Lock Primary Account Information - PreStage Enrollment


Is anyone able to get "Lock Primary Account Information" to work in PreStage Enrollment? I have mine set up to use the device owner's details after prompting the user for their AD credentials, but once it gets to the account creation screen the user is able to edit their account name and password.

Anyone else seeing this? I've got a case open with Jamf Support, but was curious.

I'm on Jamf 10.18.0 running on Windows Server 2019


New Contributor III

I have been experiencing the same behaviour but when the option is disabled!

New Contributor II

I am also experiencing this issue. But I believe it "greyed out" the password field and didn't let them change it. However, the password they had with Google Cloud Identity (what we use in place of AD) did not meet the security requirements set by one of our payloads, thus rejected their password and allowed them to edit it to make it compliant.

Nice feature, but they are still able to edit their name and user name, regardless.

New Contributor II

Yes, me too.
Jamf asked me that likely it's caused by PI-008058 which is an issue on Apple's end that they are currently working on.
There is a workaround which would be Don't allow Apple ID sign in screen during PreStage. But it doesn't work for me!

New Contributor III

I started toying with this setting today in hopes of further streamlining new computer setups.

In my testing, the Lock primary account information works as long as I don't utilize the Enrollment Customization Configuration. With ECC set to None, I receive the pop-up-looking dialog box asking for a username and password (authenticated against LDAP). A Select Time Zone window appears and the Create Account Dialog window never appears. The machine reboots and the user then logs in with the same info entered during enrollment.

If I use an ECC, my custom login window appears instead of the default pop-up. Followed then by the Create an account window. Interestingly, the password doesn't auto fill. If I deselect the Pre-fill Primary account info option, the shortname and the password will autofill in the account creation window, but can be edited by the user. Full Name remains empty.

It's frustrating that each selection produces totally different results rather than building upon what I would think would be a common workflow.