Self Enroll including LDAP UserName?

pbenware1
Release Candidate Programs Tester

Greetings,
We're a new Casper shop, as of April. We have AD feeding data into Casper. As part of preparing for our rollout, one thing I've been asked to do is figure out if there is a way to have a user provide their LDAP UserName during the Self Enroll process so the user can be linked to the inventory asset in the JSS immediately. I haven't found a way to do this thus far.

Why? For the Self Enroll process, this would minimize effort after a device is enrolled, in that the device and user could be associated at enrollment time, rather than requiring a tech or admin to constantly monitor for new enrollments, try to figure out who the user is and then update the inventory record.
The Self Enroll using the QuickAdd package works just fine. But we have these extra steps that require us to edit the inventory data later on so we can associate the asset with an LDAP UserName, which can be time consuming.

So, first, am I missing something here? I feel like this should be a fundamental aspect of the Self Enroll process, but if it is, I can't figure it out from the Admin Guide or various and sundry searching here and elsewhere. Or maybe my search technique is just failing me.

Next- Part of our challenge in particular is that although every user will have an AD UserName, a relatively small percentage of our total Macs are bound to AD, or use AD logins. The vast majority of them are not. Therefore we have no way to collect AD names from the logged in user.
This suggests to me that I'd need to build a script or something that runs sometime after the QuickAdd package install is complete, requests the user to enter their LDAP UserName (and validate that it is correct by performing an AD lookup), and then somehow apply the LDAP UserName to the Username field in the appropriate inventory record in the JSS.

Has anyone run into this issue, or have any suggestions? It won't slow our rollout if we don't have this function, but it would surely speed things up if we did.

Thanks
Phil
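The post-QuickAdd script sketched above (prompt for the LDAP username, validate it with an AD lookup, then write it to the computer's Username field in the JSS), as an added example that is not from the thread or from Jamf. It assumes an OpenLDAP `ldapsearch` client on the Mac, a read-only bind account, and the JSS Classic API `PUT /JSSResource/computers/serialnumber/<serial>`; the directory and API credentials are placeholders. The input is checked against a strict allowlist before it is placed in an LDAP filter or the XML payload.

```shell
#!/bin/sh
# Added example: links an enrolled Mac to the AD user who runs it.
# Placeholders (assumptions, not thread values): LDAP_URI, LDAP_BASE, bind and API accounts.
JSS_URL="${JSS_URL:-https://myjssurl:8443}"        # from the thread
LDAP_URI="${LDAP_URI:-ldap://ad.example.internal}"  # placeholder
LDAP_BASE="${LDAP_BASE:-DC=example,DC=internal}"    # placeholder

# Accept only sAMAccountName-style names (letters, digits, dot, underscore,
# hyphen; 1-20 chars). Rejecting anything else keeps user input out of the
# LDAP filter and the XML body as anything other than a plain identifier.
valid_username() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9._-]{0,19}$'
}

# Classic API body that sets the computer record's Username field.
computer_xml() {
    printf '<computer><location><username>%s</username></location></computer>' "$1"
}

# AD lookup: succeeds only if exactly one object has this sAMAccountName.
# Uses a read-only bind account (LDAP_BIND_DN / LDAP_BIND_PW, placeholders).
ldap_user_exists() {
    count=$(ldapsearch -LLL -x -H "$LDAP_URI" -D "$LDAP_BIND_DN" -w "$LDAP_BIND_PW" \
        -b "$LDAP_BASE" "(sAMAccountName=$1)" dn | grep -c '^dn:')
    [ "$count" -eq 1 ]
}

# Update this Mac's inventory record, keyed by its hardware serial number.
apply_to_jss() {
    serial=$(ioreg -c IOPlatformExpertDevice -d 2 | awk -F'"' '/IOPlatformSerialNumber/{print $4}')
    curl -sS -u "$JSS_API_USER:$JSS_API_PASS" -H 'Content-Type: text/xml' -X PUT \
        -d "$(computer_xml "$1")" "$JSS_URL/JSSResource/computers/serialnumber/$serial"
}

main() {
    printf 'Enter your AD (LDAP) username: '
    read -r name
    valid_username "$name" || { echo "Invalid username format" >&2; exit 1; }
    ldap_user_exists "$name" || { echo "User not found in AD" >&2; exit 1; }
    apply_to_jss "$name"
}

# Only run the interactive flow when invoked as: sh script.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

Because this runs on the end user's Mac, it needs JSS API credentials present on that machine; the enrollment-portal login described in the accepted answer records the LDAP user without placing any credentials on the device.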

1 ACCEPTED SOLUTION

stevewood
Honored Contributor II

If you have LDAP setup under System Settings in the JSS, then your users should be able to sign in to the enrollment page, download the QuickAdd package, and the machine will have their user name tied to the machine. I just tested this on a VM and it worked. I visited https://myjssurl:8443/enroll and logged in as an LDAP user, downloaded the QA package, ran the QA package and then checked in the JSS. The machine had the LDAP user listed as the user for the device.

Is this not what you are seeing? Verify that you have your LDAP server configured properly under System Settings -> LDAP Servers.

5 REPLIES

qhle373
Contributor

We're using Apple's Device Enrollment Program linked into our JSS. This has the user logging in with their AD to enroll the device in the initial startup. If the devices cannot be added into the DEP for any reason (ex. age) we use a profile distributed through Configurator to the devices that gives an icon for the user to click on once they've set up the iPad. This enrolls with their AD as well into the JSS.

pbenware1
Release Candidate Programs Tester

@stevewood-
Ah. See, I was missing something! All the enrollment testing I've done has been with my techs, and I never made the mental connection that that was the case. I just went through the admin guide again, and only now I find that one little sentence- "Users can log in to the enrollment portal using an LDAP directory account or a JSS user account. If users log in to the enrollment portal with an LDAP directory account, user and location information is submitted during enrollment".

Thanks for that. I -really- wish I had caught that ahead of time.

@qhle373
If only I were able to. We're a Grad school at a higher ed. Due to how the university purchases from Apple, and then resells to the grad schools, we're not able to take advantage of the DEP, at least for the time being, unless the entire university does so, at which point we lose control of the process. At least, that's what I was told by Apple when they asked for our Reseller ID, which we don't have.

Thanks All.

Olivier
New Contributor II

In our company, we do not associate the asset with a user using Casper (we also do not do it for PCs...).

This is because the one who performs the enrollment may not be the owner of the Mac (example: enrollment could be done by someone from IT, could be done by the assistant of the manager, it could be a shared/pool Mac device, and so on...). Owners of Mac devices (= the people actually responsible for the device) are only stored inside our ERP database, as it obviously covers any platform such as PCs, tablets,...

We also do not allow employees to connect to the LAN if they use local accounts; there is a NAC solution in place that prevents it, so obviously the requirement is to have all Macs bound to AD.
Letting users log on with local accounts while being on the LAN is legally dangerous, but that is another story... :-)

XMY7250
New Contributor II

I have a similar problem

My JIM server does work and I can already see it in the console of my Web App.

In the same way, I do tests searching for users and they come back without problem.

What I still cannot do is the user login in LDAP for the enrollment process.

Does anyone have some idea of how to solve this?