Configuring Remote Management Settings During Automated Device Enrollment

Jamf Pro Documentation 11.16.0


PreStage enrollments allow you to configure common remote management and security settings for computers during Automated Device Enrollment.
Note: Computers with macOS 11 or later are automatically supervised and require users to install the MDM profile when enrolled via Automated Device Enrollment. For more information about supervision, see About Apple device supervision in Apple Platform Deployment.

Requirements

To require user authentication during enrollment, you must integrate Jamf Pro with LDAP or a cloud IdP. For more information, see LDAP Directory Service Integration or Cloud Identity Providers.

  1. On the PreStage Enrollments page, do one of the following:
    • Click New to create a new PreStage enrollment.

    • Select an existing PreStage enrollment and click Edit.

  2. Select the Require Authentication checkbox to require users to enter a username or password to enroll and set up the computer.

    LDAP authentication during enrollment also automatically populates user and location information in the device's inventory information.

    Note: If you add an Enrollment Customization configuration and have computers assigned to the PreStage enrollment that are capable of running a macOS version earlier than 10.15, Jamf recommends selecting the Require Authentication setting as a fail-safe to ensure those computers are not inadvertently enrolled without authentication. For computers with macOS 10.15 or later, the Enrollment Customization settings will transparently overwrite this setting.
  3. Select the Make MDM Profile Mandatory checkbox.

    This setting requires users to install the MDM profile during enrollment. Users are automatically required to apply the MDM profile on computers with macOS 10.15 or later.

  4. Select the Allow MDM Profile Removal checkbox.

    This setting allows users to remove the MDM profile after enrollment. Removing the MDM profile prevents Jamf Pro from sending remote commands or distributing configuration profiles to the computer.

  5. (macOS 10.15 or later only) Select the Prevent user from enabling Activation Lock checkbox.

    This ensures users cannot enable Activation Lock. For more information, see the Leveraging Apple's Activation Lock Feature with Jamf Pro article.

  6. (Apple silicon with macOS 11.5 or later only) Select the Set Recovery Lock Password checkbox, and then choose an option from the Set Password Method pop-up menu.
    This ensures users cannot access recoveryOS on computers without a password. recoveryOS password methods include the following:
    • "Manually enter password (applies to all computers)": Enter a recoveryOS password that applies to all computers in the scope of the PreStage enrollment.
    • "Automatically generate random password for each computer": Generate a unique password for each computer in the scope of the PreStage enrollment. This password is stored in each computer's inventory information in Jamf Pro. If you also select Rotate Recovery Lock password, the password is changed each time it's viewed in Jamf Pro.
  7. Click Save.
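
The following audit sketch is an added example, not part of the Jamf Pro documentation or product. It applies the version and hardware conditions from steps 2 through 6 to a recorded PreStage configuration and reports which settings leave a given computer exposed. The dictionary keys are hypothetical names that mirror the checkbox labels above (they are not Jamf Pro API fields), and the sample data is constructed.

```python
# Added example. Key names are hypothetical (they mirror the checkbox labels
# on this page and are not Jamf Pro API fields); sample data is constructed.

def ver(s):
    """'11.5' -> (11, 5) so versions compare numerically."""
    return tuple(int(p) for p in s.split("."))

def audit(prestage, computer):
    """Return findings for one computer assigned to one PreStage enrollment."""
    os_ver, out = ver(computer["os"]), []
    modern = os_ver >= (10, 15)

    # Step 2: before 10.15, Require Authentication is the only fail-safe;
    # on 10.15+ an Enrollment Customization overrides the checkbox.
    if not prestage["require_authentication"]:
        if not prestage["enrollment_customization"]:
            out.append("no authentication required to enroll")
        elif not modern:
            out.append("pre-10.15 Mac can enroll without authentication")

    # Step 3: 10.15+ always requires the MDM profile; older macOS needs the checkbox.
    if not modern and not prestage["mdm_profile_mandatory"]:
        out.append("user can skip the MDM profile")

    # Step 4: removal cuts off remote commands and configuration profiles.
    if prestage["allow_mdm_profile_removal"]:
        out.append("user can remove the MDM profile")

    # Step 5: only applies to macOS 10.15 or later.
    if modern and not prestage["prevent_activation_lock"]:
        out.append("user can enable Activation Lock")

    # Step 6: only applies to Apple silicon with macOS 11.5 or later.
    if computer["apple_silicon"] and os_ver >= (11, 5):
        method = prestage["recovery_lock_method"]  # None, "manual" or "random"
        if method is None:
            out.append("recoveryOS reachable without a password")
        elif method == "manual":
            out.append("one Recovery Lock password shared by all computers in scope")
    return out

# Constructed sample: one PreStage, two computers in its scope.
PRESTAGE = {"require_authentication": False, "enrollment_customization": True,
            "mdm_profile_mandatory": True, "allow_mdm_profile_removal": True,
            "prevent_activation_lock": True, "recovery_lock_method": "manual"}
FLEET = {"intel-mojave": {"os": "10.14.6", "apple_silicon": False},
         "m2-sonoma": {"os": "14.5", "apple_silicon": True}}

if __name__ == "__main__":
    for name, computer in FLEET.items():
        for finding in audit(PRESTAGE, computer):
            print(f"{name}: {finding}")
```

The same PreStage produces different findings per computer: the older Intel Mac trips the authentication fail-safe, while the Apple silicon Mac is the only one the Recovery Lock setting applies to.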