Pre-stage Enrolment and policies stopping

JLTD
New Contributor

Hi all,

I am currently facing a really bizarre issue and not really getting far with support.

I have a prestage enrolment which for the most part works fine. It prompts for authentication and I've set it to pre-populate the 'user creation' screen with the username used on the enrolment authentication prompt.

Policies run in the background as normal; however, after the user is created and it logs in (automated process with the prepopulated fields), any subsequent policies set to run on enrolment complete do not run.

If I use a prestage enrolment which doesn't automatically create the user (so it sits on the login screen), all policies run; however, I then face issues with other things.

If I set the prestage enrolment to create a user (but for me to enter the details manually on the user creation screen), all policies run if I leave it on this screen. If I create the user and log in as it while policies are still running, it will interrupt the process again.

I have tried turning off all check-in options but it doesn't seem to make any difference. I was going to leave it so the prestage enrolment skips user creation (this allows all policies to run normally); however, I then face other issues (not specifically related to Jamf). The Jamf.log doesn't show much other than the machine name changing and the user logging in, but then it doesn't carry on running the enrolment policies.

Looking through the logs, the only thing I can really see is that the policies do not run after the machine name change is reflected within the log (however, the policy to initiate this change is the first policy to run after enrolment).

 

Does anyone have any ideas at all?

 

Here are examples from jamf.log. The last policy to run after enrolment should be a reboot, however it never gets that far. 

Wed Jun 22 00:22:41 No Name jamf[1424]: Installing MicrosoftRemoteDesktop_10.2.1_Config.dmg...
Wed Jun 22 00:22:58 MacBook Pro jamf[1424]: Executing Policy 8 Set Host Name
Wed Jun 22 00:23:36 UKC02S30UNG8WN jamf[2268]: Removing existing launchd task /Library/Application Support/JAMF/tmp/com.jamfsoftware.task.launchSelfService.plist...

 

Tue Jun 21 08:35:47 No Name jamf[1756]: Installing Google Chrome 96.0.4664.55 CDP...
Tue Jun 21 08:36:12 No Name jamf[1756]: Successfully installed Google Chrome 96.0.4664.55 CDP.
Tue Jun 21 08:36:41 UKC02VD08RG8WN jamf[2463]: Removing existing launchd task /Library/Application Support/JAMF/tmp/com.jamfsoftware.task.launchSelfService.plist...

 

Fri Jun 17 01:10:12 No Name jamf[1337]: Installing Chrome96.0.4664.55.pkg...
Fri Jun 17 01:10:14 UKC02S30UNG8WN jamf[1750]: No container info found for disk with ID disk2
Fri Jun 17 01:10:28 UKC02S30UNG8WN jamf[1750]: Removing existing launchd task /Library/LaunchDaemons/com.jamfsoftware.task.bgrecon.plist...
Fri Jun 17 01:10:42 No Name jamf[1337]: Successfully installed Chrome96.0.4664.55.pkg.
Fri Jun 17 09:11:03 UKC02S30UNG8WN jamf[2555]: Removing existing launchd task /Library/Application Support/JAMF/tmp/com.jamfsoftware.task.launchSelfService.plist...

 

Thu Jun 23 02:45:02 JamFVPN's MacBook Air jamf[1505]: Installing Fonts.pkg...
Thu Jun 23 02:45:25 JamFVPN's MacBook Air jamf[1505]: Successfully installed Fonts.pkg.
Thu Jun 23 02:46:14 UKFVFZ40L5LYWM jamf[2507]: Removing existing launchd task /Library/Application Support/JAMF/tmp/com.jamfsoftware.task.launchSelfService.plist...

 

I have tested on various different models of MacBook (all running Monterey).

Manual enrolment works without any issues.

This screenshot shows policies which should run after enrolment complete:

enrolment policies.png

 

This screenshot shows what policies actually ran:

policies which ran.png

 

It almost seems that the change of user from _mbtsetupuser to the user which automatically logs in (JamfVPN in this case) is causing the policy sequence to break and so stops running any remaining policies.
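The log excerpts in the post above can be checked mechanically. The following is an added example, not part of the original post or of Jamf's own tooling: it groups jamf.log lines by jamf process ID and reports where the first process stopped, which installs never logged a success line, and which process took over under a different computer name. Treating the first PID in an excerpt as the enrolment run is an assumption; the sample lines are copied from the first excerpt above.

```python
import re

# jamf.log line: "<dow> <mon> <day> <time> <computer name> jamf[<pid>]: <message>"
# The computer name can contain spaces, so it is matched lazily up to " jamf[".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>.+?) jamf\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Sample input: the first jamf.log excerpt from the post above.
SAMPLE = """\
Wed Jun 22 00:22:41 No Name jamf[1424]: Installing MicrosoftRemoteDesktop_10.2.1_Config.dmg...
Wed Jun 22 00:22:58 MacBook Pro jamf[1424]: Executing Policy 8 Set Host Name
Wed Jun 22 00:23:36 UKC02S30UNG8WN jamf[2268]: Removing existing launchd task /Library/Application Support/JAMF/tmp/com.jamfsoftware.task.launchSelfService.plist...
"""

def runs_by_pid(log_text):
    """Group log lines by jamf PID, in order of first appearance."""
    runs = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or non-jamf line
        run = runs.setdefault(m["pid"], {"pid": int(m["pid"]), "hosts": [],
                                         "pending": [], "last": None})
        if m["host"] not in run["hosts"]:
            run["hosts"].append(m["host"])
        msg = m["msg"]
        if msg.startswith("Installing ") and msg.endswith("..."):
            run["pending"].append(msg[len("Installing "):-3])
        elif msg.startswith("Successfully installed "):
            item = msg[len("Successfully installed "):].rstrip(".")
            if item in run["pending"]:
                run["pending"].remove(item)
        run["last"] = (m["ts"], msg)
    return list(runs.values())

def handoff(runs):
    """Return (first run, first later run logging under an unrelated name)."""
    first = runs[0]  # assumption: the excerpt starts inside the enrolment run
    for run in runs[1:]:
        if not set(run["hosts"]) & set(first["hosts"]):
            return first, run
    return first, None

if __name__ == "__main__":
    first, nxt = handoff(runs_by_pid(SAMPLE))
    print("enrolment PID", first["pid"], "names:", first["hosts"])
    print("last logged:", *first["last"])
    print("installs with no success line:", first["pending"])
    print("next PID:", nxt and (nxt["pid"], nxt["hosts"]))
```

Run against a full jamf.log from a rebuilt Mac, the `pending` list and the last logged message of the first PID show how far the enrolment-triggered chain got before the new process appeared.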

2 REPLIES

sdagley
Honored Contributor II

@JLTD Running a large number of policies triggered by Enrollment Complete is not recommended. You should look at the combination of https://gitlab.com/Mactroll/DEPNotify and https://github.com/jamf/DEPNotify-Starter which allows you to have a single Enrollment Complete triggered policy which in turn calls your list of setup policies.

JLTD
New Contributor

Think I may have fixed it.

In the prestage enrollment we had it set to create an Administrator account pre Setup Assistant. If I remove this option everything works absolutely fine.

It seems that the policies run as this administrator account. The prestage enrolment then creates the local user (based on LDAP lookup) and automatically logs that user in. The logging in as this LDAP created user interrupts the 'flow' of the policies started by the administrator account.

I have verified this by making the changes to the different prestage enrolments we have and also by wiping and reinstalling 4 MacBooks. All work fine after removing the creation of the pre Setup Assistant administrator.

 

**After further testing there still seems to be some strange behaviour. Looking through the logs, it also looks as if the check to run policies on login is causing this to also fail. I rebuilt one device and as soon as the automatically created user logged in I noticed within the Jamf.log that all enrolment complete triggered policies stopped. I have unticked the check-in option and am in the process of rebuilding this Mac now to see if it fixes it. It seems that the user logging in causes this break in the flow. Has anyone else experienced this at all?