prestage enrollment for macOS X not working

New Contributor

hi all,
i want to set up a zero touch configuration, but the process stops after the prestage enrollment :(
i have AD, and want to have mobile accounts created on login. a local hidden admin account should be created too.
this is how far it goes now:
i get asked for username/password
i get asked to create an account for the previously entered username/password (which shouldn't happen at all)
here my process stops. meaning the policies i've created to install printers and some software do not run. they cannot run, because remote login is not enabled, and the hidden admin account is not created. but the profile is installed. the machine is still listed as unmanaged in the inventory list.
i'm not bound to the configured AD
after binding manually to the domain, i can login with domain users and managed accounts will be created automatically
what am i missing or what is wrong here?
any help is welcome :)

btw: when i connect to https://myjamf/enroll, login, download and install the package, my policies get executed and the machine is listed as managed.



What kind of image are you using? Are they in the scope of the prestage enrollment and in DEP? Those are usually the culprits as we have only been able to image machines that are on the initial startup screen with a blank OS image from AutoDMG or a new machine.

Valued Contributor II

are you connected to the network?
is the scope assigned to the machine?
You have to wipe/reload the machine in order for it to register the DEP.

New Contributor III

The documentation is extremely light around the Directory payload for the PreStage Enrolments. I'm also trying to figure out what each field refers to.

The quickadd should still install tho, others have related that to the Allow MDM profile removal setting.

will reply if i figure out the Directory payload fields.

Valued Contributor II

my ad binding is working for prestage/dep

the directory server username is incorrect in your screenshot, it should be an account with binding rights (lan id).

the hostname of the server isn't populated in yours, it should be something like

client id is the machine name, you can look in the admin manual for options, I use $SERIALNUMBER - then during the setup of the machine to install the extra stuff, I unbind, change the name to our naming convention, then rebind - annoying but whatever. If you look in the admin guide and search for $SERIALNUMBER it will bring you to the list of options you can use.

the Organizational Unit is the bucket you use to put the machines in (this can be copied from your AD Binding Profile in jamf)

New Contributor

@rhoward: i'm not using any image. i'm unpacking a brand new mac, switch it on the first time and want to get it configured by zero touch magic
@Key1: you can even say, the documentation is non-existent for that :( and yes, quickadd is running and doing what i've configured in the policies. but quickadd is not the way to go
@jwojda: yes, i'm connected to the network and the scope is assigned. the AD hostname is removed only for the screenshot. the AD binding is working fine. yes, i will switch to SSL as soon as this is working.
but this shouldn't happen:
now i have that:
where this seems to be related to ldap attribute mappings: