Question

Automate account creation during Prestage Enrollment

  • October 10, 2016
  • 43 replies
  • 241 views


neilmartin83
  • Contributor
  • March 9, 2018

I am seeing the same - on prem 9.101. No local admin account created, and does not skip account creation dialog, no matter what I try.


  • New Contributor
  • March 13, 2018

Jamf support just stated to me that skip account creation is broken and a known issue (PI-004473) on older versions, but should be resolved with Jamf Pro 10.2.2 (and also that their internal documentation shows it resolved but that this item is missing from the release notes and documentation for 10.2.2.)

I'm on JSS 9.101, can anyone confirm this issue is resolved for them on 10.2.2 before I dive in myself? XD


mgshepherd
  • Contributor
  • March 20, 2018

We had our cloud instance upgraded to 10.2.2 this week. So far I'm seeing the same results while using a VM as I did prior to the upgrade. I have seen some people on the Slack channels say it's working better for them after the upgrade. Just wish it was more consistent; between getting DEP to work and figuring out how to make secure tokens work, it's making me go cross-eyed.


  • Valued Contributor
  • March 20, 2018

I can confirm this issue is still happening in 10.2.2. I have resorted to having staff log in with any account, then I built an app which shows on the desktop; this is pushed out through an enrolment policy. This app will rename/bind, install apps and restart. It also creates a launch daemon so when the user logs into an AD account it deletes the locally created user account.
It does some other things like making sure you are connected to the domain, a popup stating all data will be wiped from this account, etc.

It's really the only way I see to make it work consistently. When a user opens the computer offsite it will allow them to work straight away, not being able to bind to AD.


mgshepherd
  • Contributor
  • March 21, 2018

@BOBW Sounds like your application install process for users is very similar to what SplashBuddy can do. Have you looked into that? I've been testing DEP with this product, very clean system. Also, with your process of deleting the locally created user account, are you taking into consideration the SecureToken and passing that along to the account created through the AD login? That's the next step I'm trying to iron out in my workflow.

Last question: What account settings are you using in your Prestage Enrollment process?

Cheers


  • Valued Contributor
  • March 21, 2018

@mgshepherd Yeah, I have had a quick look at SplashBuddy, haven't really had time to make it work yet.... My settings are to create an additional account; this gets created without issue and a Secure Token is applied to this account. Which means deleting this account created by the end user works fine.
The big problem is the bug where the Skip account creation is not applied... even though it is selected...
We don't use FileVault at all in my environment, so Secure Tokens are not something I really looked at until I have to delete the primary admin account. This only happens when a computer is started without a network connection.
Take a look at @rtrouton's post on derflounder, which shows how to enable SecureToken on AD accounts; this should help.
Something along the lines of:

sysadminctl -secureTokenOn username_which_needs_secure_token_goes_here -password password_goes_here

or, to be prompted for the password:

sysadminctl -secureTokenOn username_which_needs_secure_token_goes_here -password -

https://derflounder.wordpress.com/2018/01/20/secure-token-and-filevault-on-apple-file-system/

You could, using something like cocoaDialog, prompt a user for their password, capture this to a variable and then turn it on. Might need to make sure this is correct by writing a dummy file to the desktop and then deleting it. Not sure how to check this without looking into it otherwise. Maybe make this part of a policy which enables FileVault, but you could only do this after login as it needs user input.
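
The verification step the post above leaves open, as an added example that is not part of the original thread: `sysadminctl -secureTokenStatus` reports a user's token state, so a grant can be confirmed by re-reading it. The `-adminUser`/`-adminPassword` options, the function names and the sample status line are assumptions added here and were not posted in the thread.

```shell
#!/bin/bash
# Added example: grant SecureToken to a user, then confirm it by re-reading
# the state instead of trusting the exit code or writing a dummy file.

# Map `sysadminctl -secureTokenStatus <user>` output to a state. Sample line
# (constructed for illustration; the tool writes it to stderr):
#   2018-03-21 10:15:02.123 sysadminctl[512:4096] Secure token is ENABLED for user jdoe
parse_token_status() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo "ENABLED" ;;
        *"Secure token is DISABLED"*) echo "DISABLED" ;;
        *)                            echo "UNKNOWN" ;;
    esac
}

# Query the live state for user $1 (macOS only).
token_status() {
    parse_token_status "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# Grant a token to user $2 on the authority of admin $1.
# Only an account that already holds a token can grant one, so check first.
# Passing "-" makes sysadminctl prompt for each password, which keeps both
# out of the process list and out of shell history.
enable_token() {
    if [ "$(token_status "$1")" != "ENABLED" ]; then
        echo "admin '$1' holds no SecureToken and cannot grant one" >&2
        return 2
    fi
    sysadminctl -adminUser "$1" -adminPassword - \
                -secureTokenOn "$2" -password - || return 1
    [ "$(token_status "$2")" = "ENABLED" ]
}

# Runs only on macOS when called as: secure_token.sh <admin> <target>
if [ "$(uname)" = "Darwin" ] && [ "$#" -eq 2 ]; then
    if enable_token "$1" "$2"; then
        echo "SecureToken enabled for $2"
    else
        echo "SecureToken NOT enabled for $2" >&2
        exit 1
    fi
fi
```

Because both passwords are prompted for, this form needs an interactive session, which matches the post's point that the step can only happen after login.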


  • New Contributor
  • March 26, 2018

@BOBW would you be willing to share the code you've written for your app? I know it's a big ask but I'm curious to see examples of how to move forward with DEP


dpertschi
  • Contributor
  • March 26, 2018

JAMF support has told me that PI-004473 is resolved with release 10.1.0 +.

I've also seen a few folks comment that they had to create new pre-stages in order to realize the fix.


  • Valued Contributor
  • March 27, 2018

Hi @unserializedMLB, it might be a little difficult to send all of it to you; there are quite a few different scripts / policies used to make it all happen.
Basically what I am doing is having an Automator app call a single policy trigger.

do shell script "sudo /usr/local/bin/jamf policy -event depstaff" with administrator privileges

This single policy trigger runs a script.
This script runs through a heap of different policy triggers to install apps, run scripts etc., then calls another trigger to change the name; this uses cocoaDialog to prompt the end user for their site and then appends the last 6 digits of the serial number, then changes the computer name.
Then it calls another trigger to bind the device to AD.
Finally it runs a recon, reboots, and all done.

I know it's pretty vague, but it's not too hard to build if you can get each policy correct. Just test each one separately and then add the trigger to your script.

I took the suggestion for SplashBuddy and have now built a solution using this; it is probably a little more difficult to set up but the end result is quite good.


  • Valued Contributor
  • March 27, 2018

@bmccune

Skip account creation works fine for me??

If you want to add a standard user account just enable the Standard account checkbox and that works..

Running 9101.4

Does what it says on the tin!


  • Contributor
  • March 28, 2018

Skip account creation used to work for me back in the 9.9.x days last year. At some point with an upgrade to Jamf Pro 10.x that function stopped working. Currently I am at JAMF Pro 10.2.1 and this is still broken.

How do we elevate this issue with JAMF engineering so that this bug gets fixed?


mgshepherd
  • Contributor
  • March 28, 2018

Of those who have "Skip account creation" working, are you finding that this will only work if you, say, have an additional account created, Directory services configured, etc.? Also, are you guys either on premise or cloud hosted with JAMF that have this working correctly?

@lynnaj: Have you tried removing your current Prestage Enrollment config and creating a new one? I've heard that can make a difference but it hasn't for me.


  • Valued Contributor
  • March 28, 2018

I have Make MDM mandatory, skip all setup except for location services and FileVault, skip account creation turned on, Directory Services configured and creation of a second account.

I'm not 100% sure creating a second prestage is a great answer though.

What happens to all the machines which were enrolled in the previous prestage? Do you delete the previous prestage or leave it there?
We have automatically assign devices enabled, so I figure I would turn it off on the original one and turn it on with the new one. We have some delays in machines getting added, which means we need to check if a machine is enrolled prior to turning on, which means we have to check both prestage scopes.

I have tried the edit / save without making any changes but doesn't make any difference.


  • New Contributor
  • March 29, 2018

This week I went from 10.2.1 to 10.2.2 to 10.3 in the hope of resolving this issue. No luck as yet, have a support call open with Jamf, but they seem as puzzled as me.

@mgshepherd
I'm as curious as you to find that some have no issues at all, but I've never had consistent results.


  • New Contributor
  • March 29, 2018

I am on 10.2.1 and seeing the issue as well. I have Location services set to show and the Account creation set to skip. Most of the computers we enroll will still show the account creation and not show the location services. Every once in a while one will show the location services and skip the account creation. This happened today with two identical new-in-box MacBook Pros. One worked as it should and one did not.

I have tried all the different combos of creating an additional admin account and hiding/showing the Management account.

I did create the prestage enroll a few versions back so I deleted it and made a new one. The account creation still DID NOT skip.

Update: after talking with Jamf Support they sent up the following:

After doing some digging into that PI-004473 it seems it is still open and not confirmed closed, although users reported that Mac OS 10.11.6 running Jamf Pro 10.1 did not have the issue. Another option we could try would be to log into MySQL on the jamfsoftware database and run the following queries:

select count(*), command from mobile_device_management_commands where apns_result_status='' group by command;

delete from mobile_device_management_commands where command IN ("DeviceInfoAccountHash","DeviceInfoITunesActive","ProfileList") and apns_result_status="";

That seemed to fix the issue. At least for now. I have done 8 Prestage enrolls and they all skipped the user account creation.

UPDATE #2: It is still working as of 10/16/2018. We have had no trouble with the Pre-stage skipping the user account creation since.


  • New Contributor
  • April 23, 2018

Hi @jnm1 could you please confirm this is still working for you? I've spoken with Jamf Support earlier and they didn't state that as a workaround, but stated they would get back to me once they can confirm.


  • New Contributor
  • May 18, 2018

@jnm1 I can confirm that this worked in my environment after Jamf support suggested the same to me. Now getting other niggles but things are moving forward.


  • New Contributor
  • November 20, 2018

I am on Jamf Pro 10.8 and it's now 2 years after this post was created and I'm also experiencing the exact same issue. I.e. It's creating a local account even though I have checked "Skip Account Creation" and it's not creating a mobile account even though I have "Create mobile account at login" checked. I have tried with 10.13.6 and 10.14.1.

Have there been any advancements with this issue? Considering DEP will be the only way to go soon I think this is a pretty big problem.