious to see examples of how to move forward with DEP
Posted on 03-26-2018 03:16 PM
JAMF support has told me that PI-004473 is resolved with release 10.1.0 +.
I've also seen a few folks comment that they had to create new pre-stages in order to realize the fix.
Posted on 03-26-2018 05:32 PM
Hi @unserializedMLB, it might be a little difficult sending all of it to you; there are quite a few different scripts / policies used to make it all happen.
Basically what I am doing is, having an automator app calling a single policy trigger.
do shell script "sudo /usr/local/bin/jamf policy -event depstaff" with administrator privileges
This single policy trigger runs a script.
This script runs through a heap of different policy triggers to install apps, run scripts etc., then calls another trigger to change the name. This uses cocoaDialog to prompt the end user for their site, appends the last 6 digits of the serial number, and then changes the computer name.
Then it calls another trigger to bind the device to AD.
Finally it runs a recon, reboots, and all done.
I know it's pretty vague, but it's not too hard to build if you can get each policy correct. Just test each one separately and then add the trigger to your script.
I took the suggestion for Splashbuddy and have now built a solution using this, it is probably a little more difficult to setup but the end result is quite good.
Posted on 03-27-2018 12:56 AM
Skip account creation works fine for me??
If you want to add a standard user account just enable the Standard account checkbox and that works..
Running 9101.4
Does what it says on the tin!
Posted on 03-28-2018 11:09 AM
Skip account creation used to work for me back in the 9.9.x days last year. At some point with an upgrade to Jamf Pro 10.x that function stopped working. Currently I am at JAMF Pro 10.2.1 and this is still broken.
How do we elevate this issue with JAMF engineering so that this bug gets fixed?
Posted on 03-28-2018 02:04 PM
Of those who have "Skip account creation" working, are you finding that this will only work if you say have an additional account created, Directory services configured, etc? Also are you guys either on premise or cloud hosted with JAMF that have this working correctly?
@lynnaj: Have you tried removing your current Prestage Enrollment config and creating a new one? I've heard that can make a difference but it hasn't for me.
Posted on 03-28-2018 02:48 PM
I have Make MDM mandatory, skip all setup except for : location services and file vault, skip account creation turned on, Directory Services Configured and creation of a second account.
I'm not 100% sure creating a second prestage is a great answer though.
What happens to all the machines which were enrolled in the previous prestage? Do you delete the previous prestage or leave it there?
We have automatically assign devices enabled, so I figure I would turn it off on the original one and turn it on with the new one. We have some delays in machines getting added, which means we need to check if a machine is enrolled prior to turning it on, which means we have to check both prestage scopes.
I have tried the edit / save without making any changes but doesn't make any difference.
Posted on 03-29-2018 03:15 AM
This week I went from 10.2.1 to 10.2.2 to 10.3 in the hope of resolving this issue. No luck as yet, have a support call open with Jamf, but they seem as puzzled as me.
@mgshepherd
I'm as curious as you to find that some have no issues at all, but I've never had consistent results.