Posted on 12-11-2019 08:26 AM
Is there a way to hide the local Management Account during DEP Prestage Enrollment?
We are not creating an additional management account but users are brought to this screen prompting for the local admin credentials.
I can't see where to change this behaviour so that the user gets a blank login prompt so that they can log in with their AD credentials. What am I missing here?
Posted on 12-11-2019 08:41 AM
It looks like you are only creating 1 account, and then skiping new account creation. So there is only 1 account on the mac, So of course its prompting for that account password, its the only option. You either need to let the user make an account, or have a technician setting up the machine create their account. If you are binding to AD during the DEP/SA process and expecting the user to login with their AD account (mobile) and not have admin rights then you needs to adjust the logon screen policy to not show a list of users, that will let them type in their username and password.
For our company, since we still bind to AD and we still have computer techs setup machines for users, we have the tech setup our local admin account during the DEP/Setup assistant. From there they use Self Service to bind to AD and setup the users mobile admin account before it goes to the user. Reason we dont force the local admin during setup is some machines to do directly to the users (global, offsite, ect..) so in that case, the users will just use a local account (not bound to AD). A policy later ensures our admin account is in place. This gives us some flexibility in how the machine is setup to meet all of our scenarios.
Does that help?
Posted on 12-11-2019 09:02 AM
@ScottSimmons thanks that does make sense. Guess we will have to make some decisions because we have a similar scenario to yours but we're hoping to get away from relying on an engineer to be available to do the initial set up.
Posted on 12-11-2019 09:50 AM
yea, realistically if you dont want a tech ("engineer", boy thats fancy) setting up the machine, you will need to get away from AD binding. That way the users can just setup their local account when they walk the mac thru Setup Assistant.
You can also look into Nomad (or Jamf Connect) as an alternative to AD binding entirely. We kinda are, but honestly im kinda holding out for the near future when the installs are all Catalina and Okta Authentication happens at DEP enrollment. For us, the Desktop support team management still wants techs setting up most of our machines for the users so they can help the users with other things like Data transfers, flow-down collection and physical stuff like docking station hookups, wire management, ect... So its not a huge rush to get off the tech setup workflow.