Pre-Stage Enrollment & Passwords on Big Sur

arlogilbert
New Contributor II

Having two issues. Any feedback?

1) We have the options set to create a "Standard" user, but users are always configured as admins. We can remediate by downgrading them with a script, but this seems super odd. Screenshot attached.

2) We have an enrollment customization set to prefill and force account details. The username & full name are correctly pre-filled and locked, but the user is able to choose their own password (we need it to be the same as the one we assigned them). All the docs seem to suggest that the password will be set once they log in successfully through the LDAP-based custom enrollment pane (which works well and authenticates correctly)... yet they are always still able to choose their password.

Thoughts?
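For the first issue, the post mentions demoting the accounts with a script. The following is an added example, not code from the thread or from Jamf, of a least-privilege cleanup that reports (and only on request demotes) any local account that is in the macOS `admin` group but not on an approved list. The names in `APPROVED_ADMINS` are hypothetical; `dscl` and `dseditgroup` are the standard macOS tools, while the decision logic is kept in a plain function so it can be exercised on any POSIX shell.

```shell
#!/bin/sh
# Added example (not from the original post): demote local admin accounts
# that are not on an approved list. Dry run by default; --demote acts.

# Accounts allowed to keep admin rights (hypothetical values).
APPROVED_ADMINS="localadmin jamfmgmt"

# is_approved NAME -> returns 0 if NAME is listed in APPROVED_ADMINS.
is_approved() {
    for a in $APPROVED_ADMINS; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# accounts_to_demote "MEMBERS" -> prints, one per line, every member that is
# not approved, skipping root. MEMBERS is a whitespace-separated list, which
# is how dscl prints the GroupMembership attribute.
accounts_to_demote() {
    for u in $1; do
        [ "$u" = "root" ] && continue
        is_approved "$u" || printf '%s\n' "$u"
    done
}

# read_admin_members -> current members of the local admin group (macOS).
read_admin_members() {
    dscl . -read /Groups/admin GroupMembership | sed 's/^GroupMembership: *//'
}

# main [--demote]: report what would change; with --demote, remove the
# accounts from the admin group.
main() {
    if ! command -v dscl >/dev/null 2>&1; then
        echo "dscl not found: this only does anything on macOS" >&2
        return 0
    fi
    members=$(read_admin_members) || return 1
    accounts_to_demote "$members" | while read -r u; do
        if [ "$1" = "--demote" ]; then
            echo "demoting $u"
            dseditgroup -o edit -d "$u" -t user admin
        else
            echo "would demote $u (re-run with --demote to apply)"
        fi
    done
}

main "$@"
```

Run it once without arguments to see the report, then with `--demote` from a policy once the approved list is right; keeping at least one management account on the list avoids locking yourself out.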

2 REPLIES

walt
Contributor III

Yes, this is expected behavior, at least from what I was told from both Jamf and Apple; they are not able to pass secure credentials (i.e. password) to another form. So the user can ultimately put whatever password they want in the account setup screen.

We resolve this with the EnterpriseConnect configuration profile (Kerberos SSO Extension though I dislike that name/term lol), as we use Microsoft for LDAP and that resyncs the password during initial setup. If you have JamfConnect that is another option. But this is just my experience and others may have better input/experience with a Google setup and I'd be curious to know as well...

arlogilbert
New Contributor II

Thanks Walt.

We use Google's Enterprise offering and their secure LDAP as the directory in Jamf, so Enterprise Connect (Kerberos) is not an option for us.

We're using JumpCloud and the JC agent to keep Mac passwords & Google passwords in sync. We tried Jamf Connect but as it turns out, Jamf Connect can't sync the Google password to the machine, so we had to switch. The docs now make that clear, but when we bought it the docs did not disclose this failure. Thankfully with JumpCloud, once the agent launches, the user has to verify their password and then reset, so this is more of an annoyance than a crisis.

With so many remote workers now it's kind of surprising how much duct tape & WD-40 is holding together the enterprise authentication of users on Macs.

At this point I'd be thrilled if Apple brought back their ability to login with iCloud as we all now have the ability with Apple Business Manager to federate identities to ABM and it works flawlessly.