DEP Enrolment, NoMAD Login + and MDM Capable Users

Visier
New Contributor

Hello,

We are currently experiencing issues with our PreStage Enrolment where a user is not added to MDM Capable Users, hence VPP apps fail to install. Following is our setup:

Prestage Enrolment:

General (settings were shown in a screenshot that is not reproduced here)

Account Settings
- A management account is created along with a local admin account
- Under Local User Account Type, "Skip Account Creation" is selected as we want to use Nomad Login+ just in time user creation

During DEP enrolment, Nomad Login+ package is pushed and installed on the computer and then using "files and processes", following command is run to kill the loginwindow so Nomad Login+ can take over

killall -HUP loginwindow

This helps us with creating local user accounts using Okta authentication but the user created is not added to MDM Capable Users.

https://www.jamf.com/jamf-nation/articles/372/enabling-mdm-for-local-user-accounts suggests that the first local user created during DEP enrolment is made MDM capable. Shouldn't the local admin account created by account settings be considered MDM capable? Or the first account created by Nomad Login+?

What does your setup look like? What can be done to mitigate this?


marck
New Contributor III

I believe that the first local user that's created is actually your Jamf Admin user. Check its UID. It will likely be 501, which is usually the first user account. So that becomes the MDM capable user. That's what I've seen so far.

Visier
New Contributor

Yes, the first user is the local admin created by JAMF (not the management account but the additional local administrator account) and the UID is 501. However, it is still not being listed as MDM capable user.

marck
New Contributor III

In my testing I set the PreStage to not create any accounts, not even the management account. In that setup the machine prompts for account creation and that account was MDM capable. I've not had a chance to test other configurations. I believe even the management account gets counted and it's the first local account that's actually created.

glaske
New Contributor III

We ran into this same issue. Our setup is exactly the same as yours. Make sure in your PreStage that "Allow MDM Profile Removal" is checked, or else it will never show. We tried absolutely everything, and this was the only thing to finally solve it.

Let me know if it works once you give that a go.

JeffA
New Contributor II

I have the same problem. I changed the PreStage to "Allow MDM Removal" and still no go... MDM Capability, Enrolled via DEP, and User Approved MDM are all "Yes" on the device record but still no MDM Capable User. When attempting "sudo jamf mdm -userLevelMdm" I get this in the terminal output:
Error installing the user level mdm profile: profiles install for file:'/Library/Application Support/JAMF/D60E42C-E9D9-4CC-AD9B-62EB4D0.mobileconfig' and user:'root' returned 102 (New profile does not meet criteria to replace existing profile.)

Anyone still dealing with this or able to find a solution?
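The two things this thread keeps coming back to are (a) which local account actually took the "first user" slot that Jamf's article says becomes MDM capable, and (b) whether the "Enrolled via DEP" / "User Approved MDM" flags are still intact, since the `jamf mdm -userLevelMdm` workaround is reported to clear them. The script below is an added example, not code from this thread, from Jamf or from NoMAD; it answers both questions from a device's own command output. It assumes macOS 10.13.4 or later (so `profiles status -type enrollment` exists) and uses `dscl . -list /Users UniqueID` for the account table; the account names `jamfmgmt`, `localadmin` and `jsmith` and the sample outputs are constructed for the offline run, and the function names are ours. It cannot read the "MDM Capable Users" field in the Jamf Pro computer record; it only tells you which account holds the first-user slot locally and whether the DEP enrollment flags survived.

```shell
#!/bin/bash
# Added example (not from the thread, Jamf or NoMAD): offline-testable check of
# the "first local user becomes MDM capable" rule and of the DEP / UAMDM flags.
# Assumptions: macOS 10.13.4+ (`profiles status -type enrollment` exists),
# `dscl . -list /Users UniqueID` for the user/UID table; the PreStage account
# names passed to diagnose() are placeholders for whatever you configured.

# Constructed sample of `profiles status -type enrollment` on a device whose
# PreStage (DEP) enrollment is intact and user approved.
SAMPLE_ENROLL_OK='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'

# Constructed sample for a device where the DEP and User Approved flags are
# gone (the state the thread describes after `jamf mdm -userLevelMdm`).
SAMPLE_ENROLL_BAD='Enrolled via DEP: No
MDM enrollment: Yes'

# Constructed sample of `dscl . -list /Users UniqueID`: Apple's setup user,
# the PreStage management account, the PreStage local admin, and the account
# NoMAD Login+ / Jamf Connect created just-in-time at the login window.
SAMPLE_DSCL='_mbsetupuser 248
jamfmgmt 501
localadmin 502
jsmith 503'

# Return 0 only if the device is DEP enrolled and the enrollment is user approved.
enrollment_ok() {
  printf '%s\n' "$1" | grep -q '^Enrolled via DEP: Yes' &&
    printf '%s\n' "$1" | grep -q '^MDM enrollment: Yes (User Approved)'
}

# Print the non-system account with the lowest UID >= 500, i.e. the account
# macOS treats as the "first" local user (normally UID 501).
first_local_user() {
  printf '%s\n' "$1" | awk '
    $1 !~ /^_/ && $2 >= 500 { if (min == "" || $2 < min) { min = $2; name = $1 } }
    END { print name }'
}

# $1 = enrollment text, $2 = dscl text, $3 = space-separated PreStage accounts.
# Prints one token saying who took the first-user slot; returns 1 if the
# DEP / UAMDM flags are missing, because then the rule cannot apply anyway.
diagnose() {
  enrollment_ok "$1" || { echo "enrollment-broken"; return 1; }
  d_first=$(first_local_user "$2")
  for d_acct in $3; do
    if [ "$d_first" = "$d_acct" ]; then
      echo "prestage-account-is-first:$d_first"
      return 0
    fi
  done
  echo "jit-user-is-first:$d_first"
}

# `--live [accounts]` reads the real commands on a Mac; a plain run uses the
# constructed samples so the script can be exercised anywhere.
if [ "${1:-}" = "--live" ]; then
  diagnose "$(profiles status -type enrollment)" \
           "$(dscl . -list /Users UniqueID)" \
           "${2:-jamfmgmt localadmin}"
else
  diagnose "$SAMPLE_ENROLL_OK" "$SAMPLE_DSCL" "jamfmgmt localadmin"
fi
```

Run it as `./check-first-user.sh --live "jamfmgmt localadmin"` (your real PreStage account names) after the JIT account has logged in once. A `prestage-account-is-first:` result matches what marck and the original poster observed (the management or admin account holds UID 501, so the NoMAD/Jamf Connect user can never be the "first" one), `jit-user-is-first:` means the PreStage created no local accounts, and `enrollment-broken` means the DEP flags are already gone and a user-level MDM profile pushed now will not be a DEP-backed one.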

eDooku
New Contributor III

We have the exact same issue, running Jamf Connect with Azure AD.

Seems to me, the jamf mdm -userLevelMdm command doesn't handle the NetworkUser account as a local account, and tries to install the user level MDM profile on the root user instead.

Anyone created a Support Case with Jamf on this one?

whitebeer
Contributor

We have the exact same issue and I just created a case with jamf yesterday. 🙂
For us it's a showstopper to migrate to an all new setup-process combined with DEP and jamfconnect 😒

jamf mdm -userLevelMdm is our current workaround we found and the support also says to use that, but that bricks the DEP Enrollment and you can't process mdm commands which require DEP Enrollment (e.g. Download and Install Updates or UserList). That destroys the nice Zero-Touch fancy stuff ...

There is also a comment here: https://www.jamf.com/jamf-nation/articles/372/enabling-mdm-for-local-user-accounts which says that if "Skip User creation" is selected and the account is created with Jamf Connect, then the account will not be mdm enabled.

But how to handle the setup-process with jamf connect, there is no guide for the whole process?

eDooku
New Contributor III

I can confirm that the workaround seems to be to change the Prestage enrollment to "Allow MDM Removal", and run "sudo jamf mdm -userLevelMdm" after Prestage enrollment.

This does, however, not help for the computers already enrolled with the previous version of the Prestage enrollment...

@whitebeer You are right, the jamf mdm command removes the Enrolled via DEP flag, as well as User Approved MDM. It is not a good workaround.... I also agree that the Jamf Connect documentation lacks about everything needed to make a good user experience. Take a look at this post, which is the best I have found so far.

whitebeer
Contributor

Just mentioned our thread here in the incident I created with jamf yesterday - seems that we all have the same problem 🙄

whitebeer
Contributor

So jackpot - Support told me that we are hitting a product issue with this (PI-004892) and there is also a radar ticket open at Apple (46787857). As we already mentioned, "jamf mdm -userLevelMdm" is the only possible workaround, but I don't think it's a good one. 😔 Funnily enough this bug already existed with NoMAD Login+ like the creator of this thread described and that was more than a year ago. For us jamf connect is useless at the moment, because we don't want to brick the DEP enrollment.

eDooku
New Contributor III

Let's just hope that the "Apple-Jamf symbiosis" can work out this thing. And soon.

jameson
Contributor II

So close to 2 years since this post - any way to get this working ?