Help

Multiple Managed Local Administrator Accounts

Manon
New Contributor II

Monday

I noticed that there are 2 Managed Local Administrator Accounts listed in the Inventory > General page of our computers. All our computers and devices are all under Apple School Manager and are automatically enrolled via PreStage Enrollment (so I am thinking that User-Initiated Enrollment never happens for us).

 

My questions are:

1. Under Settings > Global > User-initiated enrollment > Computers, do we need to check the box for "Enable user-initiated enrollment for computers"? And if yes, do we need to check the box for "Create managed local administrator account" (everything else is unchecked) given that each PreStage Enrollment also creates a managed local administrator account?

 

2. Under Settings > Global > User-initiated enrollment > Devices, do we need to check the box for "Enable for institutionally owned devices" (everything else is unchecked)?

 

3. If we disable User-Initiated Enrollment, will the currently enrolled devices be affected?

Reply
3 REPLIES 3

AJPinto
Esteemed Contributor

Monday

What needs to be checked is entirely up to what your environment needs.

  1. User initiated enrollment needs to be enabled if your users need to authenticate your Automated Device Enrollment.
    1. The account created by “Create managed local administrator” is not used for anything anymore as far as a am aware, it’s just another method to create an IT admin account on devices and is tied into LAPS. The Jamf Recon App was the last tool that directly used this account that I recall.
  2. Limiting this to institutionally owned devices or not is entirely up to what your environment needs.
  3. Any of these settings will only impact devices as they enroll, any already enrolled devices will see no changes until they enroll next.
Reply

Manon
New Contributor II
In response to AJPinto

Monday

Hi AJ,

 

Pardon my ignorance but what does the "users need to authenticate your Automated Device Enrollment" workflow look like? For us, when we purchase a device, it gets added to Apple School Manager, and then they show up in Jamf and we manually assign them to a PreStage Enrollment ... this is what we always understood to be ADE (sort of like enrolling a device in Autopilot for Intune).

 

As for the PreStage "create managed local administrator" this is what we'd like to use as a "shared IT admin login" to the device (using LAPS of course) as per TalkingMoose's recommendation.

 

Thanks for the reply!

0 Kudos
Reply

Manon
New Contributor II

Monday

I tried disabling User-Initiated Enrollment and got this error in the PreStage page

Screenshot 2025-04-15 140640.png

So it seems like User-Initiated Enrollment still needs to be configured. The error goes away when I check this box:

Screenshot 2025-04-15 143734.png

0 Kudos
Reply