Updating Beyond 10.47 and LAPS

mstydel
Contributor

We are looking to upgrade from 10.47 to 10.50.  We've held off going beyond 10.47 while we worked on devices this summer due to the changes implemented with LAPS. 

Currently we have a management account configured in the "User-initiated enrollment" settings. From what I understand, the password specified here will no longer be an option to be set on all computers for this account, and it will now rotate on each device with a randomly generated password and be stored in the device record in Jamf. That is fine as we do not typically ever need to use that account unless something went wrong during enrollment, which typically we just wipe and start again anyways.

My first question with that change: We have 4-5 computers that have the "Allow Jamf Pro to perform management tasks" box unchecked on the Inventory>General page, as essentially we do not want Jamf to do anything with them, and when we do, we recheck the box and type in our management account password, then when we're done we uncheck the box again. Now that this password is going to be rotated and random, what happens with these computers? Does the password change on them still and I have to look it up and paste it into that page when I want to check the box (which is fine)? Does the password not rotate because it's not "managed"? As far as I know, Jamf can't do anything to these computers really, though, so how does the password change or stay listed in the inventory? Since it's only a few machines, I can recheck the management box before updating and then have each of them check-in/inventory once afterwards to get the password "rotated" one time and then uncheck them again.

My next question is regarding prestage enrollment and the account creation option. Prior to this summer we did not have any account settings specified in the Account Settings section of our prestage enrollment. We set up each machine ourselves in our school district and then profile for the user later. We used the Account Creation during the Setup Assistant on the computer to make our local administrator account. Starting this summer, rather than typing that username and then password twice into every machine and occasionally having a typo (making it hard or impossible to log in after and then having to use the management account to delete and recreate the local administrator), we now have the prestage set to "create a local administrator account before the Setup Assistant", "Make the local administrator account MDM-enabled", and then "Skip Account Creation". During the Setup Assistant we now go from the enrollment page, to Location Services, then jump to the login screen and log in with our local administrator account that was created for us.

The release notes/documentation make it sound like the password for making a local admin during the prestage enrollment is now rotated as well. Is this the case? We use the local admin password very frequently and having to look at the computer record each time we need to use it is not going to work in our environment. If this is the case, am I correct that we now need to uncheck "Create a local administrator account before the Setup Assistant" and then in the lower section change the "Skip Account Creation" back to "Administrator Account" and manually type the info during enrollment again? This is fine if this is the case, we've done it in the past. I see we can pre-fill the primary account information then and at least not have to type the Full Name/account name each time.
