
Automate account creation during Prestage Enrollment

Hi all,

For JSS 9.93, is there a way to automate the account creation during the Prestage Enrollment? Please look at the screenshot below

Here is what we're trying to accomplish:

During DEP, the user is asked to enter their AD credential. With JSS 9.93, there is an option to skip local account creation. What we want to do is to create a local account based on the assigned user (whoever authenticates during DEP) and not using a standard local admin account. Is this possible? Thanks

SOLVED Posted: by stevevalle

We bind our Macs to AD at time of enrolment through the DEP process (add directory binding details to the Directory tab in your screenshot). This way, when the Mac is enrolled into Casper, it is also bound to AD and the user is able to login with their AD account. A local account is created based on the user's username.

The only issue with this is that the user needs to be on the local network to bind to AD, but we are working on resolving this!

SOLVED Posted: by vtran

@stevevalle Thanks for the fast response. The reason why I want to create a local account is because of the remote users who will not have local network to bind to AD. Please share the solution to this issue when you found out :)

SOLVED Posted: by mabec

@stevevalle Have you been successful in binding to AD with the PreStage Enrollment for DEP? My team has everything set in the directory payload, but it is just not completing.

SOLVED Posted: by stevevalle

@mabec Yes, every staff Mac deployed is bound to AD during the DEP enrolment process. By the time the Mac gets to the login screen, it is bound to AD.

The only issue with this is they need to enrol the Mac while on our network. They are unable to do this from home.

SOLVED Posted: by HangerS

We are using something like this to create a mobile AD user account later on through VPN during the DEP enrollment process.

#!/bin/bash
# Set cocoaDialog location
CD="/Users/Shared/CocoaDialog.app/Contents/MacOS/CocoaDialog"

# Dialog to enter the user name and create the $USERNAME variable.
# cocoaDialog prints the button number first and the entered text second,
# so rv[0] is the button (1 = OK, 2 = Cancel) and rv[1] is the text.
rv=($("$CD" standard-inputbox --title "Username" --no-newline --informative-text "Enter your Company Username"))
USERNAME="${rv[1]}"

if [ "${rv[0]}" == "1" ]; then echo "User said OK"
elif [ "${rv[0]}" == "2" ]; then echo "Cancelling"; exit 1
fi

# Dialog to enter the password and create the $PASSWORD variable
rv=($("$CD" secure-standard-inputbox --title "Password" --no-newline --informative-text "Enter your Company Password"))
PASSWORD="${rv[1]}"

if [ "${rv[0]}" == "1" ]; then echo "User said OK"
elif [ "${rv[0]}" == "2" ]; then echo "Cancelling"; exit 1
fi

# Create the mobile account, retrying once a second until the directory lookup
# succeeds (i.e. once the VPN is up). Note that a password given with -p is
# visible to every local process via ps for as long as the command runs.
while true; do
    /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n "$USERNAME" -p "$PASSWORD" > /dev/null 2>&1
    if [ $? -eq 0 ]; then
        break
    fi
    sleep 1
done
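The script above hands whatever was typed into the dialog straight to createmobileaccount and loops until it succeeds. The following is an added example, not HangerS's script and not Jamf or Apple code: it keeps the same createmobileaccount call but checks the account name first (so a value such as "-n" or a name with spaces cannot be misread as options) and bounds the retry so a DEP workflow cannot hang forever when the VPN never comes up. The CREATEMOBILEACCOUNT and AD_PASSWORD variables, the limit of 300 attempts and the exit codes are my choices, not anything from the thread.

```shell
#!/bin/bash
# Added example: validated, bounded wrapper around createmobileaccount.
# CREATEMOBILEACCOUNT may be overridden (e.g. for testing off a Mac); assumed default path as in the thread.
CREATEMOBILEACCOUNT="${CREATEMOBILEACCOUNT:-/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount}"

# Accept only names that cannot be misread as an option or split by the shell:
# non-empty, not starting with "-", letters/digits/dot/underscore/hyphen only.
valid_username() {
    case "$1" in
        ''|-*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# retry <max_attempts> <delay_seconds> <command...>
# Runs the command until it succeeds or max_attempts is reached; returns its last status.
retry() {
    local max="$1" delay="$2" attempt=1 status
    shift 2
    while :; do
        "$@" && return 0
        status=$?
        [ "$attempt" -ge "$max" ] && return "$status"
        attempt=$((attempt + 1))
        sleep "$delay"
    done
}

# create_mobile_account <username>
# The password is taken from the environment variable AD_PASSWORD rather than a
# positional argument, so it never appears on this script's own command line.
# createmobileaccount's -p still places it in that child's argv (visible in ps)
# for the duration of each attempt; there is no way around that with -p.
create_mobile_account() {
    local user="$1"
    if ! valid_username "$user"; then
        echo "refusing to create an account for invalid name: '$user'" >&2
        return 2
    fi
    if [ -z "$AD_PASSWORD" ]; then
        echo "AD_PASSWORD is not set" >&2
        return 2
    fi
    # 300 attempts, one second apart: about five minutes for the VPN to come up.
    retry 300 1 "$CREATEMOBILEACCOUNT" -n "$user" -p "$AD_PASSWORD" > /dev/null 2>&1
}
```

Use it after the cocoaDialog prompts as `AD_PASSWORD="$PASSWORD" create_mobile_account "$USERNAME"`, and treat exit code 2 (bad input) differently from a timeout (the last createmobileaccount status) when you surface the result to the user.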
SOLVED Posted: by shifty

@stevevalle I try (!) to accomplish the same thing which you already have running. Unfortunately I cannot get it running, so maybe you (or someone else) could give me a hint on what to do or where I zigged when I should have zagged....

The goal is: Startup -> DEP Greeting -> User authenticates -> Machine binds automatically to AD, using ($SERIALNUMBER-$USERNAME) -> User gets login screen and can log in with the AD account -> login creates mobile account based on $USERNAME.

To accomplish this I set up DEP like this:

Account Settings:
Local User Account Type = Skip account creation (so that no local user account will be created)

Directory:
(next to the obvious connection to our AD)
Client ID = $SERIALNUMBER-$USERNAME
User Experience = Create mobile account

The problem is that when I start a new computer the only parts which work are the first two, the DEP Greeting and the user authentication. After that the user is asked to add a local user and the machine will be set up with that user and no binding to the AD. And it shows up in JAMF as the default name: Username's Machine....

First I assumed that the AD binding between JSS and AD maybe has a problem, but as the authentication works, this cannot be the problem, can it?

ANY idea on what I could be doing wrong?

Disclaimer: I am fairly new to this and maybe I am missing something obvious.

SOLVED Posted: by Look

Did anyone actually get the skip local account function to work?
I have had it enabled on a few DEP machines and basically regardless of what else is configured it always seems to prompt.

SOLVED Posted: by shifty

@Look To me it looks like @stevevalle achieved this in his first post. So I guess it is possible. Anyhow, I cannot get it to work. It just ignores that setting…

SOLVED Posted: by ClassicII

@shifty @Look

What version of the JSS are you using? We can not get this option to work correctly either and are on 9.100.

Jamf is saying that they can not replicate it on 9.101.

Could you file a support issue on this? As we sure could use some help as it seems like no one else is having the same issue.

SOLVED Posted: by shifty

@ClassicII We are using 9.99.0. Will try to update to latest version and will let you know if that changes anything.

SOLVED Posted: by Look

@ClassicII We are on 100 as well.
Not sure when we will move to 101 though, but possibly soon as there are one or two other issues with 100 that are bugging me.

SOLVED Posted: by CCNapier

We have the same issue on 9.100, although this is me setting it up for the first time.
Going to schedule update to 101 for early next week if possible.

Currently the device gets registered in AD, but still prompts for local credentials even though "skip account creation" is selected.

SOLVED Posted: by ClassicII

@shifty @CCNapier @Look

We have upgraded our dev environment to 101 and issue looks to be fixed.

SOLVED Posted: by shifty

@ClassicII Thanks for the info. I have some news as well. We are still on 9.99.0, but I updated the client to the latest OS. Before it was 10.10.5, now it is 10.12.6... and it works as wanted. Binding to AD and no local account.
Like I wrote before, I am fairly new to this and I did not know that the OS of the client has to be the latest. Is there a KB entry somewhere that shows which JAMF feature works with which client OS version?

Now I am interested to know which client OS versions you used, @ClassicII. Before and after the upgrade to 101.

Edit: I just realised that one thing did not work: I told the machine to use the $SERIALNUMBER as machine name, which it did not use. Machine is just called "iMac".

SOLVED Posted: by Look

Is binding to AD a requirement for automatic account creation?
I have create Local Admin configured, thought that should be enough.
Also what about require authentication during enrollment?

SOLVED Posted: by CCNapier

Problem still exists for me with 101.
Trying a few different options before I contact support.

SOLVED Posted: by shifty

@CCNapier Which MacOS Client Version are you using?

SOLVED Posted: by CCNapier

@shifty Currently Sierra (recovery).
@ClassicII @Look

JAMF support are saying to me this morning it looks like a new Product Issue, but I have yet to hear full details. @ClassicII it's working for you though? Care to share your configuration?

SOLVED Posted: by CCNapier

PI-004473

SOLVED Posted: by bse_college

We're setting up DEP for 10.13 at the moment

We've got the Directory set up for AD authentication, and set to skip user setup under Users

But when it prompts for details (pop-down box when you accept the remote management) all that does is prefill the fields in the account creation screen, which I assumed it would skip

We've got a localadmin account set up in the users payload also, but when I go ahead and create a user the localadmin account isn't under users (and it isn't set to hidden)

Is this a common issue people are having? We've deleted and readded the tokens/keys/mdm servers about 5 times over the last week trying to fix it

SOLVED Posted: by npynenberg

I have the same issue on JSS 9.101.0-t1504998263.

No matter what I select in the Prestage Enrollment --> Account Settings area.. I always get prompted to create an account (which is always an admin account).

I want it to skip account creation.

SOLVED Posted: by Kaltsas

@npynenberg I opened a case on this issue. If I select Create an additional local administrator account I am prompted every time. If I don't select this option on average 1/3 DEP enrollments will correctly skip account creation.

SOLVED Posted: by Kaltsas

@npynenberg Jamf confirmed I am hitting PI-004473, I would suggest opening a case and getting a ticket attached to the PI.

SOLVED Posted: by snovak

Big ole' me too on this one.

Currently thinking I can detect the presence of those accounts, and delete them after my splashbuddy workflow has completed.

SOLVED Posted: by bmccune

Same issue as everyone here on the latest JSS 10.1.1 deploying 10.12.6 to a 2017 MacBook Pro.

Skip Account Creation does not work...it still prompts to create a local user account. Tried with only the user initiated enrollment Administrator account...also tried checking the box and creating an additional Administrator account. Everything I've tried and it still does not skip the account creation. Odd thing I noticed is when I'm prompted to create the local user, I can use the same Administrator username and password used in my Prestage settings and it will proceed. So I'm thinking none of it is working...since that Administrator account should already exist and not let me create it again..?

SOLVED Posted: by neil.martin83

I am seeing the same - on prem 9.101. No local admin account created, and does not skip account creation dialog, no matter what I try.

SOLVED Posted: by gunnar90

Jamf support just stated to me that skip account creation is broken and a known issue (PI-004473) on older versions, but should be resolved with Jamf Pro 10.2.2 (and also that their internal documentation shows it resolved but that this item is missing from the release notes and documentation for 10.2.2.)

I'm on JSS 9.101, can anyone confirm this issue is resolved for them on 10.2.2 before I dive in myself? XD

SOLVED Posted: by mgshepherd

We had our cloud instance upgraded to 10.2.2 this week. So far I'm seeing the same results while using a VM as I did prior to the upgrade. I have seen some people on the Slack channels say it's working better for them after the upgrade. Just wish it was more consistent; between getting DEP to work and figuring out how to make secure tokens work is making me go cross-eyed.

SOLVED Posted: by BOBW

I can confirm this issue is still happening in 10.2.2. I have resorted to having staff login with any account, then I built an app which shows on the desktop; this is pushed out through an enrolment policy. This app will rename/bind, install apps and restart. It also creates a launch daemon so when the user logs into an AD account it deletes the locally created user account.
It does some other things like make sure you are connected to the domain, a popup stating all data will be wiped from this account, etc.

Its really the only way I see to make it work consistently. When a user opens the computer offsite it will allow them to work straight away not being able to bind to AD

SOLVED Posted: by mgshepherd

@BOBW Sounds like your application install process for users is very similar to what Splashbuddy can do. Have you looked into that? I've been testing DEP with this product, very clean system. Also, with your process of deleting the local created user account, are you taking into consideration the SecureToken and passing that along to the account created through the AD login? That's my next step I'm trying to iron out in my workflow.

Last question: What account settings are you using in your Prestage Enrollment process?

Cheers

SOLVED Posted: by BOBW

@mgshepherd Yeah I have had a quick look at Splashbuddy, haven't really had time to make it work yet.... My settings are to create an additional account; this gets created without issue and a Secure Token applied to this account. Which means deleting the account created by the end user works fine.
The big problem is the bug where the Skip account creation is not applied... even though it is selected...
We don't use FileVault at all in my environment so Secure Tokens are not something I really looked at until I have to delete the primary admin account. This only happens when a computer is started without network connection.
Take a look at @rtrouton post on derflounder which shows how to enable SecureToken on AD accounts, this should help
something along the lines of sysadminctl -secureTokenOn username_which_needs_secure_token_goes_here -password password_goes_here
or, to be prompted for password
sysadminctl -secureTokenOn username_which_needs_secure_token_goes_here -password -

https://derflounder.wordpress.com/2018/01/20/secure-token-and-filevault-on-apple-file-system/

You could, using something like cocoadialog prompt a user for their password and then capture this to a variable and then turn it on. Might need to make sure this is correct by writing a dummy file to desktop and then deleting it. Not sure how to check this without looking into it otherwise. Maybe make this as part of a policy which enables filevault, but you could only do this after login as it needs user input.

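The sysadminctl lines above do the job, but in a policy you want to know whether the account already holds a token before prompting, and you want neither password on the command line. The following is an added example, not BOBW's script and not from the derflounder post: it reads the status report from sysadminctl -secureTokenStatus and only then runs -secureTokenOn with both passwords given as "-" so sysadminctl prompts for them instead of taking them from argv (where ps would expose them). The parsing assumes the report wording "Secure token is ENABLED for user ..." / "... is DISABLED ..."; the function names are mine.

```shell
#!/bin/bash
# Added example: grant a SecureToken only when missing, without passwords in argv.

# Reduce one sysadminctl -secureTokenStatus report to ENABLED, DISABLED or UNKNOWN.
# Assumption: the report contains "Secure token is ENABLED for user <name>" or
# "Secure token is DISABLED for user <name>"; anything else (usage text, an
# unknown user) is treated as UNKNOWN rather than as "disabled".
parse_token_status() {
    case "$1" in
        *"Secure token is ENABLED for user"*)  echo ENABLED ;;
        *"Secure token is DISABLED for user"*) echo DISABLED ;;
        *) echo UNKNOWN ;;
    esac
}

# secure_token_status <user>: sysadminctl writes its report to stderr, hence 2>&1.
secure_token_status() {
    parse_token_status "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# ensure_secure_token <user> <admin-with-token>
# The admin account must itself hold a SecureToken (on a DEP Mac, the first
# account created at setup normally does). "-password -" and "-adminPassword -"
# make sysadminctl prompt interactively, so run this from a session with a tty
# (Terminal, SSH, or a logged-in user), not silently during DEP.
ensure_secure_token() {
    local user="$1" admin="$2" status
    status="$(secure_token_status "$user")"
    case "$status" in
        ENABLED)
            echo "$user already has a SecureToken"
            return 0 ;;
        DISABLED)
            sysadminctl -adminUser "$admin" -adminPassword - -secureTokenOn "$user" -password - ;;
        *)
            echo "could not determine SecureToken status for '$user'" >&2
            return 1 ;;
    esac
}
```

Treating an unrecognised report as UNKNOWN (and failing) rather than DISABLED matters: a typo in the username or a change in sysadminctl's output should stop the script, not make it prompt an end user for an admin password for no reason.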
SOLVED Posted: by gunnar90

@BOBW would you be willing to share the code you've written for your app? I know it's a big ask but I'm curious to see examples of how to move forward with DEP

SOLVED Posted: by dpertschi

JAMF support has told me that PI-004473 is resolved with release 10.1.0 +.

I've also seen a few folks comment that they had to create new pre-stages in order to realize the fix.

SOLVED Posted: by BOBW

Hi @unserializedMLB , might be a little difficult in sending all of it to you, there is quite a few different scripts / policies used to make it all happen.
Basically what I am doing is, having an automator app calling a single policy trigger.

do shell script "sudo /usr/local/bin/jamf policy -event depstaff" with administrator privileges

This single policy trigger runs a script.
This script runs through a heap of different policy triggers to install apps, runs scripts etc, then calls another trigger to change the name; this uses cocoadialog to prompt the end user for their site and then appends the last 6 digits of the serial number, then changes the computer name.
Then call another trigger to bind the device to AD
Finally runs a recon reboots, and all done.

I know its pretty vague, but its not too hard to build if you can get each policy correct. Just test each one separately and then add the trigger to your script.

I took the suggestion for Splashbuddy and have now built a solution using this, it is probably a little more difficult to setup but the end result is quite good.

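The sequence described above (triggers for apps and scripts, then a rename built from a site code and the serial number, then bind, then recon) is easy to get wrong if a later step runs after an earlier one has failed, or if the site string from the dialog is used unchecked. The following is an added example, not BOBW's app or policies: one script that runs the triggers in order and stops at the first failure, with the name derived from the site code plus the last six characters of the serial. Only "depstaff" appears in the thread; the trigger names depstaff_apps, depstaff_scripts and depstaff_bind, the site-code rule (alphanumeric, at most 8 characters) and the JAMF/SERIAL variables are assumptions of mine.

```shell
#!/bin/bash
# Added example: ordered post-DEP policy triggers with fail-fast and a derived computer name.
JAMF="${JAMF:-/usr/local/bin/jamf}"   # assumed binary path; override for testing

# Site codes come from a user dialog, so constrain them before they reach scutil.
valid_site() {
    case "$1" in
        ''|*[!A-Za-z0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 8 ]
}

# Serial from IOKit (macOS only); SERIAL may be set to bypass the lookup.
serial_number() {
    if [ -n "$SERIAL" ]; then
        echo "$SERIAL"
        return 0
    fi
    ioreg -c IOPlatformExpertDevice -d 2 | awk -F'"' '/IOPlatformSerialNumber/ {print $4; exit}'
}

# computer_name <site> <serial>: SITE-<last 6 of serial>, site upper-cased.
computer_name() {
    local site="$1" serial="$2"
    valid_site "$site" || return 1
    [ "${#serial}" -ge 6 ] || return 1
    # ${serial#"${serial%??????}"} strips everything but the final six characters (POSIX form).
    printf '%s-%s\n' "$(printf '%s' "$site" | tr '[:lower:]' '[:upper:]')" "${serial#"${serial%??????}"}"
}

# run_triggers <trigger>...: run each custom event in order; stop at the first failure
# so that bind/recon never run on a half-built machine.
run_triggers() {
    local trigger
    for trigger in "$@"; do
        echo "running policy trigger: $trigger"
        if ! "$JAMF" policy -event "$trigger"; then
            echo "trigger '$trigger' failed; aborting remaining steps" >&2
            return 1
        fi
    done
}

set_computer_name() {
    local name="$1" key
    for key in ComputerName LocalHostName HostName; do
        scutil --set "$key" "$name" || return 1
    done
}

# main <site>: the order BOBW describes: apps and scripts, rename, bind, recon.
# Reboot from the final policy rather than here so a failed recon is visible.
main() {
    local site="$1" name
    name="$(computer_name "$site" "$(serial_number)")" || { echo "bad site code or serial" >&2; return 1; }
    run_triggers depstaff_apps depstaff_scripts || return 1
    set_computer_name "$name" || return 1
    run_triggers depstaff_bind || return 1
    "$JAMF" recon
}

# Invoke as: this_script.sh <site>  (no argument: functions are defined only)
if [ -n "${1-}" ]; then
    main "$1"
fi
```

Each trigger should still be tested on its own, as BOBW says; what this adds is that a failed install or bind stops the chain instead of leaving a renamed, unbound machine that recon then reports as finished.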
SOLVED Posted: by kerouak

@bmccune

Skip account creation works fine for me??

If you want to add a standard user account just enable the Standard account checkbox and that works..

Running 9101.4

Does what it says on the tin!

SOLVED Posted: by lynnaj

Skip account creation used to work for me back in the 9.9.x days last year. At some point with an upgrade to Jamf Pro 10.x that function stopped working. Currently I am at JAMF Pro 10.2.1 and this is still broken.

How do we elevate this issue with JAMF engineering so that this bug gets fixed?

SOLVED Posted: by mgshepherd

Of those who have "Skip account creation" working, are you finding that this will only work if you say have an additional account created, Directory services configured, etc? Also are you guys either on premise or cloud hosted with JAMF that have this working correctly?

@lynnaj: Have you tried removing your current Prestage Enrollment config and creating a new one? I've heard that can make a difference but it hasn't for me.

SOLVED Posted: by BOBW

I have Make MDM mandatory, skip all setup except for : location services and file vault, skip account creation turned on, Directory Services Configured and creation of a second account.

I'm not 100% sure creating a second prestage is a great answer though.

What happens to all the machines which were enrolled in the previous prestage? Do you delete the previous prestage or leave it there?
We have automatically assign devices enabled So I figure I would turn it off on the original one and turn it on with the new one. We have some delays in machines getting added which means we need to check if a machine is enrolled prior to turning on, which means we have to check both prestage scopes.

I have tried the edit / save without making any changes but doesn't make any difference.

SOLVED Posted: by SWicks

This week I went from 10.2.1 to 10.2.2 to 10.3 in the hope of resolving this issue. No luck as yet, have a support call open with Jamf, but they seem as puzzled as me.

@mgshepherd
I'm as curious as you to find that some have no issues at all, but I've never had consistent results.

SOLVED Posted: by jnm1

I am on 10.2.1 and seeing the issue as well. I have Location Services set to show and the Account creation set to skip. Most of the computers we enroll will still show the account creation and not show the Location Services. Every once in a while one will show the Location Services and skip the account creation. This happened today with two identical new-in-box MacBook Pros. One worked as it should and one did not.

I have tried all the different combos of creating an additional admin account and hiding/showing the Management account.

I did create the prestage enroll a few versions back so I deleted it and made a new one. The account creation still DID NOT skip.

Update: after talking with Jamf Support they sent up the following:

After doing some digging into that PI-004473 it seems it is still open and not confirmed closed although users reported that Mac OS 10.11.6 running Jamf Pro 10.1 did not have the issue. Another option we could try would be to log into MySQL on the jamfsoftware database and run the following queries:

-- pending MDM commands (no APNs result recorded yet), counted per command type
select count(*), command from mobile_device_management_commands where apns_result_status='' group by command;

-- remove the pending rows of these three command types (destructive; back up the database first)
delete from mobile_device_management_commands where command IN ("DeviceInfoAccountHash","DeviceInfoITunesActive","ProfileList") and apns_result_status='';

That seemed to fix the issue. At least for now. I have done 8 Prestage enrolls and they all skipped the user account creation.

SOLVED Posted: by james179

Hi @jnm1 could you please confirm this is still working for you? I've spoken with Jamf Support earlier and they didn't state that as a workaround, but stated they would get back to me once they can confirm.

SOLVED Posted: by SWicks

@jnm1 I can confirm that this worked in my environment after Jamf support suggested the same to me. Now getting other niggles but things are moving forward.
