PreStage Enrollments cannot be created or configured by site admins, this needs to change

ostrowsp
New Contributor III

While setting up PreStage Enrollments, we set up our Automated Device Enrollment and assigned a site, since only one department was using this feature. This worked great because it allowed the site admins to add and configure PreStage Enrollments for their site. Now we are looking at expanding PreStage Enrollments to other sites, but there is no way to give more than one site access. We changed the Automated Device Enrollment configuration to assign it to no site, but now site admins cannot see or create PreStage Enrollments. Also, you cannot add more than one Automated Device Enrollment config (i.e. create one for each site).

This means only Jamf admins can create and configure PreStage Enrollments and assign devices.

Jamf needs to make it so all site admins can use PreStage Enrollments when no site is assigned to Automated Device Enrollment. If this needs to be locked down, we can already use group permissions to do this.


MLBZ521
Contributor III

Each Site would need to have its own ADE Token. Last I checked, you can have multiple ADE Tokens per Site. You can also have multiple PreStage Profiles per Site.

We used to have over 120 Sites each with their own ADE Tokens. Thankfully, we've been able to force most of our groups to consolidate their Sites and now have under 50 with additional consolidation planned.

We also have our Site Admins manage their own ADE Tokens and PreStage Profiles. This allows them to control/manage Activation Lock on devices.

ostrowsp
New Contributor III

When I try to add another ADE token (from ASM) into Jamf ADE, it tells me it's already in use. In ASM, if you create another one, it tells me that the old one will no longer work.

I emailed Jamf support; this is their response:

What you are seeing with Global Management -> Automated Device Enrollment is correct as well.
If we assign it to a Site, users should have access to it, but an Automated Device Enrollment instance can only be assigned to one Site.
I did some additional testing and spoke with an Engineer, and what we are seeing as far as PreStages not being visible to Site users is correct and expected.
Like we said, we can certainly put in a Feature Request to have this changed, but it is what is expected for now.

spalmer
Contributor III

@ostrowsp We have 50+ sites and each site has its own entry under Settings>Global Management>Automated Device Enrollment and it has been working well for us for 4 years.

We had the same question when we first started doing ADE. Our Apple SE rep let us know that it is not readily apparent in the Apple School Manager documentation at https://support.apple.com/guide/apple-school-manager-m/add-mdm-servers-asm1c1be359d/web (and I assume possibly the same for Apple Business Manager) that what Apple calls an “MDM Server” does not need to represent a unique Jamf Pro server with a unique URL. Even Jamf’s documentation at https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Integrating_with_Automated_Device_Enrollm... doesn’t explain that point. So for each Site in Jamf Pro you will want to create a matching MDM Server in ASM/ABM.

You will use the same public key (.pem) from your Jamf Pro server when creating each MDM Server in ASM/ABM, which is fine because the Download Token button will generate a unique token for each MDM Server. Once you have the MDM Server created and token downloaded you will create a matching ADE entry in each Jamf Pro site and upload the token from the matching MDM Server.

We name each MDM Server to match the Site name in Jamf Pro to make it easy to understand which Site you are assigning devices to in ASM/ABM. We also name the ADE entry we create for each Site in Jamf Pro to match the Site name. This really helps when you have a very large number of Sites, because it makes it very clear, at each step of the token renewal process that you need to do on a yearly basis for every Site, which one you are renewing the token for.

Once this is set up, the admin(s) for each Site can create PreStage Enrollments tied to the ADE entry for their Site and they will only be able to add devices to their PreStages from the pool of devices assigned to their Site/MDM Server via ASM/ABM.
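As an added example (not from the thread and not Jamf's own code or API), a small audit of the per-Site layout described above: every Jamf Pro Site should have an ADE entry assigned to it and named to match, no entry should be left with no Site (the state in which site admins lose sight of their PreStages), and each token's yearly renewal date should be tracked. The record shape and sample data are constructed for the example, not the Jamf Pro API schema.

```python
"""Audit a per-Site Automated Device Enrollment (ADE) layout in Jamf Pro.

Added example; the record shape below is a constructed stand-in for an
export of Settings > Global Management > Automated Device Enrollment,
not the real Jamf Pro API schema.
"""
from datetime import date, timedelta

# Constructed sample data: Sites in Jamf Pro and the ADE entries that exist.
SITES = ["Engineering", "Library", "Admissions", "Nursing"]
ADE_INSTANCES = [
    # Healthy: assigned to a Site and named to match it.
    {"name": "Engineering", "site": "Engineering", "token_expires": "2025-03-01"},
    # The thread's failure case: entry left with no Site, so site admins
    # cannot see or create PreStages for it.
    {"name": "Library", "site": None, "token_expires": "2025-09-15"},
    # Assigned, but the name does not match the Site (renewal gets confusing).
    {"name": "ADE Token 2", "site": "Admissions", "token_expires": "2024-12-31"},
    # "Nursing" has no ADE entry at all.
]


def audit_ade(sites, ade_instances, today, renew_within_days=30):
    """Return findings per category; every list empty means the layout is clean."""
    by_site = {a["site"]: a for a in ade_instances if a["site"]}
    findings = {
        "sites_without_ade": [],  # site admins here cannot use PreStages
        "ade_without_site": [],   # global entries invisible to site admins
        "name_mismatch": [],      # entry name differs from its Site name
        "tokens_to_renew": [],    # yearly token renewal due or overdue
    }
    for site in sites:
        if site not in by_site:
            findings["sites_without_ade"].append(site)
    for ade in ade_instances:
        if ade["site"] is None:
            findings["ade_without_site"].append(ade["name"])
        elif ade["name"] != ade["site"]:
            findings["name_mismatch"].append((ade["name"], ade["site"]))
        expires = date.fromisoformat(ade["token_expires"])
        if expires - today <= timedelta(days=renew_within_days):
            findings["tokens_to_renew"].append((ade["name"], ade["token_expires"]))
    return findings


if __name__ == "__main__":
    for category, items in audit_ade(SITES, ADE_INSTANCES, date(2025, 2, 15)).items():
        print(f"{category}: {items}")
```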

ostrowsp
New Contributor III

Thanks for the response. I will need to try this. What's interesting is Jamf's documentation says
"Note: A single server token file can only be assigned to one device enrollment instance in Jamf Pro." https://docs.jamf.com/best-practice-workflows/jamf-pro/enrolling-devices-automated-mdm/Integrating_with_Apple_Business_Manager_and_Apple_School_Manager.html

So it sounds like it's not possible, and there is no mention of sites. They need to update their documentation to reflect this.