Provisioning Local Accounts During Automated Device Enrollment

Jamf Pro Documentation 11.16.0

You can create a managed local administrator account, also known as the "managed administrator", and configure the local account information for the primary user during Automated Device Enrollment.

On computers with macOS 10.15 or later, you can also configure the following:

  • Pre-fill the primary user's local account full name and account name. If your environment includes an LDAP or cloud IdP server, you can enter user variables. You can also prevent the enrolling user from editing this information during enrollment.

  • Managed administrators can receive a secure token during login if a Bootstrap Token is escrowed to Jamf Pro.

Requirements

To populate user variables with the value of an LDAP or cloud identity provider (IdP) attribute, you need an LDAP or cloud IdP server configured in Jamf Pro. For more information, see LDAP Directory Service Integration and Cloud Identity Providers.

  1. On the PreStage Enrollments page, do one of the following:
    • Click New to create a new PreStage enrollment.

    • Select an existing PreStage enrollment and click Edit.

  2. (Optional) In the Account Settings pane, do the following to create a local administrator account (managed administrator):
    Note:

    Jamf does not recommend using MDM LAPS to rotate this account's password if the account needs to unlock FileVault or authorize software updates on computers with Apple silicon. Once the managed local administrator account created by the PreStage enrollment has obtained a secure token, rotating its password changes the login password, but the new password is not accepted for cryptographic user authentication such as unlocking FileVault.

    1. Select the Create a managed local administrator account before Setup Assistant checkbox.
    2. Complete the Username and Password fields, and then verify the password.
      Warning:

      Do not use the same username for the managed local administrator account configured in the User-Initiated Enrollment settings and the managed local administrator account created by a PreStage enrollment. If the same username is used for both, the accounts may not be created correctly during Automated Device Enrollment and unexpected errors may occur. In addition, the local administrator password solution (LAPS) password for the account will not be retrievable through the Jamf Pro API.

    3. Select the Hide managed administrator from Users & Groups checkbox.
      This prevents users from seeing or interacting with the managed administrator account in System Settings (macOS 13 or later) or System Preferences (macOS 12 or earlier).
    4. Select the Make the local administrator account MDM-enabled checkbox.
      This makes the managed administrator account MDM-enabled.
      Warning:

      Making the managed administrator MDM-enabled prevents the subsequent local user account from being MDM-enabled. If the primary local account is not MDM-enabled, user-level configuration profiles cannot be installed for the user. For more information, see MDM-Enabled Local User Accounts.

  3. Select one of the following to configure the primary user's local account type:
    • Administrator Account

      Creates the primary user as a local administrator.

    • Standard Account

      Creates a standard user account

    • Skip Account Creation
      Skips account creation during enrollment. Select this option when:
      • Another solution, such as Jamf Connect, is configured to create primary user local accounts during Automated Device Enrollment.

      • You only want to create the managed administrator during enrollment.

  4. Select the Pre-fill primary account information checkbox, and then choose one of the following options:
    • Custom Details
      This option allows you to enter the account full name and the account name for the computer. This information is applied to all computers enrolled via the PreStage enrollment. If LDAP or a cloud IdP is integrated with your Jamf Pro environment, you can use variables to dynamically populate user information from LDAP or the IdP. The following variables are supported:
      • $USERNAME

      • $FULLNAME

      • $REALNAME

      • $EMAIL

      • $PHONE

      • $POSITION

      • $ROOM

      • $EXTENSIONATTRIBUTE_#

      Note:
      • If a blank value is returned for a variable, the Lock primary account information setting is ignored to allow users to enter the missing user account information.

      • Only user extension attributes are available as variables. Computer and mobile device extension attributes are not supported.

    • Device Owner's Details

      This option sets the account full name and account name based on the Username and Full Name values in the computer's inventory information at the time of enrollment. If authentication is required during enrollment, the user's information is associated with the device using a lookup from Jamf Pro to LDAP or your cloud IdP.

      Note:

      If the PreStage enrollment includes an Enrollment Customization configuration with the Single Sign-On Authentication PreStage Pane, and an LDAP directory or cloud IdP lookup is not available, Jamf Pro receives only the account name and cannot obtain the full name during account creation. The account name from your IdP is populated from the NameID attribute defined in your IdP's SAML application. Check your IdP for options to customize this value.

  5. Select the Lock primary account information checkbox to prevent users from changing the pre-filled account name and account full name during Setup Assistant.
  6. Click Save.
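The note in step 2 and the Bootstrap Token requirement above describe a state that is easy to get wrong in practice: once the managed administrator holds a secure token, an MDM LAPS rotation leaves the account with a login password that FileVault will not accept. The following script is an added example (it is not Jamf's code and not part of this documentation) that runs the pre-flight check an administrator would want before scheduling a rotation: it reads the account's secure token status with sysadminctl, reads whether the Bootstrap Token is escrowed with profiles, and reports whether a rotation is safe for cryptographic use of the account. The short name jamfadmin is a placeholder for your managed administrator, the output formats are assumed from current macOS tooling, and off a Mac the script substitutes constructed sample output so the parsing functions can be exercised anywhere.

```shell
#!/bin/sh
# Pre-flight check for MDM LAPS rotation of a PreStage managed administrator.
# Added example, not Jamf's code. "jamfadmin" is a placeholder short name.
MANAGED_ADMIN="${MANAGED_ADMIN:-jamfadmin}"

# Classify the text that `sysadminctl -secureTokenStatus <user> 2>&1` prints.
# Returns ENABLED, DISABLED or UNKNOWN (unknown user, unexpected output).
secure_token_state() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# Classify the "escrowed to server" line of `profiles status -type bootstraptoken`.
# Returns YES, NO or UNKNOWN.
bootstrap_token_escrowed() {
  case "$1" in
    *"Bootstrap Token escrowed to server: YES"*) echo YES ;;
    *"Bootstrap Token escrowed to server: NO"*)  echo NO ;;
    *)                                           echo UNKNOWN ;;
  esac
}

# Verdict on rotating the account's password with MDM LAPS:
#   UNSAFE            the account already holds a secure token; rotation changes
#                     the login password, but the new password will not unlock
#                     FileVault or authorize secure token operations
#   SAFE_UNTIL_LOGIN  no token yet, but the Bootstrap Token is escrowed, so the
#                     account can receive a token at its next login
#   SAFE              no token and no escrowed Bootstrap Token
#   UNKNOWN           one of the inputs could not be read
laps_rotation_verdict() {
  token_state="$1"
  escrow_state="$2"
  if [ "$token_state" = ENABLED ]; then
    echo UNSAFE
  elif [ "$token_state" = DISABLED ] && [ "$escrow_state" = YES ]; then
    echo SAFE_UNTIL_LOGIN
  elif [ "$token_state" = DISABLED ]; then
    echo SAFE
  else
    echo UNKNOWN
  fi
}

run_check() {
  if [ "$(uname)" = Darwin ]; then
    token_out="$(sysadminctl -secureTokenStatus "$MANAGED_ADMIN" 2>&1)"
    escrow_out="$(profiles status -type bootstraptoken 2>&1)"
  else
    # Constructed sample output (not captured from a real Mac) so the script
    # can be exercised off-device; the format mirrors what the two tools print.
    token_out="sysadminctl[512:9876] Secure token is ENABLED for user $MANAGED_ADMIN"
    escrow_out="profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: YES"
  fi
  token_state="$(secure_token_state "$token_out")"
  escrow_state="$(bootstrap_token_escrowed "$escrow_out")"
  echo "secure token for $MANAGED_ADMIN: $token_state"
  echo "bootstrap token escrowed to MDM: $escrow_state"
  echo "MDM LAPS rotation verdict: $(laps_rotation_verdict "$token_state" "$escrow_state")"
}

run_check
```

Run it on the enrolled Mac as an administrator with MANAGED_ADMIN set to the username you entered in step 2. A verdict of SAFE_UNTIL_LOGIN is the case the documentation warns about in waiting: the account has no token today, but because the Bootstrap Token is escrowed it will obtain one the first time it logs in, after which the same rotation becomes UNSAFE.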