Pre-stage enrollments with Jamf Pro and JumpCloud

Pre-stage enrollments with Jamf Pro and JumpCloud help you create “Pre-stage Magic”.

Magic is a funny term here, but remember Clarke’s 3rd Law — any sufficiently advanced technology is indistinguishable from magic — and that’s how JumpCloud likes to think of this beautiful workflow, which saves time when onboarding new employees.

The “Magic” or advanced technology in play? Just-in-time provisioned user accounts. JumpCloud can create the end-user account “just-in-time” during new employee onboarding and provide access to the right settings and apps, right from opening the box — this is done with JumpCloud and Jamf Pro working seamlessly together.

Jamf and JumpCloud want to free up IT’s time to focus on more important projects than onboarding a new machine, with more strategy engagement through advanced automation.

The benefits of just-in-time user provisioning:

  • True zero-touch, self-service new user onboarding
  • Get the absolute most out of Apple Business Manager and mobile device management (MDM)
  • Eliminate the commodity workload of IT-led onboarding
  • Gives the illusion of full ownership and control to the user

Tools needed to bring this to reality:

  • Apple Business Manager
  • An MDM with pre-stage enrollment: Jamf Pro
  • A JumpCloud directory
  • A configured JumpCloud script file
  • A packaging tool: Composer
  • An Apple enterprise developer account is required for package signing

What is a JumpCloud directory?

JumpCloud is a user directory that lives in the cloud. It is RADIUS-protocol compatible, which gives users access to network resources, and it supports LDAP and SMB storage and SAML 2.0 for SSO. JumpCloud also runs on the device as an agent that takes care of the system aspects.

End result: a single set of credentials for employees to access company resources.

JumpCloud can pre-stage an identity account which has no password as it’s an inactive user (new hire). This means for onboarding, all end users have to do is activate their JumpCloud account. Upon activation, a user creates an account password and it gets propagated across the services they’re assigned.

Once a new device is enrolled in MDM, a .pkg installs and launches DEPNotify, which is when the JumpCloud agent (JCA) is installed on the device. The JCA works in a similar fashion to the Jamf agent: it runs commands remotely, makes administrative changes, etc.

The first enrollment account, which was delivered via MDM enrollment in pre-stage, gets a secure token, and its credentials are what install the agent. The enrollment account enables you to create users/service users, and the account is deleted at the end of the flow.

Leveraging this to automate onboarding will pay you back dividends in saved time!