Big Sur mobile account no securetoken after prestage.

SteveC
New Contributor III

My current workflow (working for older OS but fails for Big Sur):

Prestage enrollment
Bind to domain in prestage enrollment with configuration profile
Create the jamf management account
Skip local account creation

When configured this way, the Big Sur M1 computers do not get a SecureToken on the mobile accounts and do not escrow the Bootstrap Token to the server. Most often the SecureToken is picked up either by the AV management account deployed by Sophos or by another IT admin account. In either case, the Bootstrap Token is not escrowed to the server.

This can be worked around by creating a local account during PreStage, which will then receive the SecureToken and escrow the Bootstrap Token, but that is not my preferred workflow, and it introduces more potential for technician errors during setup if account credentials are entered incorrectly.
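An added post-enrollment check, not part of the original post, that a technician can run on a freshly enrolled Mac to confirm whether each local account holds a SecureToken and whether the Bootstrap Token has been escrowed. The output formats of sysadminctl and profiles are assumed from their Big Sur behaviour, and the sample output below is constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example: verify SecureToken holders and Bootstrap Token escrow after
# PreStage enrollment. Run with sudo on the Mac being checked.

# secure_token_state TEXT -> prints ENABLED, DISABLED or UNKNOWN.
# Assumed format: "... Secure token is ENABLED for user <name>"
secure_token_state() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# bootstrap_escrowed TEXT -> prints YES, NO or UNKNOWN.
# Assumed format: "profiles: Bootstrap Token escrowed to server: YES"
bootstrap_escrowed() {
  case "$1" in
    *"escrowed to server: YES"*) echo YES ;;
    *"escrowed to server: NO"*)  echo NO ;;
    *)                           echo UNKNOWN ;;
  esac
}

# check_user USER -> returns 0 only when USER has a SecureToken and the
# Bootstrap Token is escrowed; sysadminctl reports on stderr, so merge streams.
check_user() {
  st=$(secure_token_state "$(sysadminctl -secureTokenStatus "$1" 2>&1)")
  bt=$(bootstrap_escrowed "$(profiles status -type bootstraptoken 2>&1)")
  echo "$1: SecureToken=$st BootstrapTokenEscrowed=$bt"
  [ "$st" = ENABLED ] && [ "$bt" = YES ]
}

# Constructed sample output for exercising the parsers off a Mac.
SAMPLE_ST='sysadminctl[812:4321] Secure token is DISABLED for user mobileuser'
SAMPLE_BT='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: NO'

if [ "$(uname)" = Darwin ]; then
  # Assumption: real accounts have UID >= 500; system accounts are skipped.
  for u in $(dscl . -list /Users UniqueID | awk '$2 >= 500 {print $1}'); do
    check_user "$u" || true
  done
else
  echo "sample: SecureToken=$(secure_token_state "$SAMPLE_ST")" \
       "BootstrapTokenEscrowed=$(bootstrap_escrowed "$SAMPLE_BT")"
fi
```

A mobile account reporting DISABLED alongside an escrow value of NO is exactly the state described in this thread; an admin or AV service account reporting ENABLED shows which account picked up the token instead.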


sumitjha
New Contributor II

+1, same situation here as well. In fact the mobile account doesn't get created, which is already set in the domain binding settings. I tested on 11.1 & 11.2 as well.

Apple commented: "We received several reports previously that account creation may fail when logging in for the first time with a mobile account in macOS Big Sur 11.0.1. I am not sure what the exact macOS Big Sur version you are testing on currently is, as you didn't mention it. So I can't determine if you are having the exact same issue as investigated. However, I would like to inform you that the reported issue should be fixed in macOS Big Sur 11.3 Beta 2 and a testable version is available in the AppleSeed for IT portal now. I would like to encourage you to download the testable beta version and perform the testing again. Once you have tested, we would appreciate your feedback on the result."

SteveC
New Contributor III

At least Apple are working on it; frustratingly, I'll probably need to deploy an alternative PreStage just to handle Big Sur until this is fixed before I can revert to my normal methods. Pretty sad for mobile accounts to be broken in the new OS for 3+ months.

atomczynski
Contributor III

@SteveC

How would your temporary PreStage be configured for Big Sur?

SteveC
New Contributor III

@atomczynski Nothing really temporary about it, other than only being used to provide a workaround during the period in which this issue occurs. The PreStage will need to sit in my JAMF server until all those devices are retired.