Computer PreStage Enrollments

A PreStage enrollment allows you to store enrollment and Mac computer setup settings in Jamf Pro and use them to enroll new Mac computers with Jamf Pro. This reduces the amount of time and interaction it takes to prepare Mac computers for use.

A PreStage enrollment is one of the methods that result in a User Approved MDM state for eligible computers. This state is required for certain performance and security enhancements, like managing kernel extensions. For more information about User Approved MDM and Jamf Pro, see the Managing User Approved MDM with Jamf Pro Knowledge Base article.

Before you can use a PreStage enrollment, you need to integrate Jamf Pro with Device Enrollment (formerly DEP). This creates a Device Enrollment instance in Jamf Pro. For more information, see Integrating with Automated Device Enrollment. Only computers associated with a Device Enrollment instance can be enrolled with Jamf Pro using a PreStage enrollment.

After creating a Device Enrollment instance, you need to create a PreStage enrollment in Jamf Pro for the computers you want to enroll. Creating a PreStage enrollment allows you to configure the enrollment settings and customize the user experience of the Setup Assistant. You can also specify the computers that should be enrolled using the PreStage enrollment. In addition, you can specify that computers newly associated with the Device Enrollment instance be automatically added to the PreStage enrollment.

When computers with macOS 10.10 or later are enrolled using a PreStage enrollment, they are also automatically managed if user-initiated enrollment is enabled for macOS in Jamf Pro. When enabled, User-Initiated Enrollment settings apply to computer PreStage enrollments, including management account and QuickAdd package settings, and whether to automatically launch Self Service. For more information, see User-Initiated Enrollment Settings and Installing Jamf Self Service for macOS.

Computers with macOS 10.9 or earlier (and computers with macOS 10.10 or later if user-initiated enrollment is not enabled) can be managed using one of the following methods after they are enrolled with Jamf Pro using a PreStage enrollment:

Computer PreStage Enrollment Settings

When you create a PreStage enrollment, you use a payload-based interface to configure settings to apply to devices during enrollment. The following table lists the enrollment settings available in a PreStage enrollment; for each payload it gives a description and the requirements for using it.

General

This payload allows you to configure basic settings for the PreStage enrollment and customize the user experience of the Setup Assistant, including adding an Enrollment Customization configuration.

To increase the security of sensitive user information, it is recommended that you require users to authenticate during computer setup using an LDAP directory account or a Jamf Pro user account. If users authenticate with an LDAP directory account, user and location information is submitted during enrollment.

To require LDAP users or Jamf Pro users to authenticate during setup, you need an LDAP server set up in Jamf Pro. For more information, see Integrating with LDAP Directory Services.

To add an Enrollment Customization configuration to the PreStage enrollment, you must have at least one configuration in the Enrollment Customization settings. Enrollment Customization configurations are applied to computers with macOS 10.15 or later only. For more information, see Enrollment Customization Settings.

Account Settings

You can use the Account Settings payload to specify the accounts to create for computers with macOS 10.10 or later if they are enrolled via a PreStage enrollment and user-initiated enrollment for macOS is enabled in Jamf Pro.

Note: If a computer is not bound to a directory service, only the management account and the first local administrator account created for that computer can log in to the computer.

In addition, you can pre-fill the primary account information on computers during enrollment. When users enroll their computers, the Full Name and Account Name will be pre-populated in the Setup Assistant.

You can choose the following options to pre-fill this information:

  • Custom Details—This option allows you to enter the account full name and the account name for the computer. This information is applied to all computers enrolled via the PreStage.

  • Device Owner's Details—If you configure a PreStage enrollment to require authentication or you add an Enrollment Customization configuration that enables the user to sign in using their Identity Provider (IdP) credentials, this option pre-fills the account information with the credentials the user signed in with.

You can choose to lock the account information so a user cannot change it during the Account Creation screen in the Setup Assistant.

To pre-fill account information with the device owner's details, you must require authentication or add an Enrollment Customization configuration that enables the user to sign in using their IdP credentials during enrollment.


Configuration Profiles

You can use the Configuration Profiles payload to select profiles to distribute to computers during enrollment. This allows the profiles to be installed on computers before the user completes the Setup Assistant.

To add configuration profiles to the Configuration Profiles payload, you must create the profile prior to configuring the PreStage enrollment. For more information, see Computer Configuration Profiles.

In addition, when you create the computer configuration profile, you must ensure that the scope of the profile contains the computers that are in the scope of the PreStage enrollment.

Note: Configuration profiles that contain payload variables are not replaced with the attribute values for the variable. If you want to distribute profiles that contain payload variables, it is recommended that you distribute the profile after the computer has been enrolled with Jamf Pro.

User and Location

You can use the User and Location payload to specify user and location information for the computers.

Note: The User and Location Information payload is only displayed if you do not require LDAP users or Jamf Pro users to authenticate during setup.

This information is stored in Jamf Pro for each computer enrolled using a PreStage enrollment.


Passcode (deprecated)

The Passcode payload is only displayed for existing PreStage enrollments that were configured using this payload in Jamf Pro 10.9.0 or earlier.

To specify passcode requirements for computers during enrollment using Jamf Pro 10.10.0 or later, create a configuration profile with a Passcode payload configured, and then add that profile to a PreStage enrollment using the Configuration Profiles payload.


Purchasing

You can use the Purchasing payload to specify purchasing information for the computers.

This information is stored in Jamf Pro for each computer enrolled using a PreStage enrollment.


Attachments

You can use the Attachments payload to upload attachments to store for computers.

This information is stored in Jamf Pro for each computer enrolled using a PreStage enrollment.

Certificates

If the SSL certificate you are using is signed by an external CA (your organization's CA or a trusted third-party CA), use the Certificates payload to upload a certificate for the CA that you want computers to trust at enrollment.

Note: The anchor certificate is only displayed if the SSL certificate you are using is signed by the Jamf Pro built-in CA.


Directory (deprecated)

The Directory payload is only displayed for existing PreStage enrollments that were configured using this payload in Jamf Pro 10.9.0 or earlier.

To choose a directory server for computers during enrollment using Jamf Pro 10.10.0 or later, create a configuration profile with a Directory payload configured, and then add that profile to a PreStage enrollment using the Configuration Profiles payload.

Enrollment Packages

You can use the Enrollment Packages payload to choose packages to deploy to computers during enrollment. The selected package is installed on computers before the user completes the Setup Assistant.

Packages that you deploy during enrollment include a manifest file that defines the contents of the package in an XML plist format. The computers can download and install the package using the defined URL contained in the manifest file. By default, Jamf Pro creates the manifest file for each package; however, you can create a custom manifest file that you can upload to Jamf Pro. If you upload a custom manifest file, this file is used instead of the default manifest file. For more information about creating a custom manifest file for a package, see Apple's macOS Deployment Reference:
https://help.apple.com/deployment/macos/#/apd86abb79d9

Note: You can only add one package to the Enrollment Packages payload per PreStage enrollment instance.

To configure the Enrollment Packages payload, you must upload a signed package to Jamf Pro prior to configuring the PreStage enrollment. If you want to use a custom manifest file, ensure that you upload the file when you upload the package. For more information about uploading packages to Jamf Pro, see Managing Packages. You can use Composer or a third-party packaging tool to build a signed PKG. For more information about building packages using Composer, see the Composer User Guide.

To deploy an enrollment package to computers, you must have a cloud distribution point configured as the master distribution point in Jamf Pro. For more information, see Cloud Distribution Point.

To install a package during enrollment, the package must be signed with an installer certificate (.p12) obtained from Apple using Xcode or the Apple Developer Member Center. For more information on how to obtain an installer certificate from Apple using Xcode, see the Obtaining an Installer Certificate from Apple Knowledge Base article.

In addition, computers in the scope of the PreStage enrollment must have a Certificate Authority intermediate certificate from Apple in the System keychain in Keychain Access.
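The manifest described above is a small XML plist that names the package's download URL and the MD5 of each fixed-size chunk of the package, so the computer can verify what it downloaded before installing it. The following is an added example, not Jamf or Apple code: it builds such a manifest with Python's standard plistlib and checks an existing manifest against the package bytes. The package bytes, the distribution-point URL and the chunk size are constructed placeholders; the key names (items, assets, kind, md5-size, md5s, url) follow Apple's software-package manifest format referenced in the text. Note that the MD5 chunk list only guards transport integrity; authenticity of the package still rests on the installer-certificate signature and on serving the package over HTTPS, which is why the checker rejects non-HTTPS URLs.

```python
"""Build and sanity-check an enrollment-package manifest plist.

Added example, not Jamf or Apple code. The package bytes, URL and chunk
size below are constructed placeholders.
"""
from __future__ import annotations

import hashlib
import plistlib
from urllib.parse import urlparse

# Assumption: 10 MiB is a commonly used chunk size; any positive value works
# as long as md5-size and the number of entries in md5s agree.
CHUNK_SIZE = 10 * 1024 * 1024

# Constructed sample "package" and URL (not a real .pkg, not a real host).
SAMPLE_PKG = b"xar!" + bytes(range(256)) * 40          # 10,244 bytes
SAMPLE_URL = "https://dp.example.com/enrollment/Sample.pkg"


def chunk_md5s(data: bytes, chunk_size: int = CHUNK_SIZE) -> list[str]:
    """Return the hex MD5 of each chunk_size slice of the package bytes."""
    return [hashlib.md5(data[i:i + chunk_size]).hexdigest()
            for i in range(0, len(data), chunk_size)]


def build_manifest(pkg_bytes: bytes, url: str,
                   chunk_size: int = CHUNK_SIZE) -> bytes:
    """Return an XML plist manifest describing pkg_bytes hosted at url."""
    manifest = {
        "items": [{
            "assets": [{
                "kind": "software-package",
                "md5-size": chunk_size,
                "md5s": chunk_md5s(pkg_bytes, chunk_size),
                "url": url,
            }]
        }]
    }
    return plistlib.dumps(manifest, fmt=plistlib.FMT_XML)


def check_manifest(manifest_bytes: bytes, pkg_bytes: bytes) -> list[str]:
    """Return the problems found in a manifest (empty list = consistent).

    Checks: valid plist, expected structure, software-package kind,
    HTTPS download URL, and chunk hashes that match pkg_bytes.
    """
    problems: list[str] = []
    try:
        manifest = plistlib.loads(manifest_bytes)
    except Exception as exc:  # plistlib raises several exception types
        return [f"manifest is not a valid plist: {exc}"]
    try:
        asset = manifest["items"][0]["assets"][0]
    except (KeyError, IndexError, TypeError):
        return ["manifest lacks items[0].assets[0]"]

    if asset.get("kind") != "software-package":
        problems.append(f"unexpected asset kind {asset.get('kind')!r}")

    url = asset.get("url", "")
    if urlparse(url).scheme != "https":
        problems.append(f"package URL must use https, got {url!r}")

    size = asset.get("md5-size")
    md5s = asset.get("md5s")
    if not isinstance(size, int) or size <= 0 or not isinstance(md5s, list):
        problems.append("md5-size and md5s are missing or malformed")
    elif md5s != chunk_md5s(pkg_bytes, size):
        problems.append("md5s do not match the package contents")
    return problems


def demo() -> list[str]:
    """Build a manifest for the sample package and check it; expect []."""
    return check_manifest(build_manifest(SAMPLE_PKG, SAMPLE_URL, 4096), SAMPLE_PKG)


if __name__ == "__main__":
    print(build_manifest(SAMPLE_PKG, SAMPLE_URL, 4096).decode())
    print("problems:", demo())
```

Before uploading a custom manifest with the package, run the check against the exact .pkg you uploaded: a manifest generated from a different build of the package will fail the chunk comparison on the client and the enrollment install will not complete.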

Configuring a Computer PreStage Enrollment

  1. Log in to Jamf Pro.

  2. Click Computers at the top of the page.

  3. Click PreStage Enrollments.

  4. Click New.

  5. Use the General payload to configure basic settings for the PreStage enrollment. In addition, you can do the following on the General pane:

    • To require that users authenticate with their username and password, select the Require Authentication checkbox.

      Note: The Require Authentication checkbox is only displayed if an LDAP server has been set up in Jamf Pro.

      If an Enrollment Customization configuration is added to this PreStage, this setting is ignored for computers with macOS 10.15 or later. If your environment requires users to authenticate with an LDAP directory account or a Jamf Pro user account, it is recommended that you do not add an Enrollment Customization configuration to the PreStage enrollment.

    • To customize the user experience of the Setup Assistant, do the following:

      • Choose an Enrollment Customization configuration to apply to computers.

      • Select which steps you want to skip in the Setup Assistant. If you choose to skip steps, the user can enable these settings after the computer is configured unless otherwise restricted.

      Note: The computer must be connected to the Internet during the Setup Assistant.

  6. Click the Scope tab and configure the scope of the PreStage enrollment by selecting the checkbox next to each computer you want to add to the scope.
    The computers listed on the Scope tab are the computers that are associated with Automated Device Enrollment (formerly DEP) via the server token file (.p7m) you downloaded from Apple.
    You can use the Select All button to add all associated computers to the scope. This adds all computers associated with Automated Device Enrollment via the server token file regardless of any results that have been filtered using the Filter Results search field. The Unselect All button removes all associated computers from the scope.

    Note: If you want to add computers to the scope automatically as they become associated with the Automated Device Enrollment instance, select the Automatically assign new devices checkbox in the General payload.

  7. Click Save.

Further Considerations

  • Jamf Pro automatically refreshes information about the computers in the PreStage enrollment. If there is updated information about the computers in Automated Device Enrollment (formerly DEP), this information is displayed in Jamf Pro. This information is automatically refreshed every five minutes.

    Note: There can be up to a five-minute delay in the information refresh, which can result in outdated information being displayed in Jamf Pro. In addition, environment-specific factors can affect the refresh of information.

  • When cloning a PreStage enrollment, computers in the scope of the original PreStage enrollment are not included in the scope of the cloned PreStage enrollment.

  • Users are automatically required to apply the MDM profile on computers with macOS 10.15 or later. For computers with macOS 10.14.4 or earlier, it is recommended that you manually enable the Make MDM Profile Mandatory setting to maintain full management capabilities of computers.

Related Information

For related information, see the following Jamf Knowledge Base video:

Creating a DEP PreStage for macOS Devices in Jamf Pro

For related information, see the following section in this guide:

Integrating with Automated Device Enrollment
Find out how to configure an Automated Device Enrollment (formerly DEP) instance.

© copyright 2002-2019 Jamf. All rights reserved.