Posted on 04-22-2021 08:08 AM
I’ve got an interesting dilemma with new employees.
Currently, we are a Gsuite shop, using all Mac hardware. Jamf is configured to verify employees against Gsuite with an LDAP connection during the initial enrollment.
However… On an employee’s first day, when they are handed a laptop, they cannot enroll in Jamf, because they have not yet logged into Gsuite for the first time. Right now, this has us directing them to use a personally owned device to log into their email for the first time and change their password, before they set their laptop up. This is awkward and confusing for a lot of non-technical folks who don’t understand why they can’t just log into their laptop first.
How have others solved this? Is it adjusting the workflow? Or is there a better process?
Posted on 04-22-2021 08:25 AM
@user-SARWUJQFcj What about setting up Google SSO and using that in your PreStage? You can still keep the LDAP intact and use it during inventory runs to bring in more info than SSO typically does. Alternatively, if your wireless infrastructure can do captive portals, then use Google for that, and the resulting splash page will allow the password to be set up.
Posted on 04-22-2021 12:17 PM
I'm not sure how much different Google SSO would be... would it not still fail since the user hadn't yet logged into their Google account for a first time?
As for captive portals... our workforce is still 100% remote at this time (thanks COVID), so that's not an option for us at this time.
Posted on 04-23-2021 04:59 AM
@user-SARWUJQFcj An SSO login during a PreStage will display a captive-portal-like window versus the basic user+pass popup that LDAP gives you. I've been able to reset passwords within them before.