Posted on 11-25-2024 04:40 AM
Hey,
We have multiple sites in our Jamf Pro because we are a group of companies. Now we want to assign sites during the prestage enrollment. So, when the user connects a new laptop to the internet, it should pop up an option with site names so the user can select which site he/she belongs to. Based on that, he will receive the enrollment customizations and policies made for that specific site.
It is working fine with user initiated enrollment but I can't figure out how to do that with prestage enrollment. Can anyone help?
Thanks
Posted on 11-25-2024 07:02 AM
You can run the same policy which pops up the site information during the Prestage as well, but you need to ensure this policy runs only after the user logs in. You can create a launch daemon to execute this policy by calling it via a custom trigger; at the same time you can set a condition that it will check for any user login and execute only after that.
Posted on 11-25-2024 07:11 AM
Instead of creating a launch daemon, is there any way to do the setup from the GUI? For user-initiated enrollment, it's enabled automatically once I created new sites and connected LDAPs.
I can write a custom script and push the user to update the site info via jamfhelper. But then, the user will already be logged in to the system without any enrollment customization setup, which I want to avoid.
Posted on 11-25-2024 09:33 AM
You can have multiple Prestage enrollments, and devices are scoped only to the particular Prestage, and each Prestage can have a different configuration based on your sites.
Posted on 11-26-2024 02:23 AM
That means each time we order laptops, I need to add those manually or scope out the whole bunch via group assignment to a specific site, correct?
Posted on 11-26-2024 11:09 AM
So a lot of device managers would not want the end user to select the Site due to human error introduced (picked the wrong site, did not care and just took first Site in pop-up etc). Also any mechanism you build could be subject to reliability issues, especially if you have to write the site name back to Jamf with API or the like. One straightforward way to avoid this is to set up one "MDM Server" per Jamf Site in Apple Business/School Manager. Set the Prestage in each Site to automatically accept anything assigned in AB/SM and then when you purchase just use the Apple Order number or the serial numbers (you can paste in a whole group) to assign to Sites. No need for any other complex workflow at that point.
If one did need a Smart Group or scope criteria, Jamf has a criteria of "Enrollment Method: PreStage enrollment" which takes the name of a PreStage. Someone has to make the assignment at some point, and this method makes the best use of built-in tools and simplifies workflow.
a month ago
Thanks @ega
I figured out this is the correct way to do it. Though Shyam and Samstar also provided solutions, I will accept your answer as the solution because that's the detailed explanation of what I have to do in my case.
11-25-2024 10:02 AM - edited 11-25-2024 10:03 AM
Assigning to a PreStage per Site is the right answer, like @Shyamsundar says. (We have one "MDM Server" per Site with the same name in our Apple School.) However, you may also want to take a look at Jamf Setup Manager (https://github.com/Jamf-Concepts/Setup-Manager), which can manage user input and run policies based on that input (among other things).
Posted on 11-25-2024 10:22 AM
Hello @rabiul
Assigning sites during PreStage enrollment to ensure the appropriate enrollment customizations and policies are applied is indeed possible. However, I would need a bit more information to guide you effectively. Could you please clarify the following:
Onboarding Application:
Are you leveraging any specific onboarding application or enrollment customization tool during the PreStage enrollment process? For example, are you using Jamf's Enrollment Customization Settings, or a third-party solution integrated with Jamf Pro?
Device Assignment Method:
Are devices assigned to sites in Jamf Pro using automated workflows (e.g., via DEP/Automated Device Enrollment with tokens) or manual methods post-enrollment?
User Authentication:
Is user authentication during enrollment done via Single Sign-On (SSO), and does your SSO IdP (e.g., Azure AD, Okta) maintain site-specific attributes that could help automate the assignment?
LDAP Configuration:
Have you already integrated multiple LDAP configurations in Jamf Pro for the various sites? If yes, is there a consistent attribute or identifier (e.g., department, office location) that could be mapped for site selection?
Current User Workflow:
In user-initiated enrollment, you mentioned that site selection works well. Could you elaborate on how this is achieved? For example, does the workflow rely on user groups, LDAP mappings, or another mechanism?
Expected End-User Experience:
Are you expecting the site selection to happen as an interactive option (e.g., a dropdown during enrollment) or automatically based on the user's identity or device attributes?
The answers to these questions will help identify the best approach to achieve your desired outcome without requiring users to intervene after login.
Posted on 11-26-2024 02:35 AM
Hey @Samstar777
Find my response below:
Onboarding Application:
I am using Enrollment Customization Settings. For now, there is no third-party integration but in future we will have that.
Device Assignment Method:
I used Automated Device Enrollment with tokens. Laptop information is synced from our ABM account via token.
User Authentication:
There is no SSO at the moment. But in future, I want to integrate that. We are using Google Workspace for user administration.
LDAP Configuration:
There are LDAPS configured for all of the companies (6 as of now). But I am picking only the username and title for the mapping because other fields are not required at the moment.
Current User Workflow:
Once I created the sites after connecting the LDAPs, it appeared automatically for the user initiated enrollment. See the pop-up and directory service user enrollment settings below:
During the user initiated enrollment, they have the privilege to select a specific site by themselves.
Expected End-User Experience:
I want it as a dropdown during enrollment. I am not considering device attributes and user's identity at the moment because of the project deadline.
Hope this clarifies everything. Let me know if more information is needed. Thanks
Posted on 11-26-2024 09:44 AM
@rabiul Thanks for sharing all this information. You can easily achieve this through an API. The design would be a small script to prompt the user to select the Site and save the info as a variable, and a curl command to populate the variable value in Jamf Pro.
If you need additional support on this, feel free to reach me on Slack @samstar777
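
A sketch of the prompt-then-curl design suggested in this thread, added here as an example and not part of any poster's reply: it checks the chosen Site against an allow-list and XML-escapes it before building a Jamf Pro Classic API update for the computer record. The Site names are constructed placeholders, and the `JAMF_URL` and `JAMF_TOKEN` environment variables are assumptions; the token is assumed to be a short-lived bearer token limited to updating computer records, not credentials stored in the script.

```shell
#!/bin/sh
# Added example. ALLOWED_SITES holds constructed placeholder names, one per line.
ALLOWED_SITES="Company-A
Company-B
Company-C"

# Return 0 only if the choice is exactly one allow-listed Site name.
# Line-by-line string comparison, so embedded newlines or regex characters never match.
validate_site() {
    while IFS= read -r _site; do
        [ "$1" = "$_site" ] && return 0
    done <<EOF
$ALLOWED_SITES
EOF
    return 1
}

# Escape the characters that would break out of an XML text node.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Build the Classic API body that sets general/site/name; fails on an unknown Site.
build_site_xml() {
    validate_site "$1" || return 1
    printf '<computer><general><site><name>%s</name></site></general></computer>' \
        "$(xml_escape "$1")"
}

# $1 = serial number, $2 = Site chosen by the user.
assign_site() {
    _body=$(build_site_xml "$2") || { echo "rejected site: $2" >&2; return 1; }
    # Serial goes into the URL path: allow alphanumerics only.
    case "$1" in
        ""|*[!A-Za-z0-9]*) echo "rejected serial" >&2; return 1 ;;
    esac
    curl --silent --fail --request PUT \
        --header "Authorization: Bearer ${JAMF_TOKEN}" \
        --header "Content-Type: application/xml" \
        --data "$_body" \
        "${JAMF_URL}/JSSResource/computers/serialnumber/$1"
}

# Contact the server only when both variables and both arguments are supplied.
if [ -n "${JAMF_URL:-}" ] && [ -n "${JAMF_TOKEN:-}" ] && [ $# -eq 2 ]; then
    assign_site "$1" "$2"
fi
```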