During Enrollment of a Sonoma MacBook, after Remote Management starts and our required Credentials are entered, it Skips creating the Local User Account. It goes straight to a Log-in Screen instead. We do push a hidden Admin Account via Script during Enrollment. I can Log-in with said hidden Admin Account at that new Log-in screen. We only see this issue with macOS 14.x (Sonoma). We can manually Enroll a Sonoma machine without issue. Only during Enrollment of a Sonoma system is it an issue. For our current Setup, we need the ability to Create Local Users still. Anyone else see this issue?

Enrollment with macOS 14.x Sonoma Skips Creating Local User Account

@bern Are you suppressing the Location Services panel in Setup Assistant with your PreStage Enrollment configuration? If so don't do that and see if that results in the local user account being created.

Ugh this sounds like PI111120 (Account creation can be skipped if "Transfer Information" and "Location Services" are configured to be skipped in Computers > PreStage Enrollments. Workaround: Deselect "Transfer Information" and "Location Services" in the PreStage Enrollments settings.) -- on 13.x I could get around it by toggling Location Services & Data Transfer on and off and then my prestages have been bulletproof.

If you can open a support case and reference the P|. I need to test this as well (esp with the new "enforce filevault at Automated Device Enrollment" feature in 14) so I'll probably be sending in a support case too.

Are you creating your management account twice by any chance (e.g. once in UIE settings and again in your PreStage)?

I did have Location Services selected to Skip and allowed Transfer Information set in Enrollment. This test, I made sure both Location Services and Transfer Information were not suppressed and it still Skipped User Creation, yikes.

Are you creating your management account twice by any chance (e.g. once in UIE settings and again in your PreStage)?

Under our UIE, we do have a hidden Management account created. We add another Admin account via Script which is also hidden.

I did have Location Services selected to Skip and allowed Transfer Information set in Enrollment. This test, I made sure both Location Services and Transfer Information were not suppressed and it still Skipped User Creation, yikes.

=\\ Darn. Well, I'm getting a test box up and running right now so I'll check and see what happens. Definitely get a case open, and triple check to make sure you're on build 23A344 which dropped earlier today

Confirmed I'm testing on 23A344 and got a Case open with Jamf Support. Just waiting for them to assign someone to it. Opened it last night. I will definitely share anything I learn from Support. Thank you for testing!

I opened a Case with Jamf 5 days ago and they still haven't responded, yikes.

😬I think they had most of their staff watching or participating in JNUC stuff — try nudging your CSM or brave calling the support number, it should get you some action on your case.

Seeing this as well. such a pain, I was told they are not having this issue in jamf 11, but it is hitting 10.50 hard.... 10.50 is supposed to support Sonoma... but I guess not, unless you don't want to provision a new mac

I have Location Services allowed, but Transfer Information skipped, and getting this error.

Sounds like they're not related anyway though. Is there a PI open for this?

Also affecting us. Was able to workaround by using Account Creation to create an erroneous user, but this sucks.

jamf support says this is PI112111

They are escalating my ticket on this issue to Engineering. That's the latest as of today on my end.

Looks like my issue is new and listed under PI113195.

Here's the provided work around that allowed User Creation to work again during Enrollment.

Login to Jamf Pro and go to Settings > Global > User Initiated Enrollment > macOS. Here uncheck "Create management account".

To add to this:

I enrolled a computer in a brand new pre-stage.

Requires Authentication
Make MDM Profile Mandatory
Prevent user from enabling Activation Lock
No Set Up Assistant Options checked to skip
No Account Settings
No Configuration Profiles in pre-stage

Still having the same issue on macOS 14.0 and 14.1b1

I'll check and see if PI112111 is valid, but I doubt so.

To add to this:

I enrolled a computer in a brand new pre-stage.

Requires Authentication
Make MDM Profile Mandatory
Prevent user from enabling Activation Lock
No Set Up Assistant Options checked to skip
No Account Settings
No Configuration Profiles in pre-stage

Still having the same issue on macOS 14.0 and 14.1b1

I'll check and see if PI112111 is valid, but I doubt so.

