DEP - Prestage enrollment - Computer name for AD binding

Vincent
New Contributor II

Hi to all ,

During Prestage enrollment is it possible to set computer name for AD binding ?
Actually i can do that with a policy (with trigger enrollment complete) :
- Script for Computer Name
- Directory Bindings
The problem is that this policy needs to login with local admin account login to run

Thanks for your help

19 REPLIES 19

ooshnoo
Valued Contributor

Policies can be run whether a user is logged in or not, and yes, you can set the computer name during prestage.

jakem
New Contributor II

Hi mainiervi,

We are having the same problem, here is our workaround.

  1. Add Computer to our DEP account and assign it to Jamf
  2. Assign computer to our pre-stage enrollment.
  3. Perform Apple Internet Recovery (If Needed)
  4. Boot computer and run through first run wizard.
  5. Login with local administrator account created by the pre-stage enrollment.
  6. Open Self Service and login with authenticated domain creds and run a policy which prompts for the computer name. It then renames the computer and joins it to Active Directory.
  7. Logout and it's all done.

It would be nice if Apple adds a spot in the setup/first run wizard to prompt for the computer name as it would save some steps.

Let me know if you have any questions or would like further explanations.

Cheers,
Jake

hkabik
Valued Contributor

We set our Macs Computer name to the Serial number and bind during the pre-stage enrollment. Works a treat.

stevevalle
Contributor III

Have a look at THIS post I wrote not so long ago. We also bind computers using the serial number, but change it when the user logs in!

It's one of the ways we name staff computers.

pueo
Contributor II

Hello @hkabik

Found this post and was intrigued buy your reply. 'Bind during pre-stage'...what part of pre-stage? I have renaming and binding implemented but you have to login to the device, the Rename script runs (as part of work flow), you enter the new device name, a few steps down the policy the AD Bind script runs and joins the device to the domain.
Wondering if there is another way.
Ultimately we are moving away from AD binding (as its terrible on a Mac) and will use NoLOAD and NoMAD until then we are stuck with AD Binding for Lab devices. We have ditched AD on Faculty/Staff Laptops..(much better off)...in favour of NoMAD.

P.

yadin
Contributor

Unlike Profile Manager where you can set the name of a pre-stage system so all this is automated, JAMF has no real ability to manage device names, and therefore several other features, like AD binding, are completely useless. Apparently JAMF assumes no one uses computer names, so just set it to the serial number. That's not how business works, and it makes management via groups of names by area impossible. We need to have custom names set on enrollment so that binding at enrollment, as well as other internal systems, actually work. Right now, we're finding JAMF an expensive paperweight as it can't do basic things that Profile Manager can. I find threads where this has been beaten on for 3 years and JAMF has ignored the issue. Unbelievable. It's a basic critical requirement to have automation work. This has to be fixed.

LRZ_Jamf
Contributor

There's some easy Solution.

If you have some kind of CMDB -> Write a Script that asks the API to give you the proper Name for the SerialNumber
If you have no CMDB -> get a webserver, add a .csv file containing ComputerName,SerialNumber, write a Script which downloads the csv and gets the Name for the SerialNumber

Scope the Script to run at DEP-Enrollment.
add a reboot after the Script ran, Scope your Directory Binding to all DEP-Machines to run at first-Reboot
-> Binding will be with the proper name, derived from the csv

We are querying our CMDB, grabbing the Name, doing some other fancy stuff, rebooting, joining AD, setting NTP etc. settings. Rebooting again... And the Machine is ready after about 5 Minutes.

Be sure to place "Do not Login" Signs everywhere, else People will try to login.

yadin
Contributor

I should not have to implement another MDM or other cobbled work arounds with additional systems because the premier MDM I purchased is missing a base level requirement for allowing other features in it to work. That's allowing JAMF to get away with far too much for the price. If there is an option to bind to directory at enrollment, that needs to work. That can't work if the name is not set properly, so there MUST be a way to set the name otherwise you have a useless feature which makes no sense, especially when this has been a complaint for 4 years and Apple's MDM does it for $20. Customers need to hold JAMF accountable for the product they paid for.

RickDalton
New Contributor III

@hkabik I know this is an old thread but how are you setting computer name during pre-stage enrollment. I understand how to do it via script and then bind after but not at pre-stage. Could you explain how you set it up?

hkabik
Valued Contributor

In the directory settings of the prestage enrollment I set the client id to $SERIALNUMBER

That's all there is to it. Then the computer name is set to the same in the scripts that run as part of the DEP process.

yadin
Contributor

Yeah unfortunately JAMF only believes in using serial numbers for machine names, which is not how a federated enterprise setting normally works. Real name management, both in pre-stage and push from console, is desperately needed to catch them up with Profile Manager.

hkabik
Valued Contributor

The options available in Prestage Enrollments are determined by Apple, not JAMF. A policy could always be set to accommodate any naming convention and a re-bind to the domain with that name post-prestage. This would leave you with un-needed machine accounts (left over from the initial bind) in AD but a daily cleanout could easily be written in powershell.

yadin
Contributor

Apple lets you name prestage records in Profile Manager and enforce them. Therefore at enrollment, the machine gets the proper name and binds to the proper computer record in AD. JAMF does not allow this. That's pretty clearly JAMF, not Apple, and it's a severe limitation by comparison for many of us.

alv2015591
New Contributor III

https://www.jamf.com/jamf-nation/feature-requests/6193/dep-computer-naming
Check this out

kerouak
Valued Contributor

Manual Entry of Computername via this script.
I run it before Binding..

>>#!/bin/bash

functions

function machinename () { osascript <<EOT tell application "Finder" activate set nameentry to text returned of (display dialog "Please Input New Computer Name" default answer "" with icon 2) end tell
EOT
}

function renameComputer(){ #Set New Computer Name echo "The New Computer name is: $ComputerName" scutil --set HostName $ComputerName scutil --set LocalHostName $ComputerName scutil --set ComputerName $ComputerName

echo Rename Successful
}

Script

ComputerName=$(machinename) renameComputer
exit 0

HNTIT
Contributor II

If this Worked for Computers as well as Devices then it would allow us to fix the issue.

Aguiness
New Contributor III

I use a policy that installs a cvs file in the tmp folder then a script runs and names the computer then it triggers a bindtoad policy to bind the Mac

PaulHazelden
Valued Contributor

I am not currently using DEP. But to name the Macs, we first of all add them to DHCP with a name and their macaddress. Then as they are being set up a script runs that gets the local macaddress and then queries DHCP database for the device name for that Mac address. Then the script uses the resulting name to set the device name on the Mac. Our names are based on Campus-room-device number, so Smart groups are easy to setup looking at the first part of the name. The Macs then enrol with their correct name.
DEP is a cloud on our horizon for MacOS, we love it for IOS.

RobbieReichard
New Contributor III

@Aguiness s can you post the script that you use to read the .csv file and renames the machine?