During enrollment of a Sonoma MacBook, after Remote Management starts and our required credentials are entered, it skips creating the local user account. It goes straight to a login screen instead. We do push a hidden admin account via script during enrollment. I can log in with said hidden admin account at that new login screen. We only see this issue with macOS 14.x (Sonoma). We can manually enroll a Sonoma machine without issue. Only during enrollment of a Sonoma system is it an issue. For our current setup, we still need the ability to create local users. Anyone else see this issue?
Ugh this sounds like PI111120 (Account creation can be skipped if "Transfer Information" and "Location Services" are configured to be skipped in Computers > PreStage Enrollments. Workaround: Deselect "Transfer Information" and "Location Services" in the PreStage Enrollments settings.) -- on 13.x I could get around it by toggling Location Services & Data Transfer on and off and then my prestages have been bulletproof.
If you can open a support case and reference the PI. I need to test this as well (esp. with the new "enforce FileVault at Automated Device Enrollment" feature in 14), so I'll probably be sending in a support case too.
Confirmed I'm testing on 23A344 and got a Case open with Jamf Support. Just waiting for them to assign someone to it. Opened it last night. I will definitely share anything I learn from Support. Thank you for testing!
I am forced to provide the credentials for the local administrator account and reset the password. I receive no prompt to create a local user.
The local administrator account before the Setup Assistant was created as well as the management account. I was not forced to provide credentials and was prompted to create a computer account.
A different set of settings:
I am forced to provide the credentials for the management account, which has to be pulled from the Jamf API. I receive no prompt to create a local user.
To add to this:
I enrolled a computer in a brand new pre-stage.
Still having the same issue on macOS 14.0 and 14.1b1
I'll check and see if PI112111 is valid, but I doubt so.
This is my understanding. The engineer assisting our case said this: "The management account is currently only used with Jamf Remote, so unless you have another purpose for it, you're free to disable its creation and it should no longer skip account creation." We use a script to push our own admin management account, so this may not be an issue for us.
Is that a script that Jamf has anywhere? Would love to know how to do so with a script. We'll need to do this now that this has come to light. We've unchecked "Create Management Account" but we still need a managed admin :(
How are you guys scoping your configurations that need to go to all endpoints, e.g. certs, configs for AV, etc.? Even though I have nothing in PreStage configuration, they say this is the bug that is affecting me.
I’ve come up with a solution to the problem and have tested successfully. However, there are some caveats. To make this work, I had to add a payload to the Account section of the Pre-Stage enrollment. I also set the general section to not Skip Location Services. Here is a screenshot of what worked.
However, because the local admin account created in the Pre-Stage is not automatically LAPS enabled, I have a policy that deletes the account after enrollment. It is scoped to any computer with that local account.
Kind of hokey, but it leaves me with a functioning enrollment and the management account from the user-initiated enrollment setting is functional and has LAPS enabled.
As far as your statement, "However, because the local Admin account created in the Pre-Stage is not automatically LAPS enabled," the reason it isn't LAPS enabled is that management of the MDM LAPS account is not enabled by default, per https://learn.jamf.com/bundle/technical-paper-laps-current/page/Implementing_LAPS.html. If you have a need for 2 LAPS-enabled accounts, I suggest following the instructions to enable management of the MDM LAPS account.