Manually Assigning Sites during PreStage Enrollment

rabiul
New Contributor

Hey, 

We have multiple sites in our Jamf Pro because we are a group of companies. Now we want to assign sites during the prestage enrollment. So, when the user connects a new laptop to the internet, it should pop up an option with site names so the user can select which site he/she belongs to. Based on that, he will receive the enrollment customizations and policies made for that specific site.

It is working fine with user initiated enrollment but I can't figure out how to do that with prestage enrollment. Can anyone help?

Thanks

1 ACCEPTED SOLUTION

ega
Contributor III

So a lot of device managers would not want the end user to select the Site due to the human error introduced (picked the wrong site, did not care and just took the first Site in the pop-up, etc.). Also, any mechanism you build could be subject to reliability issues, especially if you have to write the site name back to Jamf with the API or the like. One straightforward way to avoid this is to set up one "MDM Server" per Jamf Site in Apple Business/School Manager. Set the PreStage in each Site to automatically accept anything assigned in AB/SM, and then when you purchase just use the Apple Order number or the serial numbers (you can paste in a whole group) to assign to Sites. No need for any other complex workflow at that point.
If one did need a Smart Group or scope criteria, Jamf has a criteria of "Enrollment Method: PreStage enrollment" which takes the name of a PreStage. Someone has to make the assignment at some point, and this method makes the best use of built-in tools and simplifies the workflow.

10 REPLIES

Shyamsundar
Contributor

You can run the same policy which pops up the site information during the PreStage as well, but you need to ensure this policy runs only after the user logs in. You can create a launch daemon to execute this policy by calling it via a custom trigger; at the same time you can set a condition so that it checks for any user login and executes only after that.

Instead of creating a launch daemon, is there any way to do the setup from the GUI? For user-initiated enrollment, it's enabled automatically once I created new sites and connected LDAPs. 

I can write a custom script and push the user to update the site info via jamfhelper. But then the user will already be logged in to the system without any enrollment customization setup, which I want to avoid.

Shyamsundar
Contributor

You can have multiple PreStage enrollments, with devices scoped only to a particular PreStage, and each PreStage can have a different configuration based on your sites.

That means each time we order laptops, I need to add those manually or scope out the whole bunch via group assignment to a specific site, correct?

rabiul
New Contributor

Thanks @ega 
I figured out this is the correct way to do it. Though Shyam and Samstar also provided solutions, I will accept your answer as the solution because that's the detailed explanation of what I have to do in my case.

ega
Contributor III

Assign to a PreStage per Site is the right answer, like @Shyamsundar says. (We have one "MDM Server" per Site with the same name in our Apple School.) However, you may also want to take a look at Jamf Setup Manager (https://github.com/Jamf-Concepts/Setup-Manager), which can manage user input and run policies based on that input (among other things).

Samstar777
Contributor II

Hello @rabiul 

Assigning sites during PreStage enrollment to ensure the appropriate enrollment customizations and policies are applied is indeed possible. However, I would need a bit more information to guide you effectively. Could you please clarify the following:

  1. Onboarding Application:
    Are you leveraging any specific onboarding application or enrollment customization tool during the PreStage enrollment process? For example, are you using Jamf's Enrollment Customization Settings, or a third-party solution integrated with Jamf Pro?

  2. Device Assignment Method:
    Are devices assigned to sites in Jamf Pro using automated workflows (e.g., via DEP/Automated Device Enrollment with tokens) or manual methods post-enrollment?

  3. User Authentication:
    Is user authentication during enrollment done via Single Sign-On (SSO), and does your SSO IdP (e.g., Azure AD, Okta) maintain site-specific attributes that could help automate the assignment?

  4. LDAP Configuration:
    Have you already integrated multiple LDAP configurations in Jamf Pro for the various sites? If yes, is there a consistent attribute or identifier (e.g., department, office location) that could be mapped for site selection?

  5. Current User Workflow:
    In user-initiated enrollment, you mentioned that site selection works well. Could you elaborate on how this is achieved? For example, does the workflow rely on user groups, LDAP mappings, or another mechanism?

  6. Expected End-User Experience:
    Are you expecting the site selection to happen as an interactive option (e.g., a dropdown during enrollment) or automatically based on the user's identity or device attributes?

The answers to these questions will help identify the best approach to achieve your desired outcome without requiring users to intervene after login.

Hey @Samstar777 

Find my response below: 

  1. Onboarding Application:
    I am using Enrollment Customization Settings. For now, there is no third-party integration but in future we will have that.

  2. Device Assignment Method:
    I used Automated Device Enrollment with tokens. Laptop information is synced from our ABM account via token.

  3. User Authentication:
    There is no SSO at the moment. But in future, I want to integrate that. We are using Google Workspace for user administration.

  4. LDAP Configuration:
    There are LDAPS configured for all of the companies (6 as of now). But I am picking only the username and title for the mapping because other fields are not required at the moment.

  5. Current User Workflow:
    Once I created the sites after connecting the LDAPs, it appeared automatically for the user initiated enrollment. See the pop-up and directory service user enrollment settings below: 
    [Screenshots: site selection pop-up and directory service user enrollment settings]
    During the user initiated enrollment, they have the privilege to select a specific site by themselves. 

  6. Expected End-User Experience:
    I want it as a dropdown during enrollment. I am not considering device attributes and user's identity at the moment because of the project deadline. 

    Hope this clarifies everything. Let me know if more information is needed. Thanks

Samstar777
Contributor II

@rabiul Thanks for sharing all this information. You can easily achieve this through an API. The design would be a small script to prompt the user to select the Site and save the info as a variable, and a curl command to populate the variable value in Jamf Pro.

If you need additional support on this, feel free to reach me on Slack @samstar777
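
The script-plus-curl design from the last reply, as an added example that is not code from any poster in this thread: it takes the user's Site choice, checks it against a fixed allowlist, and only then builds the request that writes it back to Jamf Pro. The Site names, `JAMF_URL`, `JAMF_TOKEN` and the choice of the Classic API computer-by-serial endpoint are assumptions; the prompt itself (for example via jamfHelper) is left out so the functions can be exercised offline.

```shell
#!/bin/bash
# Added example. Assumptions: Site names, JAMF_URL, JAMF_TOKEN and the use of the
# Classic API computer-by-serial endpoint are illustrative, not from the thread.

# Constructed sample list; must mirror the Sites defined in Jamf Pro.
ALLOWED_SITES="Company A
Company B
Company C"

# Succeed only if the choice equals one allowed Site name exactly.
validate_site() {
    [ -n "$1" ] || return 1
    while IFS= read -r site; do
        if [ "$site" = "$1" ]; then return 0; fi
    done <<EOF
$ALLOWED_SITES
EOF
    return 1
}

# Escape XML metacharacters so a name cannot change the payload structure.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Build the XML body that sets general/site/name on the computer record.
build_site_payload() {
    validate_site "$1" || return 1
    printf '<computer><general><site><name>%s</name></site></general></computer>' \
        "$(xml_escape "$1")"
}

# Serial numbers are alphanumeric; reject anything else before it reaches the URL.
valid_serial() {
    case "$1" in ''|*[!A-Za-z0-9]*) return 1 ;; *) return 0 ;; esac
}

# usage: assign_site <serial> <site>; the token is read from the environment.
assign_site() {
    valid_serial "$1" || { echo "invalid serial" >&2; return 2; }
    body=$(build_site_payload "$2") || { echo "site not allowed: $2" >&2; return 3; }
    [ -n "$JAMF_TOKEN" ] || { echo "JAMF_TOKEN not set" >&2; return 4; }
    curl --silent --fail --max-time 30 --request PUT \
        --header "Authorization: Bearer ${JAMF_TOKEN}" \
        --header "Content-Type: application/xml" \
        --data "$body" \
        "${JAMF_URL}/JSSResource/computers/serialnumber/$1"
}
```

Any credential this script uses sits on a machine the end user controls, so the API account behind `JAMF_TOKEN` should be limited to updating computer records and the token kept short-lived.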