- Jamf Nation Community
- Products
- Jamf Pro
- PreStage Enrolment vs Normal Enrolment
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-03-2021 08:00 AM
Hi Guys 👋
New here, so please forgive me if this is a silly question and I'm getting all of the terminology wrong.
We recently acquired Jamf Pro and we've got it up and running with a few basic policies. So far we've only enrolled devices manually (with either an email invite or downloading the agent from our Jamf instance). Policies and everything work just fine on enrolled devices which is great.
We've also configured the PreStage Enrolment integration so that Apple Business Manager (ABM) and our Jamf console are linked, which all worked without a hitch, but I'm confused about the PreStage Enrolment policy.
I don't understand how we 'transition' a device from PreStage enrolment to a 'full enrolment' - i.e. - if I PreStage enrol a device, does it then just pick up all of the policies and config I've configured for my other devices that are assigned to 'All managed devices', or do I need to recreate my other policies in the PreStage enrolment settings? All I really want to do is suppress some of the Set up wizard and have the device join the Jamf Pro instance as normal.
Any basic pointers would be much appreciated.
Mitof
Solved! Go to Solution.
1 ACCEPTED SOLUTION
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-03-2021 08:16 AM
Any computers that enroll via Automated Enrollment with a Prestage Enrollment would be considered managed, and would fall into the scope of all managed computers. So yes, it would pick up any policies and configuration profiles you have set up with that scope. They will run on their appropriate triggers - next recurring check in, at enrollment, etc.
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-03-2021 08:16 AM
Any computers that enroll via Automated Enrollment with a Prestage Enrollment would be considered managed, and would fall into the scope of all managed computers. So yes, it would pick up any policies and configuration profiles you have set up with that scope. They will run on their appropriate triggers - next recurring check in, at enrollment, etc.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-03-2021 09:03 AM
Thank you very much, that's honestly so helpful. My only follow-up (if I may) is about account creation. I create a local admin account when enrolment complete's per my normal policy, applied to all managed devices. In terms of the flow, if I PreStage the enrolment successfully, will that account be created straight away? I.e. Can I leave the user creation stage of the setup wizard enabled for the purpose of creating the local user, and the local admin will be created separately (and be usable) within a short enough time frame to do the remainder of the setup?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-03-2021 09:26 AM
You can even have the prestage create the user and bypass the user creation part of setup assistant entirely if you want - or yes, you can do that manually
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-03-2021 09:56 AM
Great, thank you. I'll start playing around to see if I can get where I want to be. Much appreciated!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-03-2021 11:38 AM
It might be easier to understand by explaining the three types of enrollment; "automated enrollment," "device enrollment" and "user enrollment." "Normal enrollment" and "full enrollment" aren't defined enrollment types, and those names may lead to confusion.
Since you are migrating from another MDM, or using MDM for the first time, device enrollment via the methods you describe (invitation or user initiated enrollment) work well for Device Enrollment, and probably get you where you need to be. Automated Device Enrollment requires devices to be erased and enrolled during Setup Assistant and is therefore impractical for devices that have already been deployed.
Every situation is different, and you only need to worry if you need the subset of management commands that require Supervision. If you do, then iOS and iPadOS devices will need to be erased, but there are some tricks to get macOS devices supervised without erasing (see 'Supervision' link).
That being said, the difference is only apparent when dealing with MDM management. Since the Jamf Management framework predates MDM, policies, restricted software records, extension attributes, etc. don't care how the device is enrolled.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-07-2021 01:45 AM
Thank you for taking the time to elaborate, that's very useful. Our use-case is that we want to device enrol macOS devices manually where they already exist, but want it done automatically when we buy a new device from an Apple Auth. Reseller.
We've recently done the latter, and just setup our Pre-Enrolment policy, so hopefully those devices will auto-enrol when they're finally unboxed/connected. 🤞
