Computer PreStage Enrollments

A PreStage enrollment allows you to store enrollment and Mac computer setup settings in Jamf Pro and use them to enroll new Mac computers with Jamf Pro. This reduces the amount of time and interaction it takes to prepare Mac computers for use.

A PreStage enrollment is one of the methods that result in a User Approved MDM state for eligible computers. This state is required for certain performance and security enhancements, like managing kernel extensions. For more information about User Approved MDM and Jamf Pro, see the Managing User Approved MDM with Jamf Pro Knowledge Base article.

Before you can use a PreStage enrollment, you need to integrate Jamf Pro with Apple's Device Enrollment (formerly DEP). This creates a Device Enrollment instance in Jamf Pro. For more information, see Integrating with Apple's Device Enrollment. Only computers associated with a Device Enrollment instance can be enrolled with Jamf Pro using a PreStage enrollment.

After creating a Device Enrollment instance, you need to create a PreStage enrollment in Jamf Pro for the computers you want to enroll. Creating a PreStage enrollment allows you to configure the enrollment settings and customize the user experience of the Setup Assistant. You can also specify the computers that should be enrolled using the PreStage enrollment. In addition, you can specify that computers newly associated with the Device Enrollment instance be automatically added to the PreStage enrollment.

When computers with macOS 10.10 or later are enrolled using a PreStage enrollment, they are also automatically managed if user-initiated enrollment is enabled for macOS in Jamf Pro. When enabled, User-Initiated Enrollment settings apply to computer PreStage enrollments, including management account and QuickAdd package settings, and whether to automatically launch Self Service. For more information, see User-Initiated Enrollment Settings and Installing Jamf Self Service for macOS.

Computers with macOS 10.9 or earlier (and computers with macOS 10.10 or later if user-initiated enrollment is not enabled) can be managed using one of the following methods after they are enrolled with Jamf Pro using a PreStage enrollment:

Computer PreStage Enrollment Settings

When you create a PreStage enrollment, you use a payload-based interface to configure settings to apply to devices during enrollment. The following table displays the enrollment settings available in a PreStage enrollment:

Payload

Description

Requirements

General

This payload allows you to configure basic settings for the PreStage enrollment and customize the user experience of the Setup Assistant.

To increase the security of sensitive user information, it is recommended that you require users to authenticate during computer setup using an LDAP directory account or a Jamf Pro user account. If users authenticate with an LDAP directory account, user and location information is submitted during enrollment.

To require LDAP users or Jamf Pro users to authenticate during setup, you need an LDAP server set up in Jamf Pro. For more information, see Integrating with LDAP Directory Services.

Account Settings

You can use the Account Settings payload to specify the accounts to create for computers with macOS 10.10 or later if they are enrolled via a PreStage enrollment and user-initiated enrollment for macOS is enabled in Jamf Pro.

Note: If a computer is not bound to a directory service, only the management account and the first local administrator account created for that computer can log in to the computer.

Configuration Profiles

You can use the Configuration Profiles payload to select profiles to distribute to computers during enrollment. This allows the profiles to be installed on computers before the user completes the Setup Assistant.

To add configuration profiles to the Configuration Profiles payload, you must create the profile prior to configuring the PreStage enrollment. For more information, see Computer Configuration Profiles.

In addition, when you create the computer configuration profile, you must ensure that the scope of the profile contains the computers that are in the scope of the PreStage enrollment.

Note: Configuration profiles that contain payload variables are not replaced with the attribute values for the variable. If you want to distribute profiles that contain payload variables, it is recommended that you distribute the profile after the computer has been enrolled with Jamf Pro.

User and Location

You can use the User and Location payload to specify user and location information for the computers.

Note: The User and Location Information payload is only displayed if you do not require LDAP users or Jamf Pro users to authenticate during setup.

This information is stored in Jamf Pro for each computer enrolled using a PreStage enrollment.

Passcode

You can use the Passcode payload to specify passcode requirements for the computers.

Note: A user can manually remove the passcode policy from a computer.

Purchasing

You can use the Purchasing payload to specify purchasing information for the computers.

This information is stored in Jamf Pro for each computer enrolled using a PreStage enrollment.

Attachments

You can use the Attachments payload to upload attachments to store for computers.

This information is stored in Jamf Pro for each computer enrolled using a PreStage enrollment.

Certificates

If the SSL certificate you are using is signed by an external CA (your organization's CA or a trusted third-party CA), use the Certificates payload to upload a certificate for the CA that you want computers to trust at enrollment.

Note: The anchor certificate is only displayed if the SSL certificate you are using is signed by the Jamf Pro built-in CA.

Directory

You can use the Directory payload to choose a directory server for the computers.

To create an account for users to log into their computer when it is connected to another network, select the Create mobile account at login checkbox.

Note: An account synchronization tool such as Jamf Connect Sync (formerly NoMAD Pro) or Apple’s Enterprise Connect can be used to sync computers with the directory.

Enrollment Packages

You can use the Enrollment Packages payload to choose packages to deploy to computers during enrollment. The selected package is installed on computers before the user completes the Setup Assistant.

Packages that you deploy during enrollment include a manifest file that defines the contents of the package in an XML plist format. The computers can download and install the package using the defined URL contained in the manifest file. By default, Jamf Pro creates the manifest file for each package; however, you can create a custom manifest file that you can upload to Jamf Pro. If you upload a custom manifest file, this file is used instead of the default manifest file. For more information about creating a custom manifest file for a package, see Apple's macOS Deployment Reference:
https://help.apple.com/deployment/macos/#/apd86abb79d9

Note: You can only add one package to the Enrollment Packages payload per PreStage enrollment instance.

To configure the Enrollment Packages payload, you must upload a signed package to Jamf Pro prior to configuring the PreStage enrollment. If you want to use a custom manifest file, ensure that you upload the file when you upload the package. For more information about uploading packages to Jamf Pro, see Managing Packages. You can use Composer or a third-party packaging tool to build a signed PKG. For more information about building packages using Composer, see About Composer.

To deploy an enrollment package to computers, you must have a cloud distribution point configured as the master distribution point in Jamf Pro. For more information, see Cloud Distribution Point.

To install a package during enrollment, the package must be signed with an installer certificate (.p12) obtained from Apple using Xcode or the Apple Developer Member Center. For more information on how to obtain an installer certificate from Apple using Xcode, see the Obtaining an Installer Certificate from Apple Knowledge Base article.

In addition, computers in the scope of the PreStage enrollment must have a Certificate Authority intermediate certificate from Apple in the System keychain in Keychain Access. For more information on how to obtain this certificate and import it to the System keychain on managed computers, see the Importing a Certification Authority Intermediate Certificate from Apple to the System Keychain Knowledge Base article.
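
The custom manifest file described for the Enrollment Packages payload can be generated and checked against the package before both are uploaded. The following Python example is added here and is not Jamf or Apple code; it assumes the key names of Apple's manifest format (items, assets, kind, url, md5-size, md5s), and the URL, chunk size and package bytes are constructed placeholders.

```python
import hashlib
import plistlib
from urllib.parse import urlparse

CHUNK = 10 * 1024 * 1024  # assumed md5-size: hash the package in 10 MiB chunks


def chunk_md5s(pkg_bytes, size):
    """MD5 of each size-byte chunk of the package, in order."""
    return [hashlib.md5(pkg_bytes[i:i + size]).hexdigest()
            for i in range(0, len(pkg_bytes), size)]


def build_manifest(pkg_bytes, url, size=CHUNK):
    """Serialize a one-package manifest as an XML plist."""
    asset = {"kind": "software-package", "url": url,
             "md5-size": size, "md5s": chunk_md5s(pkg_bytes, size)}
    return plistlib.dumps({"items": [{"assets": [asset]}]})


def audit_manifest(manifest_bytes, pkg_bytes):
    """Return a list of findings; an empty list means manifest and package agree."""
    manifest = plistlib.loads(manifest_bytes)
    assets = [a for item in manifest.get("items", []) for a in item.get("assets", [])]
    pkgs = [a for a in assets if a.get("kind") == "software-package"]
    if len(pkgs) != 1:  # assumption: one manifest describes one package
        return [f"expected exactly one software-package asset, found {len(pkgs)}"]
    asset, findings = pkgs[0], []
    url = urlparse(asset.get("url", ""))
    if url.scheme != "https" or not url.netloc:
        findings.append("package URL is not an absolute https:// URL")
    size = asset.get("md5-size")
    if not isinstance(size, int) or size <= 0:
        return findings + ["md5-size missing or not a positive integer"]
    listed = [h.lower() for h in asset.get("md5s", [])]
    if listed != chunk_md5s(pkg_bytes, size):
        findings.append("md5s do not match the package contents")
    return findings


if __name__ == "__main__":
    pkg = b"constructed-package-bytes" * 1000  # stands in for the signed PKG
    manifest = build_manifest(pkg, "https://dist.example.com/enroll.pkg", size=4096)
    print(manifest.decode())
    print("findings:", audit_manifest(manifest, pkg))
```

The MD5 values in the manifest only detect a corrupted or mismatched download; trust in the package comes from the installer-certificate signature required above.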

Configuring a Computer PreStage Enrollment

  1. Log in to Jamf Pro.

  2. Click Computers at the top of the page.

  3. Click PreStage Enrollments.

  4. Click New.

  5. Use the General payload to configure basic settings for the PreStage enrollment. In addition, you can do the following on the General pane:

    • To require that users authenticate with their username and password, select the Require Authentication checkbox.
      Note: The Require Authentication checkbox is only displayed if an LDAP server has been set up in Jamf Pro.

    • To customize the user experience of the Setup Assistant, select which steps you want to skip in the Setup Assistant. If you choose to skip steps, the user can enable these settings after the computer is configured unless otherwise restricted.
      Note: The computer must be connected to the Internet during the Setup Assistant.

  6. Click the Scope tab and configure the scope of the PreStage enrollment by selecting the checkbox next to each computer you want to add to the scope.
    The computers listed on the Scope tab are the computers that are associated with Apple's Device Enrollment (formerly DEP) via the server token file (.p7m) you downloaded from Apple.
    Note: If you want to add computers to the scope automatically as they become associated with the Device Enrollment instance, select the Automatically assign new devices checkbox in the General payload.

  7. Click Save.

Further Considerations

  • Jamf Pro automatically refreshes information about the computers in the PreStage enrollment. If there is updated information about the computers in Device Enrollment (formerly DEP), this information is displayed in Jamf Pro. This information is automatically refreshed every five minutes.
    Note: There can be up to a five-minute delay on the information refresh, which can result in outdated information being displayed in Jamf Pro. In addition, environment-specific factors can affect the refresh of information.

  • When cloning a PreStage enrollment, computers in the scope of the original PreStage enrollment are not included in the scope of the cloned PreStage enrollment.

Related Information

For related information, see the following Jamf Knowledge Base video:

Creating a DEP PreStage for macOS Devices in Jamf Pro

For related information, see the following section in this guide:

Integrating with Apple's Device Enrollment
Find out how to configure a Device Enrollment (formerly DEP) instance.

© copyright 2002-2019 Jamf. All rights reserved.