We have our prestage enrollment set to create a hidden local admin account. The settings we have selected are: Create a local admin account before setup assistant, Hide managed admin account in Users & Groups, and Skip Account Creation.
Initially, this seems to work 100% fine. I can log in through the local admin without issues. BUT, as soon as another user uses the computer and it creates their account, I suddenly lose access to the local admin. Let me walk you through this so it makes more sense.
- The computer goes through prestage enrollment and creates the admin account.
- When we reach the login screen it is populated with our Single-Sign On window asking for our company email login. We instead click local login and log in with the local admin. This works.
- We log out of the local admin and return to the SSO login window. The new computer user will log in with their company credentials and it will create and account for them on the computer. They log out of the account.
- The admin account no longer has access or has somehow changed passwords.
I have to assume something in our settings is making this happen but I can't figure it out. My original test machines are not having this issue, but I haven't made any changes to policies or configurations that should have had an impact. All I've done is add more programs for availability.
I even did a full factory reset, deleted from Jamf, and started a computer fresh today and it worked exactly like I described above, which means something must be writing over the local admin at some point when the new user logs in, but I for the life of me can't figure it out and it's hurting our whole program.
No, I'm not.
Something I saw in a discussion today was that it is potentially effected by LAPS? We did have Management Account (with a different name) set in the User-Enrolled section, which I guess in the recent update now has LAPS automatically applied, and I was wondering if it somehow applied that to my admin account since it was like the password had changed completely.
As far as I know MDM LAPS isn't enabled by default, you have to enable that in the API. Here is the guide about it. https://learn.jamf.com/bundle/technical-paper-laps-current/page/Implementing_LAPS.html
The logs didn't show anything unusual. I did find this though: https://learn.jamf.com/bundle/technical-paper-laps-current/page/Enrollment_Method_and_LAPS_Accounts_...
If I am reading this right, because I use prestage enrollment to create the local admin account, it automatically gives it MDM LAPS.
What tool are you using to add your Corp SSO to the macOS Login screen? You mention this login screen in step 2 and 3, macOS does not have SSO functionality from the login screen (yet). I'm wondering if your tool is doing something, or needs to be configured differently. For example if it is JAMF Connect, it will force an account sync and your local account should be exempted from this work flow.
My last thought. If you have password requirements enabled, there is a chance the tool providing SSO to macOS is suppressing the messages from macOS about the password like it not being compliant. If you don't respond to those messages, macOS will abort the login without any further dialog.
I'm not actually using any tool other than Jamf Connect.
We have it connected to Azure and our domain and when a user sees their login screen it's been replaced by our company login portal. I didn't have to do anything additional beyond Connect to get that functioning and had the assistance of a Jamf engineer.