Prestage enrollment local admin not creating secure token in Ventura 13.2.1

bcameron
New Contributor III

I have a Prestage set up that creates a local admin user.

It works correctly in Monterey or before.

Ventura it stopped working.

My work around right now is to not add the machine to pre-enrollment until after I manually setup the local admin user then add the machine to Pre-Enrollment and run [profiles renew -type enrollment] from CMD.

I would like to get my pre-enroll working again.

Any suggestions?


mariopena
New Contributor III

I just got some new MacBook Pros and MacBook Airs (M1/M1 Max/M2/M2 Max) and the same thing is happening to our devices. They all had Monterey still on them out of the box. I enrolled 3 of them but our Pre-stage enrollment did not escrow the secure token. I'm pretty new to this JAMF thing and I'm at a loss. My Local admin account can do and install everything except for Software updates.

bcameron
New Contributor III

You are having this issue in Monterey too? The Monterey machines I have left still work, that's how I know my Pre-Enroll was not compromised somehow.


mariopena
New Contributor III

I just got a MacBook Air (M2 2022) that had Monterey out of the box. It created my Local Admin Account from Pre Stage enrollment and My Account when I enrolled it. But I cannot update to Ventura because neither of the accounts has a Secure token escrowed. Same Issue with 2 MBPs with M1 and M2 Max that I got a few months ago.

bcameron
New Contributor III

To add to the issue, if using Pre-Enrollment to create the admin user, at least 60% of the time the user will not accept the password to log in. I have to wipe the machine and restore the OS and try again. 

I have tried going into recovery mode and using [resetpassword] from terminal. You can reset the password and log in but the user permissions are not correct and they are uncorrectable even using sudo or su to root. It says operation denied for permissions change.

This is definitely a JAMF issue because if I set the Local admin user up manually Ventura works correctly.

mariopena
New Contributor III

So did you remove the Option to create the Local Admin user from Pre stage enrollment, enroll the machine and then create the Local Admin? Or did you Remove the device from Pre Stage enrollment and enroll it Manually? I'm just trying to figure out what my workflow will look like because I'm going to be replacing 4 Labs this summer and a few Mobile Users with MBP and Mac Mini Users. Also I'm pretty new to this type of management position and I'm just trying to learn how to script. Most of my fleet is still Intel based and I have not had any issues with those even after resetting/restoring.

bcameron
New Contributor III

Yes I removed the admin acct. creation. It still seemed to create it. It asked me to create one at the setup process but won't let me create the admin user with the same name because, I guess, it still creates an invisible one.

mariopena
New Contributor III

Just wanted to follow up about the issue at hand. So I played around with my Pre Stage enrollment. Actually ended up creating a brand new one with everything my old one had except for the creation of the local admin account. I reset a 2022 M1 MacBook Air that I had and used my new enrollment to enroll it. I used my account as the first login. Security Token was escrowed to the device and I was able to update it from Monterey to Ventura. Still playing around to see if our workflow needs to change and what else will be different as far as administration of these new M1 and newer devices.

bcameron
New Contributor III

What OS version is it working on? I rebuilt mine from the ground up and it still does not work on Ventura.

mariopena
New Contributor III

I just enrolled 4 Mac Minis, 6 MacBook Pros and 4 iMacs running Ventura. Enrolled under my new Prestage Enrollment which does not create an admin UN/PW upon enrollment. Rather it issues the secure token to the person that enrolled it, in this case, me/my account. I then went into accounts, created the Admin UN/PW and logged in with it to remove myself as an Admin. No issues updating software and JAMF shows that the secure token has been issued to the endpoint.

svonderbruegge
New Contributor II

I apologize if this solution sounds about the same as "shake it and see if that works" but while having the same problem as @bcameron I tried sudo softwareupdate -i -a -R as the local admin created during the prestage. Safari was the only app that showed as available. I quit Safari, let the install of Safari complete and then I went back to the Install macOS Ventura screen. I went through the steps again and when I entered the local admin credentials the install process started as expected. I have a hard time believing that updating Safari via terminal had anything to do with this but maybe the update "shook something loose".

cdprice
New Contributor

Has anyone reported this? This problem started for us last week. Doesn't matter what model device or what OS is installed. I have 152 new in box iMacs to deploy and so far I have seen no suitable solutions.

mariopena
New Contributor III

See my reply above... Apple is no longer allowing the creation of Admin Accounts during pre-stage enrollments from what I can tell for Apple Silicon. See the info straight from Apple below: the first user to enroll the device is granted the bootstrap token, not the admin account set in pre-stage enrollment anymore. So it's not really a JAMF issue, it's the way Apple changed things when they went to Apple Silicon. What I had to do to make this work is that I created a new Pre-Stage enrollment identical to the one I use for my Intel Macs but removed the Admin Account creation. I moved all of the new Apple Silicon devices to that Pre-Stage enrollment. Enroll them with my account, my account gets granted the bootstrap token and then currently I am manually creating the Admin account and removing myself as admin after that. It's a pain in the butt. I'm trying to look for ways to automate that right now. I have 3 iMac Labs to replace this summer with Mac Minis, so it's gonna be fun.

https://support.apple.com/guide/deployment/use-secure-and-bootstrap-tokens-dep24dbdcf9e/web

That is odd, it works one minute and not the next. I set up 10 identical new MacBook Pros for a laptop cart a few days ago. It worked on 1/2 of them, the other 1/2 had to be erased in order for the admin account to create properly. I am testing with a Mac Mini now; after erase and reinstall and a new Prestage created, it created the account and the account's folders are not locked this time but the password doesn't work for updates. Just more steps now for setting up labs/classrooms. Feel like we are going backwards again.

mariopena
New Contributor III

For sure!! I can tell you that not creating the admin account through the Pre-Stage enrollment has made it easier for me. I'm a 1 man show here in my school district and having to reset brand new devices is much more time consuming than creating the admin account after the fact. I'm pretty new to this whole MDM thing and I'm not really impressed. LOL. Good Luck!!!

bcameron
New Contributor III

Another feed here solved this for me. Adding a script that logs the created Admin in and out to create the token is working.

I found it in this thread: https://community.jamf.com/t5/jamf-pro/automatic-secure-token-from-enrollment/td-p/268418

bcameron
New Contributor III

I found another solution.

1. Create another "Local" admin acct. using the primary admin acct. without token.

2. Log in with the second acct.

3. Run the following cmd (straight quotes; the names and passwords are placeholders): sudo sysadminctl -adminUser "SecondAdminAccount" -adminPassword "password" -secureTokenOn "OriginalAdminAcct" -password "Password"
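As an added example (not code from the thread or from Jamf), a script that checks which local accounts already hold a secure token, reports whether the bootstrap token is escrowed to the MDM, and then runs the same sysadminctl grant as the steps above from the first account that has a token. Account names are placeholders; the parsing functions take the tool output as text so they can be checked without a Mac.

```shell
#!/bin/bash
# Added example, not from the thread. Placeholder account names; the live parts run on macOS only.
# sysadminctl writes its status line to stderr, e.g. (constructed sample)
#   "2023-03-01 10:00:00.000 sysadminctl[501:1234] Secure token is ENABLED for user admin"
# parse_token_status turns that text into ENABLED / DISABLED / UNKNOWN.
parse_token_status() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# `profiles status -type bootstraptoken` prints "Bootstrap Token escrowed to server: YES/NO";
# this extracts that answer (YES / NO / UNKNOWN).
parse_bootstrap_escrowed() {
    case "$1" in
        *"escrowed to server: YES"*) echo YES ;;
        *"escrowed to server: NO"*)  echo NO ;;
        *)                           echo UNKNOWN ;;
    esac
}

# token_status USER: queries the live system (macOS only; 2>&1 because sysadminctl uses stderr)
token_status() {
    parse_token_status "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# find_token_holder: first local account (UID >= 500) that already holds a secure token
find_token_holder() {
    dscl . -list /Users UniqueID | awk '$2 >= 500 {print $1}' | while read -r u; do
        if [ "$(token_status "$u")" = ENABLED ]; then echo "$u"; break; fi
    done
}

# grant_token HOLDER HOLDER_PW TARGET TARGET_PW: the same sysadminctl call as the steps above
grant_token() {
    sudo sysadminctl -adminUser "$1" -adminPassword "$2" -secureTokenOn "$3" -password "$4"
}

# Usage: ./fixtoken.sh TARGET_ADMIN   (passwords are prompted, not passed on the command line)
if [ "$(uname)" = Darwin ] && [ -n "$1" ]; then
    target=$1
    echo "bootstrap token escrowed: $(parse_bootstrap_escrowed "$(profiles status -type bootstraptoken 2>&1)")"
    if [ "$(token_status "$target")" = ENABLED ]; then echo "$target already has a secure token"; exit 0; fi
    holder=$(find_token_holder)
    [ -n "$holder" ] || { echo "no local account holds a secure token; sysadminctl cannot grant one" >&2; exit 1; }
    read -r -s -p "Password for $holder: " hpw; echo
    read -r -s -p "Password for $target: " tpw; echo
    grant_token "$holder" "$hpw" "$target" "$tpw" && token_status "$target"
fi
```

If no local account holds a token at all (the situation several posts above describe), the script stops, because sysadminctl can only copy a token from an account that already has one.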

bcameron
New Contributor III

I needed a solution to fix a couple of machines I had in the wild that I could not wipe to fix. This did it.

mariopena
New Contributor III

Sweet!!! That will work with the ones I have out there in the wild too!!


Thanks