If you are using the notify screen as part of an automated device enrollment onboarding, a simple way to enable it is to include a configuration profile with an Applications & Custom Settings payload scoped to the domain com.jamf.connect.authchanger with the following .plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Arguments</key>
    <array>
        <string>-reset</string>
        <string>-JamfConnect</string>
        <string>-Notify</string>
    </array>
</dict>
</plist>

The postinstaller script checks if the authchanger configuration profile exists and then executes the listed commands. For more information, see authchanger.
The Notify mechanism can also be enabled with the authchanger command. The command can be run from the postinstaller script of a custom installer package that is installed as part of a PreStage enrollment package.
/usr/local/bin/authchanger -reset -JamfConnect -Notify
Advanced Options
The -Notify flag causes the login window to start the notify screen after the user has logged in to the identity provider and before the user's macOS session is started. The script defined by the RunScript key executes immediately before the notify screen starts, and the user is held in the notify screen until the Quit command is written to the command file.
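Because the user stays on the notify screen until Quit is written, a RunScript script that aborts early leaves the device stuck there. The following added example (not Jamf's code) shows one way to structure such a script so that Quit is always written. The command file path is supplied by the administrator, and the `Status:` and `Command: Quit` line syntax and the step names are assumptions not shown on this page.

```shell
#!/bin/sh
# Added example: RunScript-style wrapper that always releases the notify screen.
# Assumptions: "Status: <text>" / "Command: Quit" line syntax; the command file
# path is passed in by the administrator (no path is given on this page).

# Append one command line to the notify command file.
notify() {
    printf '%s\n' "$2" >> "$1"
}

# Run each step in its own subshell so a step that fails, or calls `exit`,
# cannot end the script before Quit is written.
# Usage: run_onboarding <command-file> <step> [<step> ...]
run_onboarding() {
    cmd_file=$1
    shift
    failures=0
    for step in "$@"; do
        notify "$cmd_file" "Status: Running ${step}..."
        if ! ( "$step" ) >/dev/null 2>&1; then
            failures=$((failures + 1))
            notify "$cmd_file" "Status: ${step} failed, continuing"
        fi
    done
    # Always release the user from the notify screen.
    notify "$cmd_file" "Command: Quit"
    [ "$failures" -eq 0 ]
}

# Hypothetical steps (constructed for this example). In practice each step
# would install software, for example by calling an MDM policy.
install_baseline() { true; }
install_vpn() { exit 3; }   # simulates a step that aborts

# Runs only when the administrator supplies a command file path.
if [ -n "${NOTIFY_CMD_FILE:-}" ]; then
    run_onboarding "$NOTIFY_CMD_FILE" install_baseline install_vpn ||
        echo "one or more onboarding steps failed" >&2
fi
```

The non-zero return status lets the calling script log or report failed steps after the screen has been released.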
Advanced administrators may choose to activate the Notify and RunScript login mechanisms before the user is logged in. For example, an administrator may choose to design an "almost zero-touch" device onboarding. In that scenario, an IT member would turn on the device for the first time, enroll it into the MDM, and then allow the RunScript and Notify mechanisms to run a group of policies to install essential software. Once the setup is complete, the Notify window mechanism quits, and the Jamf Connect login window appears to allow the new user to create their own account. The IT team member could then shut down the computer and ship it to the user.
Advanced administrators can use a custom set of authchanger commands to modify the order of operations. The following example will execute the Notify mechanism before login and then the RunScript mechanism after the user has authenticated to the identity provider:
/usr/local/bin/authchanger -reset -prelogin JamfConnectLogin:Notify -JamfConnect
In the above example, some method other than the RunScript mechanism is responsible for updating the notify screen elements and quitting the notify screen, for example a Jamf Pro policy with a trigger set to run on Enrollment Complete or Recurring Check-in.
While the authchanger command can be used to fully customize the order of operations, administrators should take the required precautions when modifying default configurations and test extensively on non-production test machines to avoid potential data loss.