Hello - I am scratching my head trying to figure this out.
We are currently on 9.96 and will be moving to latest cloud JSS, so hopefully this is a possibility. But I am working on making a truly Zero Touch experience for my users that receive machines while on network.
In our current Pre-Stage enrollment, I have a local account being created; the client signs into that account and launches a Self Service policy, packages install, reboot, and you're ready to sign in with your AD account (I would do AD binding at time of DEP, but Centrify makes it a bit difficult).
In my perfect scenario, they would plug into the network, power on, receive the Pre-Stage enrollment, and proceed to be logged into a local account, policies run, reboot and you're in like Flynn. Maybe even throw in a JamfHelper window if time permits, but that's just icing at this point.
I've been playing around with my pre-stage by not creating a local account, and setting my policy to run at time of enrollment, on the assumption that it would automatically log in and then my policies would kick off. Not the case. I get to the login screen, and there's no user available.
How have you all in the "Real World", especially you in the corporate world made this happen? Or am I looking at this the wrong way?
Any assistance or fresh ideas would be greatly appreciated.
To do what you’re proposing you’ll have to revisit the need to use Centrify to bind to the domain. As you discovered, the Centrify package is an ‘after market’ package, so it won’t be installed until after the user has logged in.
If macOS’s built in AD plugin works for you, you can test a prestage that has a directory binding built into it. Because this plugin is built into the OS it can run while the user is still walking through the Setup Assistant. You can then safely skip account creation altogether and let the user log in with their real domain account at the login window.
If you still need Centrify I’d suggest a thin imaging workflow that just installs Centrify. DEP is out as an option at that point but you’re meeting the goal of a zero touch deployment as far as the end user is concerned (not you, unfortunately :))
Does it matter if we use a config profile with the Directory payload instead of the Pre-Stage Enrollment Directory payload?
The config profile is scoped to all devices within a site. I tested it and it seems to work that way. Upon enrollment, the computer is dropped into the site and gets the config profiles.
Just wondering if there are any pros/cons to doing it this way.