Automate account creation during Prestage Enrollment

vtran
New Contributor

Hi all,

For JSS 9.93, is there a way to automate the account creation during the Prestage Enrollment? Please look at the screenshot below

[screenshot]

Here is what we're trying to accomplish:

During DEP, the user is asked to enter their AD credential. With JSS 9.93, there is an option to skip local account creation. What we want to do is to create a local account based on the assigned user (whoever authenticates during DEP) and not use a standard local admin account. Is this possible? Thanks

43 REPLIES

stevevalle
Contributor III

We bind our Macs to AD at time of enrolment through the DEP process (add directory binding details to the Directory tab in your screenshot). This way, when the Mac is enrolled into Casper, it is also bound to AD and the user is able to login with their AD account. A local account is created based on the user's username.

The only issue with this is that the user needs to be on the local network to bind to AD, but we are working on resolving this!

vtran
New Contributor

@stevevalle Thanks for the fast response. The reason why I want to create a local account is because of the remote users who will not have a local network to bind to AD. Please share the solution to this issue when you find out :)

caitlin_mabe
New Contributor

@stevevalle Have you been successful in binding to AD with the PreStage Enrollment for DEP? My team has everything set in the directory payload, but it is just not completing.

stevevalle
Contributor III

@mabec Yes, every staff Mac deployed is bound to AD during the DEP enrolment process. By the time the Mac gets to the login screen, it is bound to AD.

The only issue with this is they need to enrol the Mac while on our network. They are unable to do this from home.

HangerS
New Contributor II

We are using something like this to create a mobile AD user account later on through VPN during the DEP enrollment process.

#!/bin/bash
# Set cocoaDialog location
CD="/Users/Shared/CocoaDialog.app/Contents/MacOS/CocoaDialog"

# CocoaDialog prints the button number on the first line and the entered
# text on the second line. Split only on newlines so that a username or
# password containing spaces is kept intact: rv[0] is the button, rv[1] the input.
IFS=$'\n'

# Dialog to enter the user name and create the $USERNAME variable
rv=($("$CD" standard-inputbox --title "Username" --no-newline --informative-text "Enter your Company Username"))
USERNAME="${rv[1]}"

if [ "${rv[0]}" == "1" ]; then
    echo "User said OK"
elif [ "${rv[0]}" == "2" ]; then
    echo "Cancelling"
    exit 0
fi

# Dialog to enter the password and create the $PASSWORD variable
rv=($("$CD" secure-standard-inputbox --title "Password" --no-newline --informative-text "Enter your Company Password"))
PASSWORD="${rv[1]}"

if [ "${rv[0]}" == "1" ]; then
    echo "User said OK"
elif [ "${rv[0]}" == "2" ]; then
    echo "Cancelling"
    exit 0
fi

# Create the mobile account, retrying once per second until the VPN is up
# and the domain controller answers. Note that the password is passed on the
# command line and is therefore visible in the process list while the
# command runs.
while true; do
    /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n "$USERNAME" -p "$PASSWORD" > /dev/null 2>&1
    if [ $? -eq 0 ]; then
        break
    fi
    sleep 1
done

shifty
New Contributor II

@stevevalle I try (!) to accomplish the same thing which you already have running. Unfortunately I can not get it running so maybe you (or someone else) could gimme a hint on what to do or where I zigged when I should have zagged....

The goal is: Startup -> DEP Greeting -> User authenticates -> Machine binds automatically to AD, using ($SERIALNUMBER-$USERNAME) -> User gets login screen and can log in with the AD account -> login creates mobile account based on $USERNAME.

To accomplish this I set up DEP like this:

Account Settings:
Local User Account Type = Skip account creation (so that no local user account will be created)

Directory:
(next to the obvious connection to our AD)
Client ID = $SERIALNUMBER-$USERNAME
User Experience = Create mobile account

The problem is, that when I start a new computer the only parts which work are the first two parts, the DEP Greeting and the user authentication. After that the user is asked to add a local user and the machine will be set up with that user and no binding to the AD. And it shows up in JAMF as the default name: Usernames Machine....

First I assumed that the AD Binding between JSS and AD maybe has a problem, but as the authentication works, this can not be the problem, can it?

ANY idea on what I could be doing wrong?

Disclaimer: I am fairly new to this and maybe I am missing something obvious.

Look
Valued Contributor III

Did anyone actually get the skip local account function to work?
I have had it enabled on a few DEP machines and basically regardless of what else is configured it always seems to prompt.

shifty
New Contributor II

@Look To me it looks like @stevevalle achieved this in his first post. So I guess it is possible. Anyhow, I can not get it to work. It just ignores that setting…

ClassicII
Contributor III

@shifty @Look

What version of the JSS are you using? We can not get this option to work correctly either and are on 9.100.

Jamf is saying that they can not replicate it on 9.101.

Could you file a support issue on this? As we sure could use some help as it seems like no one else is having the same issue.

shifty
New Contributor II

@ClassicII We are using 9.99.0. Will try to update to latest version and will let you know if that changes anything.

Look
Valued Contributor III

@ClassicII We are on 100 as well.
Not sure when we will move to 101 though, but possibly soon as there are one or two other issues with 100 that are bugging me.

CCNapier
Contributor

We have the same issue on 9.100, although this is me setting it up for the first time.
Going to schedule update to 101 for early next week if possible.

Currently the device gets registered in AD, but still prompts for local credentials even though "skip account creation" is selected.

ClassicII
Contributor III

@shifty @CCNapier @Look

We have upgraded our dev environment to 101 and issue looks to be fixed.

shifty
New Contributor II

@ClassicII Thanks for the info. I have some news as well. We are still on 9.99.0. but I updated the Client to the latest OS. Before it was 10.10.5, now it is 10.12.6... and it works like wanted. Binding to AD and no local account.
Like I wrote before, I am fairly new to this and I did not know that the OS of the client has to be the latest. Is there a KB entry somewhere that shows which JAMF feature works with which client OS version?

Now I am interested to know which client OS versions you used, @ClassicII. Before and after the upgrade to 101.

Edit: I just realised that one thing did not work: I told the machine to use the $SERIALNUMBER as machine name, which it did not use. Machine is just called "iMac".

Look
Valued Contributor III

Is binding to AD a requirement for automatic account creation?
I have Create Local Admin configured, thought that should be enough.
Also what about require authentication during enrollment?

CCNapier
Contributor

Problem still exists for me with 101.
Trying a few different options before I contact support.

shifty
New Contributor II

@CCNapier Which MacOS Client Version are you using?

CCNapier
Contributor

@shifty Currently Sierra (recovery).
@ClassicII @Look

JAMF support are saying to me this morning it looks like a new Product Issue, but I have yet to hear full details. @ClassicII it's working for you though? Care to share your configuration?

CCNapier
Contributor

PI-004473

bse_college
New Contributor III

We're setting up DEP for 10.13 at the moment

We've got the Directory set up for AD authentication, and set to skip user setup under Users

But when it prompts for details (pop-down box when you accept the remote management) all that does is prefill the fields in the account creation screen, which I assumed it would skip

We've got a localadmin account set up in the users payload also, but when I go ahead and create a user the localadmin account isn't under users (and it isn't set to hidden)

Is this a common issue people are having? We've deleted and readded the tokens/keys/mdm servers about 5 times over the last week trying to fix it

npynenberg
Contributor

I have the same issue on JSS 9.101.0-t1504998263.

No matter what I select in the Prestage Enrollment --> Account Settings area.. I always get prompted to create an account (which is always an admin account).

I want it to skip account creation.

Kaltsas
Contributor III

@npynenberg I opened a case on this issue. If I select Create an additional local administrator account I am prompted every time. If I don't select this option on average 1/3 DEP enrollments will correctly skip account creation.

Kaltsas
Contributor III

@npynenberg Jamf confirmed I am hitting PI-004473, I would suggest opening a case and getting a ticket attached to the PI.

snovak
Contributor

Big ole' me too on this one.

Currently thinking I can detect the presence of those accounts, and delete them after my splashbuddy workflow has completed.

bmccune
Release Candidate Programs Tester

Same issue as everyone here on the latest JSS 10.1.1 deploying 10.12.6 to a 2017 Macbook Pro.

Skip Account Creation does not work...it still prompts to create a local user account. Tried with only the user initiated enrollment Administrator account...also tried checking the box and creating an additional Administrator account. Everything I've tried and it still does not skip the account creation. Odd thing I noticed is when I'm prompted to create the local user, I can use the same Administrator username and password used in my Prestage settings and it will proceed. So I'm thinking none of it is working...since that Administrator account should already exist and not let me create it again..?

neilmartin83
Contributor II

I am seeing the same - on prem 9.101. No local admin account created, and does not skip account creation dialog, no matter what I try.

gunnar90
New Contributor II

Jamf support just stated to me that skip account creation is broken and a known issue (PI-004473) on older versions, but should be resolved with Jamf Pro 10.2.2 (and also that their internal documentation shows it resolved but that this item is missing from the release notes and documentation for 10.2.2.)

I'm on JSS 9.101, can anyone confirm this issue is resolved for them on 10.2.2 before I dive in myself? XD

mgshepherd
Contributor

We had our cloud instance upgraded to 10.2.2 this week. So far I'm seeing the same results while using a VM as I did prior to the upgrade. I have seen some people on the slack channels say it's working better for them after the upgrade. Just wish it was more consistent; between getting DEP to work and figuring out how to make secure tokens work, it is making me go cross-eyed.

BOBW
Contributor II

I can confirm this issue is still happening in 10.2.2. I have resorted to having staff login with any account, then I built an app which shows on the desktop; this is pushed out through enrolment policy. This app will rename/bind, install apps and restart. It also creates a launch daemon so when the user logs into an AD account it deletes the local created user account.
It does some other things like make sure you are connected to domain, popup stating all data will be wiped from this account etc.

It's really the only way I see to make it work consistently. When a user opens the computer offsite it will allow them to work straight away, not being able to bind to AD.

mgshepherd
Contributor

@BOBW Sounds like your application install process for users is very similar to what Splashbuddy can do. Have you looked into that? I've been testing DEP with this product, very clean system. Also, with your process of deleting the local created user account, are you taking into consideration the SecureToken and passing that along to the account created through the AD login? That's my next step I'm trying to iron out in my workflow.

Last question: What account settings are you using in your Prestage Enrollment process?

Cheers

BOBW
Contributor II

@mgshepherd Yeah I have had a quick look at splashbuddy, haven't really had time to make it work yet.... My settings are to create additional account, this gets created without issue and secure Token applied to this account. Which means deleting the account created by the end user works fine.
The big problem is the bug where the Skip account creation is not applied... even though it is selected...
We don't use filevault at all in my environment so Secure Tokens are not something I really looked at until I have to delete the primary admin account. This only happens when a computer is started without network connection.
Take a look at @rtrouton post on derflounder which shows how to enable SecureToken on AD accounts, this should help
something along the lines of sysadminctl -secureTokenOn username_which_needs_secure_token_goes_here -password password_goes_here
or, to be prompted for password
sysadminctl -secureTokenOn username_which_needs_secure_token_goes_here -password -

https://derflounder.wordpress.com/2018/01/20/secure-token-and-filevault-on-apple-file-system/

You could, using something like cocoadialog prompt a user for their password and then capture this to a variable and then turn it on. Might need to make sure this is correct by writing a dummy file to desktop and then deleting it. Not sure how to check this without looking into it otherwise. Maybe make this as part of a policy which enables filevault, but you could only do this after login as it needs user input.
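The clean-up step BOBW describes in his two posts above (a daemon that removes the DEP-created local account once a user has logged in with an AD mobile account, with the SecureToken question mgshepherd raised taken into account) can be written as a small root-run script. The following is an added example, not BOBW's app, Jamf's code or a script from this thread. It assumes it is run as root at login (for example from a Jamf login-triggered policy, which passes the logging-in username as $3) and that the name of the bootstrap local account to remove arrives as script parameter $4; the protected-account list is also an assumption. It deliberately refuses to delete the bootstrap account while the AD account has no SecureToken, because the bootstrap account may be the only token holder on the Mac; the hand-off itself (`sysadminctl -secureTokenOn`) needs the user's password and is the interactive step BOBW mentions.

```shell
#!/bin/bash
# Added example (not from the thread). Run as root at login, e.g. from a Jamf
# login-triggered policy: Jamf passes the logging-in user as $3, and the name
# of the DEP-created local account to remove is assumed to be parameter $4.

# Accounts this script must never remove (assumed list; adjust to your site).
PROTECTED_USERS="root _mbsetupuser admin"

# Return 0 when a dscl OriginalNodeName value points at a directory node
# (i.e. an AD mobile account), 1 for an empty value or a local node.
node_is_directory() {
    case "$1" in
        "" | /Local/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Parse the output of 'sysadminctl -secureTokenStatus <user>'.
# Returns 0 if the token is ENABLED, 1 otherwise.
token_status_enabled() {
    case "$1" in
        *"Secure token is ENABLED"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Decide whether a candidate account may be deleted: it must be non-empty,
# must not be the console user and must not be on the protected list.
account_is_deletable() {
    candidate="$1"
    console_user="$2"
    [ -n "$candidate" ] || return 1
    [ "$candidate" != "$console_user" ] || return 1
    for p in $PROTECTED_USERS; do
        [ "$candidate" != "$p" ] || return 1
    done
    return 0
}

# macOS-only helpers: need dscl and sysadminctl, and root for deletion.
original_node_of() {
    dscl . -read "/Users/$1" OriginalNodeName 2>/dev/null | awk -F': ' '{print $2}'
}

has_secure_token() {
    # sysadminctl reports the status on stderr, hence 2>&1.
    token_status_enabled "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

main() {
    console_user="${3:-$(stat -f %Su /dev/console)}"
    bootstrap_user="${4:-}"

    # Only act once an AD mobile account is actually the console user.
    if ! node_is_directory "$(original_node_of "$console_user")"; then
        echo "$console_user is not an AD mobile account; nothing to do"
        exit 0
    fi
    if ! account_is_deletable "$bootstrap_user" "$console_user"; then
        echo "refusing to delete '$bootstrap_user'" >&2
        exit 1
    fi
    # Do not remove what may be the only SecureToken holder on this Mac.
    if ! has_secure_token "$console_user"; then
        echo "$console_user has no SecureToken yet; keeping $bootstrap_user" >&2
        exit 1
    fi
    sysadminctl -deleteUser "$bootstrap_user"
}

# Only run the destructive part on macOS as root; the helpers above are
# pure functions and can be exercised anywhere.
if [ "$(uname)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then
    main "$@"
fi
```

The three pure helpers are what make the script safe to reason about: the deletion only happens when the console user is a directory account, the target is not the console user or a protected name, and the AD account already holds a SecureToken.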

gunnar90
New Contributor II

@BOBW would you be willing to share the code you've written for your app? I know it's a big ask but I'm curious to see examples of how to move forward with DEP

dpertschi
Valued Contributor

JAMF support has told me that PI-004473 is resolved with release 10.1.0 +.

I've also seen a few folks comment that they had to create new pre-stages in order to realize the fix.

BOBW
Contributor II

Hi @unserializedMLB , might be a little difficult in sending all of it to you, there are quite a few different scripts / policies used to make it all happen.
Basically what I am doing is, having an automator app calling a single policy trigger.

do shell script "sudo /usr/local/bin/jamf policy -event depstaff" with administrator privileges

This single policy trigger runs a script.
This script runs through a heap of different policy triggers to install apps, runs scripts etc, then calls another trigger to change the name; this uses cocoadialog to prompt the end user for their site and then appends the last 6 digits of the serial number, then changes the computer name.
Then call another trigger to bind the device to AD
Finally runs a recon reboots, and all done.

I know it's pretty vague, but it's not too hard to build if you can get each policy correct. Just test each one separately and then add the trigger to your script.

I took the suggestion for Splashbuddy and have now built a solution using this, it is probably a little more difficult to setup but the end result is quite good.
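The rename step in BOBW's workflow (site code from a prompt, plus the last six characters of the serial number, then the computer name is changed and a recon runs) as an added, stand-alone example. This is not BOBW's script or Jamf's code; it assumes the site code arrives as Jamf script parameter $4 (whatever dialog collects it is interchangeable), reads the serial from IOKit, and applies the name with `scutil` before calling `/usr/local/bin/jamf recon` as in the post. The sanitising step is mine: LocalHostName only accepts letters, digits and hyphens, so a site like "Site 01" becomes "SITE01".

```shell
#!/bin/bash
# Added example, not from the thread: build <SITE>-<last 6 of serial>,
# sanitise it so it is valid as a LocalHostName, and apply it.

# Keep only characters valid in a DNS/Bonjour label and upper-case the result.
sanitize_label() {
    printf '%s' "$1" | tr -cd 'A-Za-z0-9-' | tr 'a-z' 'A-Z'
}

# Combine the site code with the last six characters of the serial number.
# Returns 1 (and prints nothing) if either part is empty after sanitising.
make_computer_name() {
    site="$(sanitize_label "$1")"
    suffix="$(sanitize_label "$(printf '%s' "$2" | tail -c 6)")"
    if [ -z "$site" ] || [ -z "$suffix" ]; then
        return 1
    fi
    printf '%s-%s' "$site" "$suffix"
}

# macOS-only: read the hardware serial number from IOKit.
platform_serial() {
    ioreg -c IOPlatformExpertDevice -d 2 | awk -F'"' '/IOPlatformSerialNumber/ {print $(NF-1)}'
}

# macOS-only: set all three name fields and report the change to Jamf.
apply_computer_name() {
    name="$1"
    scutil --set ComputerName "$name"
    scutil --set LocalHostName "$name"
    scutil --set HostName "$name"
    /usr/local/bin/jamf recon
}

main() {
    site="${4:?site code required as script parameter 4}"   # assumed parameter
    if ! name="$(make_computer_name "$site" "$(platform_serial)")"; then
        echo "could not build a computer name from site '$site'" >&2
        exit 1
    fi
    apply_computer_name "$name"
}

# Only touch the system on macOS as root; the naming helpers run anywhere.
if [ "$(uname)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then
    main "$@"
fi
```

Setting the name explicitly from a script also sidesteps the problem shifty reported earlier in the thread, where the $SERIALNUMBER placeholder in the PreStage was not applied and the Mac stayed "iMac".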

kerouak
Valued Contributor

@bmccune

Skip account creation works fine for me??

If you want to add a standard user account just enable the Standard account checkbox and that works..

Running 9101.4

Does what it says on the tin!

lynnaj
New Contributor III

Skip account creation used to work for me back in the 9.9.x days last year. At some point with an upgrade to Jamf Pro 10.x that function stopped working. Currently I am at JAMF Pro 10.2.1 and this is still broken.

How do we elevate this issue with JAMF engineering so that this bug gets fixed?

mgshepherd
Contributor

Of those who have "Skip account creation" working, are you finding that this will only work if you say have an additional account created, Directory services configured, etc? Also are you guys either on premise or cloud hosted with JAMF that have this working correctly?

@lynnaj: Have you tried removing your current Prestage Enrollment config and creating a new one? I've heard that can make a difference but it hasn't for me.

BOBW
Contributor II

I have Make MDM mandatory, skip all setup except for : location services and file vault, skip account creation turned on, Directory Services Configured and creation of a second account.

I'm not 100% sure creating a second prestage is a great answer though.

What happens to all the machines which were enrolled in the previous prestage? Do you delete the previous prestage or leave it there?
We have automatically assign devices enabled, so I figure I would turn it off on the original one and turn it on with the new one. We have some delays in machines getting added which means we need to check if a machine is enrolled prior to turning on, which means we have to check both prestage scopes.

I have tried the edit / save without making any changes but doesn't make any difference.

SWicks
New Contributor

This week I went from 10.2.1 to 10.2.2 to 10.3 in the hope of resolving this issue. No luck as yet, have a support call open with Jamf, but they seem as puzzled as me.

@mgsheppard
I'm as curious as you to find that some have no issues at all, but I've never had consistent results.