Ventura; Apple Setup does not create account if system is shut down during Apple Setup

pbenware1
Release Candidate Programs Tester

Greetings,

Curious if anyone has run into this scenario;

We are using JSS cloud, devices enrolled in Apple School Manager and assigned to the JSS, scoped to a Prestage Configuration that bypasses all steps in Apple Setup except Location Services, Registration & FileVault. We're also using an Enrollment Customization Configuration. We do not create a local admin account in our Prestage.

This Prestage is the only one in use and has not changed in years.

 

While setting up a new or freshly-erased-with-new-os Mac:

  • Start the computer, which initiates Apple Setup.
  • Step through the screens to the Remote Management screen.
  • Let the JSS enrollment complete.
  • At the Account Setup screen, shut the computer off.
    • The scenario here is that a setup tech could finish up for the day and rather than continue setup, shut the computer down, or let it go to sleep.  I've only been able to replicate if the computer is shut down.
  • Restart the computer.

At this point, the computer boots to a login screen showing user and password fields.  Except, Apple Setup did not get to the account setup screen, so there isn't a known user account on the computer and we are unable to log in.

We have successfully sent a policy task to the device to create a new local admin account which does allow login.

 

So far we've confirmed this on the following devices

  • 2023 14" M2 MBPro
  • 2020 13" M1 MB Pro

It's been reported on:

  • 2022 13" M2 MB Air
  • 2023 16" M2 MB Pro

All running macOS Ventura; I know the devices I've tested have had the latest build, but the build techs may be getting new out of the box computers without the latest build installed.

I have not seen or been able to replicate this in Monterey.  I searched both Jamf Nation and the google, but apparently my google-fu is off today.

 

FWIW, at one point after replicating this, I restarted in Recovery mode, launched Terminal to scout around a bit, and found that .AppleSetupDone did not exist which was not surprising given that Apple Setup didn't actually complete.
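The state described in this post (no `.AppleSetupDone` marker and no account anyone can log in with) can be checked from a script. The following is an added example, not code from the thread or from Jamf. It assumes the marker lives at `/var/db/.AppleSetupDone`, that regular local accounts have a UID of 501 or higher, and that the management account name (`jamfadmin` here, as mentioned in a later reply) is site-specific; the function names and state labels are hypothetical.

```shell
#!/bin/bash
# Added example (not from the thread): flag a Mac with no usable login account.
MGMT_USER="${MGMT_USER:-jamfadmin}"      # assumption: site-specific management account name
MARKER_REL="var/db/.AppleSetupDone"      # assumption: marker path relative to the volume root

# Constructed sample in the "name uid" format of: dscl . -list /Users UniqueID
SAMPLE_LISTING='_mbsetupuser 248
nobody -2
root 0
jamfadmin 501'

# regular_users LISTING MGMT: print accounts with UID >= 501, minus the management account.
regular_users() {
    printf '%s\n' "$1" |
        awk -v mgmt="$2" '$2 ~ /^[0-9]+$/ && $2 >= 501 && $1 != mgmt { print $1 }'
}

# setup_state ROOT LISTING MGMT: classify the machine from marker file + account list.
# ROOT lets the same check run against a mounted volume instead of the booted system.
setup_state() {
    ss_root="${1%/}"
    ss_users=$(regular_users "$2" "$3")
    if [ -e "$ss_root/$MARKER_REL" ]; then
        if [ -n "$ss_users" ]; then echo "complete"; else echo "setup_done_no_user"; fi
    else
        if [ -n "$ss_users" ]; then echo "user_exists_setup_unfinished"; else echo "no_login_account"; fi
    fi
}

if command -v dscl >/dev/null 2>&1; then
    # On macOS: print in the <result> form Jamf Pro extension attributes use.
    echo "<result>$(setup_state / "$(dscl . -list /Users UniqueID)" "$MGMT_USER")</result>"
else
    # Elsewhere: run against the constructed listing and a root with no marker.
    echo "sample: $(setup_state /nonexistent "$SAMPLE_LISTING" "$MGMT_USER")"
fi
```

`no_login_account` is also what a Mac still sitting in Setup Assistant reports, so treat it as a problem only once the device is at the login window or has been in that state longer than a normal setup takes.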

1 ACCEPTED SOLUTION

bcrockett
Contributor III

Try to allow all the setup screens to be present at boot in your pre-stage enrollment config. This will give jamf time to create its hidden admin account. 

 

If that works, turn them off 1 by 1 until it breaks the config. Then you will know the limit of the bypass all steps. 

 

I have run into the problem of bypassing too many steps and it causing problems. 


25 REPLIES

sdagley
Esteemed Contributor II

@pbenware1 I can't find when it changed, but at some point Jamf's creation of the hidden admin account was no longer guaranteed to happen after the user account is created in Setup Assistant. That might be what's triggering the behavior you're seeing.

pbenware1
Release Candidate Programs Tester

@bcrockett Thank you for the pointer.  After much trial and error, I think it could be related to the Data Transfer/Migration Assistant step; I'm not done with my testing yet but that is the only step where I can replicate this issue consistently.

pbenware1
Release Candidate Programs Tester

More info- Seem to have confirmed that the Transfer Information step is the culprit here, tested across multiple models.  Seems also to have been a change related to something in Ventura 13.2, but can't confirm that.  I do know it was not in the most recent Monterey release.  Also had a report of this issue occurring on a 2017 Intel iMac, suggesting it's not related to Apple Silicon (sort of expected that).

I've run into something similar though in my environment it appears randomly without requiring a shutdown. It's tough to tell if it's actually working but my current attempted fix is to delay a configuration profile that blocks Time Machine until after setup is complete. So far, the delay seems to be helping. 

pbenware1
Release Candidate Programs Tester

I only used shutdown myself as a way to consistently replicate the issue.  It is still not clear to me if the field intentionally shut down devices, or unintentionally let them sleep or drain the battery.  Evidence of that nature has been pretty thin.

karenmartin
New Contributor II

We are running into the same issue. It is extremely frustrating. We are reconfiguring the setup steps in our preconfig. Will post if it worked or not.

bigben54
New Contributor III

I've had it happen seemingly randomly, although in my case it's been two different scenarios...

 

The first, much as you describe, with the new user not completing the local account setup and (most likely) letting the Mac go to sleep/run out of battery.

 

In the last couple days, I've also had two machines where Setup Assistant crashed after all the profiles were downloaded and installed, but before it even gets to the user creation screen. Just quits to the login screen with a user/password prompt. Looking at the system in Jamf, there is only the jamfadmin management account, and no other local users.

And it's the same prestage config we've used for years. Even made a new one, with the same settings, as recommended elsewhere, but no change. Will have a try with reenabling some of the setup steps.

Yes, we have seen the exact same scenario, on laptops and desktops. We have opened a ticket with JAMF to see what they have to say, since it is seemingly random!

pbenware1
Release Candidate Programs Tester

There is a known bug reported on this issue:

PI111120 Account creation can be skipped if "Transfer Information" and "Location Services" are configured to be skipped in Computers > PreStage Enrollments. Workaround: Deselect "Transfer Information" and "Location Services" in the PreStage Enrollments settings.

delta_sync
New Contributor II

Thank you for posting this in Community Forum. We were having some unexpected shutdowns in the last couple weeks. The laptop would boot to our hidden admin account or an empty username/password login page. I've applied the workaround and it is working great after several tests. 

bigben54
New Contributor III

Yes, confirming *not skipping* location and transfer sections of initial user setup has stopped the issue with machines ending up in a user-less state for us.

Less than ideal of course. Want the migration item in particular to be skipped in our main prestage config.

nasc
New Contributor II

Still seeing this issue in Ventura 13.4 where I get to the login screen but no account has been created and I can't log in - have tried all the steps above with no luck.

delta_sync
New Contributor II

Hi @nasc 

Have you attempted to turn them off one by one? I can't speak to your environment but if you have some screenshots of your pre-stage enrollment area perhaps we can help? Mine just needed the unticking of the Transfer payload, in order, to work. Sorry that you continue to have issues! 

thomas_moser
New Contributor III

Hi all,
we are experiencing this behavior for the second time since we have been with JAMF.
Now it began early this week. It would be nice if it could be fixed once and for all.
Showing "Location Services" and "Transfer Information" fixes it temporarily for us too.
Ventura 13.5.1 is installed on the MacBooks.
Opening a case with JAMF.

pbenware1
Release Candidate Programs Tester

I'm now seeing this issue with macOS Sonoma installs, on at least 2 computers; one brand new MB Air 15" that shipped with Sonoma and a 202 iMac 27 that was wiped with a fresh Sonoma installed on it.  The Jamf Prestage has *all* of the steps enabled, so my last workaround doesn't apply anymore.

That is a head scratcher. Can you connect the clients to an ethernet cable
during startup to ensure a hard-wired connection?

--
Buck Crockett
Director of Technology
T 408-997-0424 | E bcrockett@almadencountryday.org
Almaden Country Day School
6835 Trinidad Drive | San Jose, CA 95120 | USA
almadencountrydayschool.org

pbenware1
Release Candidate Programs Tester

The iMac, at least, was connected via ethernet.  Not sure about the MBAir, as it's in another person's hands.  The iMac is one of my test units.

Seeing the same issue on my side as well. New MB Pro M3, pre-stage has no skips; after the user clicks on Agree for terms and services the system goes to a login screen, user never given opportunity to create account.

One of the devices can be wiped back to Ventura and everything works normally on Ventura.

What happens if you connect to the network with an ethernet cable? Then
reboot and try again.


lparnell
New Contributor II

We have been having this issue for a while. I read some other posts saying that if your prestage is creating a local administrator account that has the same name as the Jamf management account there will be issues. The Jamf Management Account was primarily used for Jamf Remote which is no longer supported. I couldn't find any deeper clarification on how this account is utilized. We just changed the name of the Jamf Management Account to "jamf". After doing this our computers stopped crashing during enrollment and showing a login screen with no user accounts. Only make this change if those two accounts use the same username; we had "tech" as both the local administrator account and the Jamf Management Account.

 

Try this:

Change the name of the Jamf Management Account

Jamf > Settings > User-Initiated Enrollment > macOS

Edit the username to be different from the local administrator account created in your prestage enrollment.

 

pbenware1
Release Candidate Programs Tester

We stopped creating shared admin accounts in the Prestage well before this issue came up for us, and even when we were creating them, the names were very different.

pbenware1
Release Candidate Programs Tester

Potentially these issues are resolved in Jamf Pro 11.1.1

  • [PI111014] [PI109336] Enrollment for computers no longer fails when user-initiated enrollment and PreStage enrollment settings are configured with identical management account credentials.
  • [PI111120] The user account creation step of Setup Assistant for macOS is no longer incorrectly skipped when a PreStage enrollment is configured to skip the "Transfer Information" and "Location Services" steps.
  • [PI111481] [PI103338] The user account creation step of Setup Assistant for macOS is no longer incorrectly skipped when a PreStage enrollment is configured to both create a management account and enable FileVault.
  • [PI113195] The user account creation step of Setup Assistant for macOS is no longer incorrectly skipped on computers with macOS 14 or later when user-initiated enrollment settings are configured to create a management account.

PI113195 is the bug I was hitting.  

pbenware1
Release Candidate Programs Tester

Yeah, I was hitting PI111120 and more recently PI113195 myself.