After Enrollment Trigger

nvandam
Contributor II

We use DEP enrollment and have a policy that runs right after the user gets to the desktop. The trigger currently is "Enrollment Complete". It works great on ethernet, but not on (our corporate) WiFi. The user authenticates to the WiFi network, authenticates again to kick off the enrollment, but at some point between the setup assistant and the user getting to the desktop, the WiFi disconnects, and once at the desktop, reauthenticates and connects. Because of this, the "Enrollment Complete" trigger doesn't happen. I'd like a way to reliably kick off the policy right when the user gets to the desktop, similar to how IBM does it in their enrollment.

Thanks.


strider_knh
Contributor II

During the setup process the OS treats it as being logged in as a special user. If you put in credentials to connect to a network during setup, those credentials are for that user only (think of them being saved to that special user's keychain). Once you are kicked to the login screen or past, those credentials are no longer usable since that special user is no longer logged in (no more keychain access).

We use an 802.1x network and have this problem during setup of DEP. I spoke with Apple and they verified that this is how the process works. This is also why many people I have spoken to use an open network for setup.

My problem was that the enrollment process never finished before I finished the DEP process and so ended up at the login screen with no AD binding, no local account and no network. If I left the laptop at the time zone screen for 20 seconds the DEP enrollment finished and our 802.1x configuration profile was able to get installed.

Fun.

PatrickD
Contributor II

Hi @nvandam,

I too was struggling with this and was hoping to have a really seamless setup. I found in the Jamf logs on the machine that the Enrollment Complete trigger does actually occur; however, it happens during that time that the Wi-Fi is disconnected. This means when the Enrollment Complete trigger occurs, the machine tries to contact the JSS, but there is no Wi-Fi, so it fails and just moves on.

I tinkered with the idea of having the "custom DEP setup policy" execute on the "Network State Change" trigger at an "Ongoing" frequency, scoped to a smart group with the criteria of "Is DEP enrolled" and "Does not have <xyz App which is installed in the policy>". This ensures it won't continue to execute. You could do once per machine, but I think there was a reason why I didn't do that. Just make sure the policy is configured to do an Inventory Update as well so it will fall out of the smart group.

The "Network State Change" Trigger was my way of ensuring as soon as the machine got back on the Wi-Fi the policy would execute.

Hope this helps. Really wish the Enrollment Complete trigger was more robust and would continue to trigger every minute until a successful JSS connection.

Cheers,

Pat
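
A script-based variant of the "wait until the machine is back on the network, then run the policy" idea from PatrickD's reply, added here as an example and not code from the thread or from Jamf. It assumes the Jamf binary lives at /usr/local/bin/jamf (the usual location) and that a custom policy trigger named `postEnrollment` exists in the JSS; that event name is a placeholder to replace with your own. `jamf checkJSSConnection` and `jamf policy -event` are real verbs of the Jamf binary; the retry loop around them is this example's own. The script is meant to be launched once at the desktop (for example from a LaunchDaemon or a login hook) so the policy fires only after the JSS is actually reachable, instead of being lost during the Wi-Fi gap described above.

```shell
#!/bin/sh
# Added example (not from the thread): poll for JSS reachability, then fire a
# custom policy trigger. JAMF_BIN and EVENT_NAME are assumptions/placeholders.

JAMF_BIN="${JAMF_BIN:-/usr/local/bin/jamf}"
EVENT_NAME="${EVENT_NAME:-postEnrollment}"

# wait_for_jss CHECK_CMD MAX_TRIES SLEEP_SECS
# Runs CHECK_CMD until it exits 0 or MAX_TRIES attempts have been made.
# Returns 0 on success, 1 when every attempt failed. CHECK_CMD is a
# parameter so the check can be swapped (or stubbed) without editing the loop.
wait_for_jss() {
  check_cmd="$1"
  max_tries="$2"
  sleep_secs="$3"
  i=0
  while [ "$i" -lt "$max_tries" ]; do
    if $check_cmd >/dev/null 2>&1; then
      return 0
    fi
    i=$((i + 1))
    sleep "$sleep_secs"
  done
  return 1
}

# Default reachability check: the Jamf binary's own JSS connectivity test.
jss_check() {
  "$JAMF_BIN" checkJSSConnection
}

# run_post_enrollment [CHECK_CMD] [MAX_TRIES] [SLEEP_SECS]
# Waits for the JSS (default: up to 60 tries, 5 s apart, i.e. five minutes),
# then runs the custom trigger. Returns the jamf exit status, or 1 if the
# server never became reachable so the policy was deliberately not attempted.
run_post_enrollment() {
  if wait_for_jss "${1:-jss_check}" "${2:-60}" "${3:-5}"; then
    "$JAMF_BIN" policy -event "$EVENT_NAME"
    return $?
  fi
  echo "JSS unreachable after ${2:-60} attempts; not running $EVENT_NAME" >&2
  return 1
}

# Only act when invoked with --run, so the file can also be sourced safely.
if [ "${1:-}" = "--run" ]; then
  run_post_enrollment
fi
```

Invoke it as `sh post_enrollment.sh --run` from the launcher of your choice. Because the policy is fired by name rather than by the Enrollment Complete event, it does not matter that the original trigger was consumed while Wi-Fi was down; and because the script gives up after a bounded number of tries and logs why, a machine that never gets back online shows up as a failure in the log rather than silently skipping the setup policy.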