prestage enrollment for macOS X not working

christianalt
New Contributor

hi all,
I want to set up a zero-touch configuration, but the process stops after the PreStage enrollment :(
I have AD and want mobile accounts created on login. A local hidden admin account should be created too.
This is how far it goes now:
I get asked for a username/password
I get asked to create an account for the previously entered username/password (which shouldn't happen at all)
[screenshots]
Here my process stops, meaning the policies I've created to install printers and some software do not run. They cannot run, because remote login is not enabled and the hidden admin account is not created. But the profile is installed. The machine is still listed as unmanaged in the inventory list.
[screenshots]
I'm not bound to the configured AD.
[screenshots]
After binding manually to the domain, I can log in with domain users and managed accounts will be created automatically.
[screenshot]
What am I missing, or what is wrong here?
Any help is welcome :)

BTW: when I connect to https://myjamf/enroll, log in, download and install the package, my policies get executed and the machine is listed as managed.
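Added example, not from the thread or from Jamf: a small sh triage script a practitioner could run on the Mac right after the PreStage step to confirm the three things the post reports as broken (AD binding, MDM management state, the hidden admin account) before looking at policies. It assumes the output formats of `dsconfigad -show`, `profiles status -type enrollment` (macOS 10.13.4 and later) and `dscl . -list /Users`; the sample outputs, the domain example.com and the account name localadmin are constructed for offline use.

```shell
#!/bin/sh
# Added triage helper, not from the thread. It parses the output of the Apple
# tools an admin would run on a Mac that came out of PreStage enrollment in
# the state described above:
#   dsconfigad -show                  -> AD binding
#   profiles status -type enrollment  -> DEP / MDM enrollment (10.13.4+)
#   dscl . -list /Users               -> whether the local admin account exists
# The SAMPLE_* strings are constructed outputs so the parsers can be exercised
# offline; triage_live runs the real tools and needs root on macOS.

SAMPLE_DSCONFIGAD_BOUND='Active Directory Forest          = example.com
Active Directory Domain          = example.com
Computer Account                 = c02xy1234$'
SAMPLE_DSCONFIGAD_UNBOUND='You are not bound to Active Directory.'
SAMPLE_PROFILES_MANAGED='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'
SAMPLE_PROFILES_UNMANAGED='Enrolled via DEP: Yes
MDM enrollment: No'
SAMPLE_USER_LIST='_mbsetupuser
root
nobody
localadmin'

# Print the AD domain from `dsconfigad -show` output, or nothing if unbound
# (the unbound message contains no "Active Directory Domain" line).
ad_domain_from_show() {
    printf '%s\n' "$1" |
        awk -F'=' '/^Active Directory Domain/ { v=$2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }'
}

# Succeed (exit 0) when `profiles status -type enrollment` reports MDM enrollment.
mdm_enrolled_from_status() {
    printf '%s\n' "$1" | grep -q '^MDM enrollment: Yes'
}

# Succeed when the exact account name appears in `dscl . -list /Users` output.
account_in_list() {
    printf '%s\n' "$1" | grep -qxF -- "$2"
}

# One-line summary. $1/$2/$3 are the three tool outputs, $4 is the local admin
# account the PreStage is expected to create (hypothetical name "localadmin").
zero_touch_summary() {
    domain=$(ad_domain_from_show "$1")
    if mdm_enrolled_from_status "$2"; then mdm=yes; else mdm=no; fi
    if account_in_list "$3" "$4"; then admin=yes; else admin=no; fi
    printf 'ad_bound=%s mdm_enrolled=%s admin_account=%s\n' "${domain:-no}" "$mdm" "$admin"
}

# Run against the real tools (macOS, as root). Not exercised by the offline samples.
triage_live() {
    zero_touch_summary "$(dsconfigad -show 2>&1)" \
                       "$(profiles status -type enrollment 2>&1)" \
                       "$(dscl . -list /Users 2>&1)" \
                       "${1:-localadmin}"
}
```

On the machine from the post, `triage_live` would print `ad_bound=no mdm_enrolled=no admin_account=no`, which matches the inventory showing the Mac as unmanaged: with no MDM enrollment there is no management framework to run the policies, so the missing printers and software are a symptom rather than the fault.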

5 replies

rhoward
Contributor

What kind of image are you using? Are they in the scope of the PreStage enrollment and in DEP? Those are usually the culprits, as we have only been able to image machines that are on the initial startup screen with a blank OS image from AutoDMG or a new machine.

jwojda
Valued Contributor II

Are you connected to the network?
Is the scope assigned to the machine?
You have to wipe/reload the machine in order for it to register the DEP.

Key1
New Contributor III

The documentation is extremely light around the Directory payload for the PreStage Enrolments. I'm also trying to figure out what each field refers to.

The QuickAdd should still install though; others have related that to the Allow MDM profile removal setting. https://www.jamf.com/jamf-nation/discussions/12530/dep-quickadd-failed-to-download

Will reply if I figure out the Directory payload fields.

jwojda
Valued Contributor II

My AD binding is working for PreStage/DEP.

-
The directory server username is incorrect in your screenshot; it should be an account with binding rights (LAN ID).

The hostname of the server isn't populated in yours; it should be something like my.domain.com.

Client ID is the machine name; you can look in the admin manual for options. I use $SERIALNUMBER; then, during the setup of the machine to install the extra stuff, I unbind, change the name to our naming convention, then rebind. Annoying, but whatever. If you look in the admin guide and search for $SERIALNUMBER it will bring you to the list of options you can use.

The Organizational Unit is the bucket you use to put the machines in (this can be copied from your AD Binding Profile in Jamf).

christianalt
New Contributor

@rhoward: I'm not using any image. I'm unpacking a brand new Mac, switching it on for the first time and want to get it configured by zero-touch magic.
@Key1: you could even say the documentation is non-existent for that :( And yes, QuickAdd is running and doing what I've configured in the policies, but QuickAdd is not the way to go.
@jwojda: yes, I'm connected to the network and the scope is assigned. The AD hostname is removed only for the screenshot. The AD binding is working fine. Yes, I will switch to SSL as soon as this is working.
[screenshot]
But this shouldn't happen:
[screenshot]
Now I have that:
[screenshots]
Where this seems to be related to LDAP attribute mappings:
[screenshots]