Pre-filling primary account information in Prestage Enrollment

mdp
Contributor

Trying to do zero touch with our next batch of computers, so I've been working on a new Enrollment Profile. Everything's working well...with one exception.

The test computer is in prestage with all the user fields filled in. The idea was, they turn on their MacBook, get to the Create a Computer Account screen, and everything's prepopulated (and can't be changed) except the password. So in the Enrollment Profile under Account Settings, I have "Pre-fill primary account information" checked, then "Device owner details" for Information Type, then "Lock primary account information" checked.

What's happening in actuality is nothing's getting prefilled. All the fields are blank on the Create a Computer Account page.

The one curious thing I'm seeing is that when I look at that computer in Jamf, sometimes the User and Location fields are still blank by the time the computer gets to the Computer Account screen — almost like the prestage info isn't getting to Jamf fast enough to prepopulate the fields. (The info shows up in Jamf shortly thereafter.) Maybe a clue, maybe not. 

Hoping to hear any ideas as to what's going on, and happy to give more info that anyone needs to diagnose. Cheers!

---
Matthew Prins -- Jamf Scripts @ Github
7 REPLIES

Anonymous
Not applicable

In order for the setting to work you need some sort of authentication prior to the setup assistant: either SSO customization or LDAP "require authentication". That information will pass as user account information and lock in the setup assistant.

That did cross my mind, but on the Jamf Pro documentation about prestage enrollments, it says:

  • Device Owner's Details: This option sets the account name and account full name based off of the Username and Full Name values in the computer's inventory information at the time of enrollment. If authentication is required during enrollment, the user's information is associated with the device using a lookup from Jamf Pro to LDAP.

The fact that it says "if authentication is required" makes me believe there is some way to do it without authentication. It reads to me like if you're not using authentication, it should just pull from what the preload has — that would be "set[ting] the account name and account full name based off of the Username and Full Name values in the computer's inventory information at the time of enrollment" — but since it's not working, I'm either misunderstanding what can be done or doing a step incorrectly.

---
Matthew Prins -- Jamf Scripts @ Github

mline
New Contributor

Where did you get to with this? I'm trying to get this set up with Azure but no account is being created.

whiteb
Contributor II

[Screenshot: Screenshot 2023-02-15 at 1.57.24 PM.png]

Pretty sure OP actually wants it set up like the above. I made the same mistake: I did 'Device Owner' instead of 'Custom Details' as well, and was wondering why it wasn't populating the local account creation info at all.

Instead you want 'Custom Details' and then use the above variables to get LDAP account info passed through to the local user creation screen.

mline
New Contributor

What about if you don't have LDAP and just run Azure?

whiteb
Contributor II

It looks like you do SAML Token Attributes after SSO is enabled for Azure in Jamf.

https://docs.jamf.com/technical-papers/jamf-pro/managing-jamf-connect/10.19.0/SAML_Token_Configurati...

 

Edit: I didn't realize that documentation is for Jamf Connect, but I think it could still work. Use that method and create an Enrollment Customization.

iMathijs
New Contributor II

Any luck yet?