Computer PreStage Enrollments

A PreStage enrollment allows you to create enrollment configurations and sync them to Apple. This enables you to enroll new computers with Jamf Pro, reducing the amount of time and interaction it takes to prepare computers for use.

Creating a PreStage enrollment allows you to configure the enrollment settings and customize the user experience of the Setup Assistant. You can also specify the computers that should be enrolled using the PreStage enrollment and automatically add computers newly associated with the Automated Device Enrollment instance to the PreStage enrollment. Only computers with macOS 10.10 or later that are associated with the Automated Device Enrollment instance can be enrolled with Jamf Pro using a PreStage enrollment.

If user-initiated enrollment is enabled for macOS in Jamf Pro, computers with macOS 10.10 or later enrolled using a PreStage enrollment are automatically managed and the User-Initiated Enrollment settings are applied to the PreStage. For more information, see User-Initiated Enrollment Settings.

Jamf Pro automatically refreshes information about the computers in the PreStage enrollment. If there is updated information about the computers in Automated Device Enrollment, this information is displayed in Jamf Pro. This information is automatically refreshed every two minutes.

Note:

There can be up to a two-minute delay on the information refresh, which can result in outdated information being displayed in Jamf Pro. In addition, environment-specific factors can affect the refresh of information.

A PreStage enrollment is one of the methods that result in a User Approved MDM state for eligible computers. This state is required for managing certain security and privacy settings on macOS. For more information about User Approved MDM and Jamf Pro, see the Managing User Approved MDM with Jamf Pro article.

Computer PreStage Enrollment Settings

When you create a PreStage enrollment, you use a payload-based interface to configure settings to apply to devices during enrollment. The following table displays the enrollment settings available in a PreStage enrollment:

Payload

Description

General

This payload allows you to configure basic settings for the PreStage enrollment, specify authentication and management requirements, add an Enrollment Customization configuration, and customize the Setup Assistant experience.

Account Settings

You can use the Account Settings payload to specify account information for the user account created in the Setup Assistant. This payload also can define a managed administrator account to be created at setup.

Configuration Profiles

You can use the Configuration Profiles payload to select profiles to distribute to computers during enrollment. This allows the profiles to be installed on computers before the user completes the Setup Assistant.

User and Location

You can use the User and Location payload to specify user and location information to store in Jamf Pro for each computer enrolled using a PreStage enrollment.

Note:

Using Inventory Preload or authentication during enrollment can automatically populate this information for computers.

This information is stored in Jamf Pro for each computer enrolled using a PreStage enrollment.

Passcode (deprecated)

The Passcode payload is only displayed for existing PreStage enrollments that were configured using this payload in Jamf Pro 10.9.0 or earlier.

To specify passcode requirements for computers during enrollment using Jamf Pro 10.10.0 or later, create a configuration profile with a Passcode payload configured, and then add that profile to a PreStage enrollment using the Configuration Profiles payload.

Purchasing

You can use the Purchasing payload to specify purchasing information for the computers.

This information is stored in Jamf Pro for each computer enrolled using a PreStage enrollment.

Attachments

You can use the Attachments payload to upload attachments to store for computers.

This information is stored in Jamf Pro for each computer enrolled using a PreStage enrollment.

Certificates

You can use the Certificates payload to establish trust during enrollment if your Jamf Pro instance uses an SSL certificate that is not natively trusted by Apple products. The computer attempts a secure connection with Jamf Pro using only this certificate to enroll.

For more information about the certificates that are trusted by Apple, see Available trusted root certificates for Apple operating systems from Apple's support website.

Note:

If your Jamf Pro instance uses an SSL certificate that was created by the Jamf Pro built-in CA, an anchor certificate for enrollment is automatically added to this payload.

If your Jamf Pro server URL ends with "jamfcloud.com" you should not configure this payload.

Directory (deprecated)

The Directory payload is only displayed for existing PreStage enrollments that were configured using this payload in Jamf Pro 10.9.0 or earlier.

To choose a directory server for computers during enrollment using Jamf Pro 10.10.0 or later, create a configuration profile with a Directory payload configured, and then add that profile to a PreStage enrollment using the Configuration Profiles payload.

Enrollment Packages

You can use the Enrollment Packages payload to choose packages to deploy to computers during enrollment. Installation commands for the selected packages are deployed to computers before the user completes the Setup Assistant.

Enrollment Experience Customization

You can customize the enrollment experience for the user with the following features in the PreStage enrollment:

  • Enrollment Customization configurations—You can use the General payload to add an Enrollment Customization configuration to the PreStage enrollment. For example, you can add an Enrollment Customization configuration to display an End User License Agreement (EULA) during enrollment or other custom messaging as the user advances through the Setup Assistant. For more information, see Enrollment Customization Settings.

    To add an Enrollment Customization configuration to the PreStage enrollment, you must have at least one configuration in the Enrollment Customization settings. Enrollment Customization configurations are applied to computers with macOS 10.15 or later only.

  • Configuration profiles—You can use the Configuration Profiles payload to distribute profiles that define settings and restrictions for computers during enrollment. This allows the profiles to be installed on computers before the user completes the Setup Assistant, enabling the user to access resources on your network immediately after their computer is enrolled with Jamf Pro. For example, you can distribute a profile that enables a user to automatically join your network during enrollment.

    To add configuration profiles to the Configuration Profiles payload, you must create the profile prior to configuring the PreStage enrollment. For more information, see Computer Configuration Profiles. In addition, when you create the computer configuration profile, you must ensure that the scope of the profile contains the computers that are in the scope of the PreStage enrollment.

    Note:

    Configuration profiles that contain payload variables are not replaced with the attribute values for the variable. If you want to distribute profiles that contain payload variables, it is recommended that you distribute the profile after the computer is enrolled with Jamf Pro.

  • Enrollment packages—You can add as many packages to the Enrollment Packages payload as your provisioning workflow requires (multiple packages are supported on computers with macOS 10.14.4 or later; earlier versions install only one package). This enables you to install software that is needed early in provisioning (e.g., Jamf Connect).

  • Setup Assistant steps—You can use the General payload to select Setup Assistant screens that you want the user to skip during enrollment (e.g., Apple ID login). When you select a step, that screen is not presented to the user during enrollment. For more information about the screens that can be skipped during enrollment, see Setup Assistant pane options in Apple devices in Apple's Mobile Device Management Settings.

  • Account creation—You can create a local administrator account and specify the type of account for the user to create on the computer during enrollment. You can pre-fill and lock the account information so when a user enrolls their computer, the Full Name and Account Name will be pre-populated in the Account Creation screen of the Setup Assistant.
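The following is an added example, not Jamf's code, that works through the package-ordering rules this page gives for the Enrollment Packages payload (ascending priority number, alphabetical tie-break, and only the lowest-priority-number package on macOS earlier than 10.14.4). The package names and priorities in SAMPLE_PACKAGES are constructed sample data, and the case-insensitive tie-break is an assumption because the page only says "alphabetical".

```python
"""Added example, not Jamf's code: compute the order in which the packages in
a PreStage enrollment's Enrollment Packages payload are installed, following
the rules stated on this page. Package names and priorities in
SAMPLE_PACKAGES are constructed sample data."""

from dataclasses import dataclass
from typing import Iterable, List, Tuple

# First macOS version that installs more than one enrollment package.
MULTI_PACKAGE_MIN_VERSION = (10, 14, 4)


@dataclass(frozen=True)
class Package:
    name: str
    priority: int  # Jamf package priority; lower numbers install first


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '10.14.4' into (10, 14, 4) and '11.5' into (11, 5, 0) so that
    versions of different lengths compare correctly as tuples."""
    parts = [int(p) for p in version.strip().split(".")]
    if not 1 <= len(parts) <= 3 or any(p < 0 for p in parts):
        raise ValueError(f"unrecognised macOS version: {version!r}")
    padded = parts + [0] * (3 - len(parts))
    return (padded[0], padded[1], padded[2])


def install_order(packages: Iterable[Package], macos_version: str) -> List[str]:
    """Return package names in installation order for the given macOS version.

    10.14.4 or later: every package, by ascending priority number; packages
    with the same priority are ordered alphabetically by name (assumption:
    the comparison is case-insensitive; the page only says "alphabetical").
    Earlier macOS: only the package with the lowest priority number.
    """
    ordered = sorted(packages, key=lambda p: (p.priority, p.name.lower()))
    if not ordered:
        return []
    if parse_version(macos_version) >= MULTI_PACKAGE_MIN_VERSION:
        return [p.name for p in ordered]
    return [ordered[0].name]


# Constructed sample payload: two packages share priority 5 to show the tie-break.
SAMPLE_PACKAGES = [
    Package("Zoom.pkg", 5),
    Package("JamfConnect.pkg", 1),
    Package("Office.pkg", 5),
    Package("Chrome.pkg", 10),
]

if __name__ == "__main__":
    for version in ("12.0", "10.14.4", "10.14.3"):
        print(version, "->", install_order(SAMPLE_PACKAGES, version))
```

Running the block shows that a Mac on macOS 10.14.3 receives only JamfConnect.pkg, so anything a fleet still on older macOS needs at first boot has to be the package with the lowest priority number.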

Enrollment Packages

You can use the Enrollment Packages payload to choose packages to deploy to computers during enrollment. You can install software on the computer that is critical to the enrollment workflow before the user completes the Setup Assistant or before the Jamf binary is installed during enrollment with Jamf Pro.

Consider the following when configuring the Enrollment Packages payload:

  • Signed distribution packages

    You must upload a signed distribution package to Jamf Pro prior to configuring the PreStage enrollment. You can use Composer or a third-party packaging tool to build a signed PKG. For more information about building packages using Composer, see the Composer User Guide. After building a PKG, you must sign and convert it to a distribution package.

    Note:

    Packages must be signed using a certificate that is trusted by the device at the time of enrollment. It is recommended that the package is signed with a certificate generated from either the Jamf Pro built-in CA or from an Apple Developer Program account. For more information, see the Creating a Signing Certificate Using Jamf Pro's Built-in CA to Use for Signing Configuration Profiles and Packages article.

  • Multiple packages

    You can add multiple packages to the Enrollment Packages payload to be deployed to computers with macOS 10.14.4 or later. Order of package installation is determined by the package priority. If multiple packages have the same priority, packages are installed in alphabetical order based on the package name. Earlier versions of macOS can only install one package and will install the package with the lowest priority number. For example, a package with a priority of "1" is installed instead of the package with a priority of "5". These packages are installed on the computer during the Setup Assistant process and larger packages (e.g., Microsoft Office) may slow the enrollment process.

  • Package hosting

    To deploy an enrollment package to computers using a distribution point other than a cloud distribution point, the distribution point must use HTTPS and cannot use any authentication. You can also secure the download of the enrollment package from an external distribution server using a JSON Web Token (JWT) in Jamf Pro. This ensures that enrollment packages are downloaded securely to users' computers from external distribution servers. For more information, see JSON Web Token for Securing In-House Content.

  • Custom manifest file

    Packages must have a corresponding manifest file (XML plist format) that contains the URL to download the package from an HTTPS server and other required information for the package. By default, Jamf Pro creates this file when you upload the package directly to Jamf Pro or add it with Jamf Admin. If your environment hosts packages on an HTTPS server that is not a Jamf Pro HTTPS-capable distribution point, you can create a custom manifest file and upload it along with the package to Jamf Pro. To use a custom manifest file, ensure that you upload the file at the same time as the package. For more information about uploading packages to Jamf Pro, see Package Management.

    For more information about creating and hosting a manifest file, see the Preparing to distribute in-house macOS apps in Apple's Deployment Reference for Mac.
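The following is an added example, not Jamf's or Apple's code, of what a custom manifest for an externally hosted package contains and of the check the enrolling Mac performs against it. The layout (items, assets with chunked hashes, metadata) follows Apple's InstallEnterpriseApplication manifest format; the package bytes, URL, bundle identifier, title and version are constructed sample values, and the 10 MiB default chunk size is an assumption.

```python
"""Added example, not Jamf's or Apple's code: build the manifest plist that
accompanies a package hosted on an external HTTPS server, and re-check a
downloaded package against it the way the enrolling Mac does. The package
bytes, URL, bundle identifier, title and version are constructed samples."""

import hashlib
import plistlib
from typing import Dict, List

# Assumption: hash the package in 10 MiB chunks, the conventional md5-size value.
DEFAULT_CHUNK_SIZE = 10 * 1024 * 1024


def chunk_hashes(data: bytes, chunk_size: int, algorithm: str) -> List[str]:
    """Hex digests of each chunk_size slice of data (last slice may be shorter)."""
    if chunk_size <= 0:
        raise ValueError("chunk_size must be positive")
    return [hashlib.new(algorithm, data[i:i + chunk_size]).hexdigest()
            for i in range(0, len(data), chunk_size)]


def build_manifest(pkg_bytes: bytes, url: str, bundle_id: str, version: str,
                   title: str, chunk_size: int = DEFAULT_CHUNK_SIZE) -> Dict:
    """Return the manifest as a dictionary ready for plistlib.dumps()."""
    if not url.lower().startswith("https://"):
        # The page requires an HTTPS host; refuse to emit a manifest for anything else.
        raise ValueError("package URL must use https://")
    if not pkg_bytes:
        raise ValueError("package is empty")
    return {
        "items": [{
            "assets": [{
                "kind": "software-package",
                "url": url,
                # Both hash families are emitted: md5s for older clients,
                # sha256s for clients that use the stronger hash.
                "md5-size": chunk_size,
                "md5s": chunk_hashes(pkg_bytes, chunk_size, "md5"),
                "sha256-size": chunk_size,
                "sha256s": chunk_hashes(pkg_bytes, chunk_size, "sha256"),
            }],
            "metadata": {
                "kind": "software",
                "bundle-identifier": bundle_id,
                "bundle-version": version,
                "title": title,
            },
        }]
    }


def manifest_to_plist(manifest: Dict) -> bytes:
    """Serialise to the XML plist that is uploaded next to the package."""
    return plistlib.dumps(manifest, fmt=plistlib.FMT_XML)


def verify_download(manifest_plist: bytes, downloaded: bytes) -> bool:
    """True only if the downloaded bytes reproduce every sha256 chunk hash
    in the manifest, chunk by chunk and with the same number of chunks."""
    asset = plistlib.loads(manifest_plist)["items"][0]["assets"][0]
    actual = chunk_hashes(downloaded, asset["sha256-size"], "sha256")
    return actual == asset["sha256s"]


# Constructed stand-in for a package: 3000 bytes, hashed in 1024-byte chunks
# so that the manifest carries three hashes per algorithm.
SAMPLE_PKG = bytes(range(256)) * 11 + b"\x00" * 184
SAMPLE_MANIFEST = manifest_to_plist(build_manifest(
    SAMPLE_PKG, "https://pkgs.example.com/JamfConnect.pkg",
    "com.example.jamfconnect", "2.0.0", "Jamf Connect", chunk_size=1024))

if __name__ == "__main__":
    print(SAMPLE_MANIFEST.decode())
    print("intact:", verify_download(SAMPLE_MANIFEST, SAMPLE_PKG))
    tampered = SAMPLE_PKG[:-1] + b"\xff"
    print("tampered:", verify_download(SAMPLE_MANIFEST, tampered))
```

The manifest is what ties the package to the URL it is fetched from, so the hashes must be regenerated whenever the package is rebuilt; a stale manifest fails verification on the client and the package is not installed during the Setup Assistant.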

Setup Assistant Steps

You can select Setup Assistant screens that you want the user to skip during enrollment. When you select a step, that screen is not presented to the user during enrollment.

Selecting Automatically advance through Setup Assistant prevents any Setup Assistant screens from being displayed to the user during enrollment. When the Setup Assistant is advanced automatically, the computer defaults to the Pacific Time Zone (PT) after it enrolls with Jamf Pro; configure the language and region in the PreStage enrollment so the locale on the computer is set automatically.

For more information about the screens that can be skipped during enrollment, see Manage Setup Assistant for Apple devices in Apple Platform Deployment.

Account Creation

You can use the Account Settings payload to create a managed administrator account and specify the type of local user account to create for computers with macOS 10.10 or later enrolled via the PreStage enrollment. You can also pre-fill and lock the account information for the user during the Account Creation screen of the Setup Assistant for computers with macOS 10.15 or later.

Note:

A managed administrator account created by the PreStage enrollment is eligible to receive a SecureToken when it logs in to a computer with macOS 10.15 or later if a Bootstrap Token has been escrowed to Jamf Pro. For more information about Bootstrap Token, see Using Bootstrap Token in Apple's Deployment Reference for Mac.

For more information about how to manually create and escrow the Bootstrap Token on the computer and to allow Jamf Pro to store the token, see the Manually Leveraging Apple's Bootstrap Token Functionality article.

You can create the following settings:

  • Create a local administrator account

    When you create a local administrator account, you enter the username and password. You can choose to hide this account from the user. If you do not enter information for this account, Jamf Pro automatically populates this information from the User-Initiated Enrollment settings; however, you can edit the information.

  • Create a local user account

    You can choose the following types of local user accounts you want the user to create during enrollment:

    • Administrator Account—This option makes the user the administrator for the computer.

    • Standard Account—This option makes the user a standard user for the computer. You must create the local administrator account when choosing this option.

    • Skip Account Creation—The user does not create an account during enrollment. You must create the local administrator account when choosing this option and the local administrator is the only user on the computer.

When you create the local user account, you can pre-fill and lock the primary account information on computers during enrollment. When users enroll their computers, the Full Name and Account Name will be pre-populated in the Account Creation screen during the Setup Assistant. If you lock the account information, users cannot change it during the Account Creation screen in the Setup Assistant.

You can choose the following options to pre-fill this information:

  • Custom Details

    This option allows you to enter the account full name and the account name for the computer. This information is applied to all computers enrolled via the PreStage.

  • Device Owner's Details

    This option sets the account name and account full name based on the Username and Full Name values in the computer's inventory information at the time of enrollment. If authentication is required during enrollment, the user's information is associated with the computer using a lookup from Jamf Pro to LDAP.

Note:

If you add an Enrollment Customization configuration that uses a Single Sign-On Authentication PreStage Pane and an LDAP directory lookup is not available, Jamf Pro will be informed of only the Username and will not be able to define a Full Name for the Setup Assistant user's account creation. The username information from your identity provider (IdP) is populated by the `NameID` attribute defined within your IdP's SAML application. Check with your IdP for options to customize this value.

If your environment has an LDAP server set up in Jamf Pro, you can enter user variables in the Account Full Name and Account Name fields when configuring the Pre-Fill Primary Account settings. Each variable is replaced with the value of the corresponding LDAP attribute for the authenticated user when the Account Creation screen is displayed in the Setup Assistant. For more information, see LDAP Directory Service Integration.

You can enter the following variables:

  • $USERNAME

  • $FULLNAME

  • $REALNAME

  • $EMAIL

  • $PHONE

  • $POSITION

  • $ROOM

  • $EXTENSIONATTRIBUTE_#

Note:

  • If a blank value is returned for the user variable, locking primary account information is ignored. Users can edit the account fields during account creation in the Setup Assistant.

  • User extension attributes can be used when configuring the Pre-Fill Primary Account settings. Computer and mobile device extension attributes are not supported.
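The following is an added example, not Jamf's code, that expands the user variables listed above from a directory record and applies the rule in the note: a blank value for any variable cancels the lock, leaving both fields editable. SAMPLE_RECORD and the attribute keys it uses are constructed assumptions, not Jamf's LDAP attribute mapping, and leaving an unrecognised variable untouched rather than blanking it is a design choice of this example.

```python
"""Added example, not Jamf's code: expand the $VARIABLE placeholders allowed in
the Pre-Fill Primary Account fields from a directory record, and apply the
rule on this page that a blank variable value cancels locking of the account
information. SAMPLE_RECORD and its attribute keys are constructed assumptions."""

import re
from dataclasses import dataclass
from typing import Dict, Tuple

# The variables the page lists; anything else (e.g. a computer extension
# attribute) is left in the field untouched rather than silently blanked.
VARIABLE_RE = re.compile(
    r"\$(USERNAME|FULLNAME|REALNAME|EMAIL|PHONE|POSITION|ROOM|EXTENSIONATTRIBUTE_\d+)")


@dataclass(frozen=True)
class PrefillResult:
    full_name: str
    account_name: str
    locked: bool  # False when any variable in either field resolved to blank


def lookup(record: Dict, variable: str) -> str:
    """Value of one variable from the directory record ('' when missing)."""
    if variable.startswith("EXTENSIONATTRIBUTE_"):
        number = variable.split("_", 1)[1]
        value = record.get("extension_attributes", {}).get(number, "")
    else:
        value = record.get(variable.lower(), "")
    return (value or "").strip()


def expand(template: str, record: Dict) -> Tuple[str, bool]:
    """Replace every known variable; report whether all of them were non-blank."""
    blank_seen = False

    def replace(match) -> str:
        nonlocal blank_seen
        value = lookup(record, match.group(1))
        if not value:
            blank_seen = True
        return value

    return VARIABLE_RE.sub(replace, template), not blank_seen


def prefill_account(full_name_field: str, account_name_field: str,
                    record: Dict, lock_requested: bool) -> PrefillResult:
    """Compute what the Account Creation screen should show and whether the
    fields are locked against user edits."""
    full_name, full_ok = expand(full_name_field, record)
    account_name, account_ok = expand(account_name_field, record)
    # Per the page: if any variable returned blank, the lock is ignored and the
    # user can edit both fields, even when locking was requested.
    locked = lock_requested and full_ok and account_ok
    return PrefillResult(full_name, account_name, locked)


# Constructed directory record for the demonstration (no "realname" on purpose).
SAMPLE_RECORD = {
    "username": "jdoe",
    "fullname": "Jane Doe",
    "email": "jdoe@example.com",
    "extension_attributes": {"3": "ENG"},
}

if __name__ == "__main__":
    print(prefill_account("$FULLNAME ($EXTENSIONATTRIBUTE_3)", "$USERNAME", SAMPLE_RECORD, True))
    print(prefill_account("$REALNAME", "$USERNAME", SAMPLE_RECORD, True))  # blank -> unlocked
```

The second call is the case to watch for: a directory attribute that is empty for some users quietly turns a locked account name into an editable one, so check that every attribute you reference is populated for everyone in scope before relying on the lock.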

Computer Management Capability Settings

You can use the General payload to enable additional management capabilities. The following do not impact the user's enrollment experience, but do offer you additional remote management when applied:

  • User Authentication

    To increase the security of sensitive user information, it is recommended that you require users to authenticate during computer setup using an LDAP directory account or a Jamf Pro user account. If users authenticate with an LDAP directory account, user and location information is submitted during enrollment.

    To require LDAP users or Jamf Pro users to authenticate during setup, you need an LDAP server set up in Jamf Pro. For more information, see LDAP Directory Service Integration.

    If an Enrollment Customization configuration is added to this PreStage, this setting is ignored for computers with macOS 10.15 or later.

  • MDM Profile

    The MDM Profile enables you to remotely manage computers using Jamf Pro. Users are automatically required to apply the MDM profile on computers with macOS 10.15 or later during enrollment with Jamf Pro. If the MDM profile is removed, you can no longer send remote commands or distribute configuration profiles to the computer. You can use Jamf Pro to prevent a user from removing this profile after enrollment.

  • Activation Lock functionality

    You can prevent a user from enabling Activation Lock for compatible computers with macOS 10.15 or later during enrollment. When computers are enrolled with Jamf Pro, the user cannot enable Activation Lock on the computer if they enable the Find My Mac service.

    For more information about Activation Lock and macOS compatibility, see About Activation Lock on your Mac from Apple's support website.

  • Recovery Lock functionality

    You can set Recovery Lock for computers with Apple silicon (e.g., M1 chip) with macOS 11.5 or later during enrollment. Enabling this feature prevents access to macOS Recovery without a password, providing additional security for the computers in your environment. Jamf Pro allows you to create and store this password for each computer. You can view the password in the computer's inventory information. For more information about Recovery Lock, see Use macOS Recovery on a Mac with Apple silicon from Apple's macOS User Guide.

    You can select one of the following methods to configure the Recovery Lock password:

    • Manually enter a password that is applied to all computers in the scope of the PreStage

    • Enable Jamf Pro to generate a random password that is unique to each computer in the scope

      To enhance the security of the Recovery Lock password, you can configure Jamf Pro to generate a new, random Recovery Lock password 60 minutes after the password is viewed in a computer’s inventory information.

Configuring a Computer PreStage Enrollment

Requirements

Before you can use a PreStage enrollment, the computers you want to enroll must be associated with your Automated Device Enrollment instance; only those computers can be added to the scope.

To deploy packages during enrollment, each package must be uploaded to Jamf Pro as a signed distribution package, signed with a certificate the computer trusts at the time of enrollment. It is recommended that the package is signed with a certificate generated from either the Jamf Pro built-in CA or from an Apple Developer Program account. For more information, see the Creating a Signing Certificate using Jamf Pro's Built-in Certificate Authority article.

  1. In Jamf Pro, click Computers at the top of the sidebar.
  2. Click PreStage Enrollments in the sidebar.
  3. Click New.
  4. Use the General payload to configure basic settings for the PreStage enrollment. In addition, you can do the following on the General pane:
    • To require that users authenticate with their username and password, select the Require Authentication checkbox.

      Note:

      The Require Authentication checkbox is only displayed if an LDAP server has been set up in Jamf Pro.

    • To customize the user experience of the Setup Assistant, do the following:

      • Choose an Enrollment Customization configuration to apply to computers.

      • Select which steps you want to skip in the Setup Assistant. If you choose to skip steps, the user can enable these settings after the computer is configured unless otherwise restricted. To prevent any Setup Assistant screens from displaying, select Automatically advance through Setup Assistant (macOS 11 or later only).

      Note:

      The computer must be connected to the Internet during the Setup Assistant. Connection via Ethernet cable and a power source is recommended.

  5. Configure additional payloads as needed based on the goals you are trying to achieve with the PreStage.
  6. Click the Scope tab and configure the scope of the PreStage enrollment by selecting the checkbox next to each computer you want to add to the scope.

    The computers listed on the Scope tab are the computers that are associated with the Automated Device Enrollment instance (formerly DEP) via the server token file (.p7m) you downloaded from Apple. If you clone a PreStage enrollment, computers in the scope of the original PreStage enrollment are not included in the scope of the cloned PreStage enrollment.

    You can use the Select All button to add all associated computers to the scope. This adds all computers associated with Automated Device Enrollment via the server token file regardless of any results that have been filtered using the Filter Results search field. The Deselect All button removes all associated computers from the scope.

    Note:

    If you want to add computers to the scope automatically as they become associated with the Automated Device Enrollment instance, select the Automatically assign new devices checkbox in the General payload.

  7. Click Save.