Doesn't this result in manually enrolled computers not having the management account?

Looks like my issue is new and listed under PI113195.

Here's the provided work around that allowed User Creation to work again during Enrollment.

Login to Jamf Pro and go to Settings > Global > User Initiated Enrollment > macOS. Here uncheck "Create management account".

Doesn't this result in manually enrolled computers not having the management account?

Sorry, I meant to reply to bern

Doesn't this result in manually enrolled computers not having the management account?

This is my understanding. The engineer assisting our case said that this, "The management account is currently only used with Jamf Remote, so unless you have another purpose for you're free to disable it's creation and it should no longer skip account creation.". We use a script to push our own Admin Management account so this may not be an issue for us.

How are you guys scoping your configurations that need to go to all endpoints, eg certs, configs for AV, etc, even though I have nothing in prestage configuration, they say this is the bug that is affecting me.

This is my understanding. The engineer assisting our case said that this, "The management account is currently only used with Jamf Remote, so unless you have another purpose for you're free to disable it's creation and it should no longer skip account creation.". We use a script to push our own Admin Management account so this may not be an issue for us.

Is that a script that Jamf has anywhere? Would love to know how to do so with a script. We'll need to do this now that this has come to light. We've unchecked "Create Management Account" but we still need a managed admin :(

I’ve come up with a solution to the problem and have tested successfully. However, there are some caveats. To make this work, I had to add a payload to the Account section of the Pre-Stage enrollment. I also set the general section to not Skip Location Services. Here is a screenshot of what worked.

However, because the local Admin account created in the Pre-Stage is not automatically LAPS enabled, I have a policy that deletes the account after enrollment. It is scope to any computer with that local account.

Kind of hokey, but it leaves me with a functioning enrollment and the management account from the user-initiated enrollment setting is functional and has LAPS enabled.

Looks like my issue is new and listed under PI113195.

Here's the provided work around that allowed User Creation to work again during Enrollment.

Login to Jamf Pro and go to Settings > Global > User Initiated Enrollment > macOS. Here uncheck "Create management account".

Current settings:

"Create management account" within Settings > Global > User Initiated Enrollment > macOS unchecked
"Create a local administrator account before the Setup Assistant" checked like @John_Arenz mentioned below

Result:

I am forced to provide the credentials for the local administrator account and reset the password. I receive no prompt to create a local user.

Modified settings:

"Create management account" within Settings > Global > User Initiated Enrollment > macOS checked
"Create a local administrator account before the Setup Assistant" checked in Pre-Stage like @John_Arenz mentioned below

Result:

The local administrator account before the Setup Assistant was created as well as the management account. I was not forced to provide credentials and was prompted to create a computer account.

A different set of settings:

"Create management account" within Settings > Global > User Initiated Enrollment > macOS checked
"Create a local administrator account before the Setup Assistant" in Pre-Stage unchecked.

Result:

I am forced to provide the credentials for the management account, which has to be pulled from the Jamf API. I receive no prompt to create a local user.

I’ve come up with a solution to the problem and have tested successfully. However, there are some caveats. To make this work, I had to add a payload to the Account section of the Pre-Stage enrollment. I also set the general section to not Skip Location Services. Here is a screenshot of what worked.

However, because the local Admin account created in the Pre-Stage is not automatically LAPS enabled, I have a policy that deletes the account after enrollment. It is scope to any computer with that local account.

Kind of hokey, but it leaves me with a functioning enrollment and the management account from the user-initiated enrollment setting is functional and has LAPS enabled.

As far as your statement, "However, because the local Admin account created in the Pre-Stage is not automatically LAPS enabled," the reason it isn't LAPS enabled is because management of the MDM LAPS account is not enabled by default per https://learn.jamf.com/bundle/technical-paper-laps-current/page/Implementing_LAPS.html. If you have a need for 2 LAPS enabled accounts, I suggest you following the instructions to enable management of the MDM LAPS account.

Reply

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded