
Automate account creation during Prestage Enrollment

Hi all,

For JSS 9.93, is there a way to automate the account creation during the Prestage Enrollment? Please look at the screenshot below.

Here is what we're trying to accomplish:

During DEP, the user is asked to enter their AD credential. With JSS 9.93, there is an option to skip local account creation. What we want to do is to create a local account based on the assigned user (whoever authenticates during DEP) and not using a standard local admin account. Is this possible? Thanks

SOLVED Posted: 10/10/16 at 10:27 PM by stevevalle

We bind our Macs to AD at time of enrolment through the DEP process (add directory binding details to the Directory tab in your screenshot). This way, when the Mac is enrolled into Casper, it is also bound to AD and the user is able to log in with their AD account. A local account is created based on the user's username.

The only issue with this is that the user needs to be on the local network to bind to AD, but we are working on resolving this!

SOLVED Posted: 10/11/16 at 12:21 PM by vtran

@stevevalle Thanks for the fast response. The reason why I want to create a local account is because of the remote users who will not have local network to bind to AD. Please share the solution to this issue when you find out :)

SOLVED Posted: 3/29/17 at 2:37 PM by mabec

@stevevalle Have you been successful in binding to AD with the PreStage Enrollment for DEP? My team has everything set in the directory payload, but it is just not completing.

SOLVED Posted: 3/30/17 at 4:28 PM by stevevalle

@mabec Yes, every staff Mac deployed is bound to AD during the DEP enrolment process. By the time the Mac gets to the login screen, it is bound to AD.

The only issue with this is they need to enrol the Mac while on our network. They are unable to do this from home.

SOLVED Posted: 3/31/17 at 3:18 AM by HangerS

We are using something like this to create a mobile AD user account later on through VPN during the DEP enrollment process.

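#!/bin/bash
# Set cocoaDialog location
CD="/path/to/cocoaDialog"   # placeholder: the location was not included in the post

# Dialog to enter the user name and create the $USERNAME variable
rv=($("$CD" standard-inputbox --title "Username" --no-newline --informative-text "Enter your Company Username"))

# rv[0] is the button pressed, rv[1] is the text entered
if [ "${rv[0]}" == "1" ]; then
    echo "User said OK"
    USERNAME="${rv[1]}"
elif [ "${rv[0]}" == "2" ]; then
    echo "Cancelling"
    exit
fi

# Dialog to enter the password and create the $PASSWORD variable
rv=($("$CD" secure-standard-inputbox --title "Password" --no-newline --informative-text "Enter your Company Password"))

if [ "${rv[0]}" == "1" ]; then
    echo "User said OK"
    PASSWORD="${rv[1]}"
elif [ "${rv[0]}" == "2" ]; then
    echo "Canceling"
    exit
fi

# Create Mobile Account
# (the command path is truncated in the original post)
# Note: -p puts the password on the command line, where it is visible in the
# process list while the command runs.
/System/Library/CoreServices/ -n "$USERNAME" -p "$PASSWORD" > /dev/null 2>&1
if [ $? -eq 0 ]; then
    sleep 1
fi
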
SOLVED Posted: 9/8/17 at 3:59 PM by shifty

@stevevalle I try (!) to accomplish the same thing which you already have running. Unfortunately I can not get it running so maybe you (or someone else) could gimme a hint on what to do or where I zigged when I should have zagged....

The goal is: Startup -> DEP Greeting -> User authenticates -> Machine binds automatically to AD, using ($SERIALNUMBER-$USERNAME) -> User gets login screen and can log in with the AD account -> login creates mobile account based on $USERNAME.

To accomplish this I set up DEP like this:

Account Settings:
Local User Account Type = Skip account creation (so that no local user account will be created)

(next to the obvious connection to our AD)
User Experience = Create mobile account

The problem is that when I start a new computer, the only part which works is the first two parts, the DEP Greeting and the user authentication. After that the user is asked to add a local user and the machine will be set up with that user and no binding to the AD. And it shows up in JAMF as the default name: Usernames Machine....

First I assumed that the AD binding between JSS and AD maybe has a problem, but as the authentication works, this can not be the problem, can it?

ANY idea on what I could be doing wrong?

Disclaimer: I am fairly new to this and maybe I am missing something obvious.

SOLVED Posted: 9/10/17 at 4:16 PM by Look

Did anyone actually get the skip local account function to work?
I have had it enabled on a few DEP machines and basically regardless of what else is configured it always seems to prompt.

SOLVED Posted: 9/12/17 at 8:53 AM by shifty

@Look To me it looks like @stevevalle achieved this in his first post. So I guess it is possible. Anyhow, I can not get it to work. It just ignores that setting…

SOLVED Posted: 9/12/17 at 9:19 AM by ClassicII

@shifty @Look

What version of the JSS are you using? We can not get this option to work correctly either and are on 9.100.

Jamf is saying that they can not replicate it on 9.101.

Could you file a support issue on this? As we sure could use some help as it seems like no one else is having the same issue.

SOLVED Posted: 9/13/17 at 1:33 AM by shifty

@ClassicII We are using 9.99.0. Will try to update to latest version and will let you know if that changes anything.

SOLVED Posted: 9/13/17 at 5:06 PM by Look

@ClassicII We are on 100 as well.
Not sure when we will move to 101 though, but possibly soon as there are one or two other issues with 100 that are bugging me.

SOLVED Posted: 9/14/17 at 8:06 AM by CCNapier

We have the same issue on 9.100, although this is me setting it up for the first time.
Going to schedule update to 101 for early next week if possible.

Currently the device gets registered in AD, but still prompts for local credentials even though "skip account creation" is selected.

SOLVED Posted: 9/18/17 at 11:35 AM by ClassicII

@shifty @CCNapier @Look

We have upgraded our dev environment to 101 and issue looks to be fixed.

SOLVED Posted: 9/18/17 at 12:00 PM by shifty

@ClassicII Thanks for the info. I have some news as well. We are still on 9.99.0. but I updated the Client to the latest OS. Before it was 10.10.5, now it is 10.12.6... and it works like wanted. Binding to AD and no local account.
Like I wrote before, I am fairly new to this and I did not know that the OS of the client has to be the latest. Is there a KB entry somewhere that shows which JAMF feature works with which client OS version?

Now I am interested to know which client OS versions you used, @ClassicII. Before and after the upgrade to 101.

Edit: I just realised that one thing did not work: I told the machine to use the $SERIALNUMBER as machine name, which it did not use. Machine is just called "iMac".

SOLVED Posted: 9/18/17 at 5:33 PM by Look

Is binding to AD a requirement for automatic account creation?
I have create Local Admin configured, thought that should be enough.
Also what about require authentication during enrollment?

SOLVED Posted: 9/20/17 at 9:51 AM by CCNapier

Problem still exists for me with 101.
Trying a few different options before I contact support.

SOLVED Posted: 9/22/17 at 4:19 AM by shifty

@CCNapier Which MacOS Client Version are you using?

SOLVED Posted: 9/25/17 at 4:43 AM by CCNapier

@shifty Currently Sierra (recovery).
@ClassicII @Look

JAMF support are saying to me this morning it looks like a new Product Issue, but I have yet to hear full details. @ClassicII it's working for you though? Care to share your configuration?

SOLVED Posted: 9/28/17 at 9:50 AM by CCNapier


SOLVED Posted: 10/22/17 at 9:39 PM by bse_college

We're setting up DEP for 10.13 at the moment

We've got the Directory set up for AD authentication, and set to skip user setup under Users

But when it prompts for details (pop-down box when you accept the remote management) all that does is prefill the fields in the account creation screen, which I assumed it would skip

We've got a localadmin account set up in the users payload also, but when I go ahead and create a user the localadmin account isn't under users (and it isn't set to hidden)

Is this a common issue people are having? We've deleted and readded the tokens/keys/mdm servers about 5 times over the last week trying to fix it

SOLVED Posted: 10/31/17 at 8:16 AM by npynenberg

I have the same issue on JSS 9.101.0-t1504998263.

No matter what I select in the Prestage Enrollment --> Account Settings area, I always get prompted to create an account (which is always an admin account).

I want it to skip account creation.

SOLVED Posted: 11/7/17 at 10:02 AM by Kaltsas

@npynenberg I opened a case on this issue. If I select Create an additional local administrator account I am prompted every time. If I don't select this option on average 1/3 DEP enrollments will correctly skip account creation.

SOLVED Posted: 11/7/17 at 12:15 PM by Kaltsas

@npynenberg Jamf confirmed I am hitting PI-004473, I would suggest opening a case and getting a ticket attached to the PI.

SOLVED Posted: 11/10/17 at 8:57 AM by snovak

Big ole' me too on this one.

Currently thinking I can detect the presence of those accounts, and delete them after my splashbuddy workflow has completed.
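
The detection half of the idea in the post above, as an added example that is not part of the original post or of any Jamf tooling: it reports local accounts with a UID of 501 or higher that the PreStage was not expected to create, and whether each is an admin. The sample listings, the `unexpected_accounts` function and the `EXPECTED_ACCOUNTS` allowlist are constructed for illustration; the script only reports and deletes nothing.

```shell
#!/bin/sh
# Added example: report local accounts that should not exist after a PreStage
# enrollment configured to skip account creation. Report only; nothing is deleted.

# Constructed sample of `dscl . -list /Users UniqueID` output.
SAMPLE_USERS='_www                     70
daemon                   1
nobody                   -2
root                     0
Guest                    201
localadmin               501
jsmith                   502'

# Constructed sample of `dscl . -read /Groups/admin GroupMembership` output.
SAMPLE_ADMINS='GroupMembership: root localadmin jsmith'

# Hypothetical allowlist: accounts the PreStage is expected to create.
EXPECTED_ACCOUNTS="localadmin"

# unexpected_accounts USER_LISTING ADMIN_LINE ALLOWLIST
# Prints "name uid admin|standard" for each UID >= 501 account not allowlisted.
unexpected_accounts() {
    printf '%s\n%s\n' "$2" "$1" | awk -v allow="$3" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # First input line: members of the admin group.
        $1 == "GroupMembership:" { for (i = 2; i <= NF; i++) adm[$i] = 1; next }
        # Remaining lines: "name uid". System accounts sit below UID 501.
        NF == 2 && $2 ~ /^[0-9]+$/ && $2 + 0 >= 501 && !($1 in ok) {
            print $1, $2, (($1 in adm) ? "admin" : "standard")
        }'
}

# On a Mac, pass the live listings instead of the samples:
#   unexpected_accounts "$(dscl . -list /Users UniqueID)" \
#       "$(dscl . -read /Groups/admin GroupMembership)" "$EXPECTED_ACCOUNTS"
unexpected_accounts "$SAMPLE_USERS" "$SAMPLE_ADMINS" "$EXPECTED_ACCOUNTS"
```

AD mobile accounts also have UIDs above 501, so on a bound Mac they would need to be added to the allowlist before the output is treated as a list of stray Setup Assistant accounts.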

SOLVED Posted: 2/8/18 at 8:49 AM by bmccune

Same issue as everyone here on the latest JSS 10.1.1 deploying 10.12.6 to a 2017 MacBook Pro.

Skip Account Creation still prompts to create a local user account. Tried with only the user initiated enrollment Administrator account...also tried checking the box and creating an additional Administrator account. Everything I've tried and it still does not skip the account creation. Odd thing I noticed is when I'm prompted to create the local user, I can use the same Administrator username and password used in my Prestage settings and it will proceed. So I'm thinking none of it is working...since that Administrator account should already exist and not let me create it again..?