DEP Enrolment, NoMAD Login + and MDM Capable Users

I believe that the first local user that's created is actually your Jamf Admin user. Check it's UID. It will likely be 501 which is usually the first user account. So that becomes the MDM capable user. That's what I've see so far.

Yes, the first user is the local admin created by JAMF (not the management account but the additional local administrator account) and the UID is 501. However, it is still not being listed as MDM capable user.

In my testing I set the PreStage to not create any accounts, not even the management account. In that setup the machine prompts for account creation and that account was MDM capable. I've not had a chance to test other configurations. I believe even the management account gets counted and it's the first local account that's actually created.

We ran into this same issue. Our setup is exactly the same as yours. Make sure in your PreStage that "Allow MDM Profile Removal" is checked, or else it will never show. We tried absolutely everything, and this was the only thing to finally solve it.

Let me know if it works once you give that a go.

I have the same problem. I changed the PreStage to "Allow MDM Removal" and still no go... MDM Capability, Enrolled via DEP, and User Approved MDM are all "Yes" on the device record but still no MDM Capable User. When attempting "sudo jamf mdm -userLevelMdm" I get this in the terminal output:
Error installing the user level mdm profile: profiles install for file:'/Library/Application Support/JAMF/D60E42C-E9D9-4CC-AD9B-62EB4D0.mobileconfig' and user:'root' returned 102 (New profile does not meet criteria to replace existing profile.)

Anyone still dealing with this or able to find a solution?

We have the exact same issue, running Jamf Connect with Azure AD.

Seems to me, the jamf mdm -userLevelMdm command doesn't handle the NetworkUser account as a local account, and tries to install the user level MDM profile on the root user instead.

Anyone created a Support Case with Jamf on this one?

We have the exact same issue and I just created a case with jamf yesterday. 🙂
For us it's a showstopper to migrate to an all new setup-process combined with DEP and jamfconnect 😒

jamf mdm -userLevelMdm is our current workaround we found and the support also says to use that, but that bricks the DEP Enrollment and you can't process mdm commands which require DEP Enrollment (e.g. Download and Install Updates or UserList). That destroys the nice Zero-Touch fancy stuff ...

There is also a comment here: https://www.jamf.com/jamf-nation/articles/372/enabling-mdm-for-local-user-accounts which says that if "Skip User creation" is selected and the account is created with Jamf Connect, then the account will not be mdm enabled.

But how to handle the setup-process with jamf connect, there is no guide for the whole process?

I can confirm that the workaround seems to be to change the Prestage enrollment to "Allow MDM Removal", and run "sudo jamf mdm -userLevelMdm" after Prestage enrollment.

This does, however, not help for the computers already enrolled with the previous version of the Prestage enrollment...

@whitebeer You are right, the jamf mdm command removes the Enrolled via DEP flag, as well as User Approved MDM. It is not a good workaround.... I also agree that the Jamf Connect documentation lacks about everything needed to make a good user experience. Take a look at this post, which is the best I have found so far.

Just mentioned our thread here in the incident I created with jamf yesterday - seems that we all have the same problem 🙄

So jackpot - Support told me that we are hitting a product issue with this (PI-004892) and there is also a radar ticket open at Apple (46787857). As we already mentioned "jamf mdm -userLevelMdm" is the only possible workaround, but I don't think it's a good one. 😔Funnily enough this bug already existed with NoMAD Login+ like the creator of this thread described and that was more than a year ago. For us jamf connect is useless at the moment, because we don't won't to brick the DEP enrollment.

Let's just hope that the "Apple-Jamf symbiosis" can work out this thing. And soon.

So close to 2 years since this post - any way to get this working ?