Mac devices not respecting prestage enrollment

ctopacio01
New Contributor

We are imaging multiple Mac devices and they are not respecting the Prestage enrollment settings (specifically the "skip account creation" setting) after DEP has been applied and are still prompting to create the user account. This issue has been occurring sporadically.

So far, the devices we have been imaging are:
- MacBook Pro 13" (Mid 2012)
- MacBook Air 13" (Early 2015)

We are currently using Jamf Pro 9.99.

14 REPLIES

MacSysAdmin
Contributor

I've been told by JAMF that in order to use the Account Settings payload you also need to have the Directory payload configured. While it is not called out anywhere, if you only configure the Account Settings, the entire prestage will fail.

rhoward
Contributor

Are you installing anything on your image? If it's a completely blank OS this shouldn't happen. We see this as well with some applications that we have installing on boot drive after imaging.

ctopacio01
New Contributor

@BostonMac At the moment, we do not have the Directory payload configured and we have days where laptops will respect the Account Settings payload and days where the laptop(s) will prompt to create the local user account.

@rhoward During our reimaging process, we install a blank OS. All the other applications are installed via policy after enrollment completes.

Jacetram
New Contributor

@ctopacio01 I am also having this issue. I received it after updating to 9.100 yesterday. Last week, on 9.98, it respected "the Prestage enrollment settings (specifically the "skip account creation" setting)" and created the hidden admin account as set in Prestage. We would like to return to that workflow.

Does anyone know if that is possible?

We would also like to wait on OD directory binding till after software installations and data restores are complete. We are setting up 350 new 2017 iMacs and would like to use Prestage Authentication and skip account creation since we use Configuration Profile to create local mobile accounts.

emily
Valued Contributor III

@BostonMac Did Jamf mention to you if adding but not configuring the Directory payload would fix the issue? What's the implication of leaving out the Account Creation payload? If a policy happens on check-in to create a local admin as needed, does this payload need to be set at all, or will not having the account set at all keep it from running policies or other standard management of the Mac?

Jacetram
New Contributor

I have added a configured Directory payload to my testing and it did not work. The iMac during Prestage Enrollment creates the Authenticated user as a local admin account and the payload also creates an Admin account.

retroroscoe
Contributor

Hi All,

I am seeing this issue as well since upgrading JSS to 9.100.0.
No combination I have tried seems to get around the problem.
I was even told by JAMF support to unhide the Management Account set in User-Initiated Enrollment.

tsd25108
New Contributor II

Did anyone ever get any resolution to this? Now that High Sierra is coming along and DEP is being forced upon us, I'm starting to work on my implementation and am running into this. Was going to put in a ticket with JAMF, but ran across this.

jmahlman
Valued Contributor

--

emily
Valued Contributor III

Yeah we're on 9.101 currently. We're hoping a combo of updating to 10.2, making sure redirects to Akamai are allowed on our firewall rules (we'll see who on the network security team I need to bake cupcakes for to make that happen), and the release of 10.13.4 will all fix this for us. 🤞🏻

Egardner
New Contributor III

Habanero Cupcakes if they say no.

I have a similar issue with 10.1.0 that I will post about shortly.

analog_kid
Contributor

Also seeing "Skip Account Creation" not being respected on Jamf Pro 10.2.1 + macOS 10.13.3.

michaelhusar
Contributor II

@analog_kid We are also on 10.2.1. With 10.13.3 we see that account creation is only skipped if "Require Authentication" is deselected :-(

spalmer
Contributor III

I saw the same thing when we were on 9.100.0 and we recently upgraded to 10.3.1 hoping it would fix the issue. However, I think that it is now worse. Now, instead of not skipping account creation when the setting is checked, it just hangs at "Contacting remote management server" at the Remote Management step of the Setup Assistant. Has anybody else seen this behavior with 10.3.1?