Enrollment Customization Settings

The Enrollment Customization settings in Jamf Pro allow you to further customize the experience for a user when they enroll their computer or mobile device with Jamf Pro via a PreStage enrollment. For example, you can display an End User License Agreement (EULA) during enrollment or other custom messaging as the user advances through the Setup Assistant. The Enrollment Customization settings also allow you to apply branding to display a familiar look and feel—such as your company's colors or logos—to users.

Configuring the Enrollment Customization settings creates an Enrollment Customization configuration that you can add to a Computer or Mobile Device PreStage enrollment.

Creating an Enrollment Customization configuration involves configuring the following:
  • PreStage Panes: PreStage Panes are groups of settings that allow you to customize how the screens display to users during the Setup Assistant. You can configure authentication screens and custom text screens.
  • Settings for Branding: You can configure settings that allow you to customize how the Enrollment Customization configuration is displayed by adding an icon and configuring colors to present users with a familiar look and feel.

PreStage Panes

A PreStage Pane is a group of settings that allow you to customize the screens that are displayed to the user during enrollment with Jamf Pro. The PreStage Panes are displayed to the user as screens during the Setup Assistant and are presented after the user chooses a Wi-Fi Network or other connection to the Internet.

The following table describes the types of PreStage Panes that you can configure and how the panes are displayed to the user:

Type of PreStage Pane | Description | User Experience

Single Sign-On Authentication

Description: If you have Single Sign-On enabled in Jamf Pro, configuring this pane automatically applies the settings configured in the Single Sign-On settings to enable the user to authenticate with your Identity Provider (IdP) using SSO. You can choose to allow access to any Identity Provider user or to allow access to only a select group of users in your IdP.

Note:

You can only allow access to one group.

This automatically assigns the user to their device in Jamf Pro. If LDAP is integrated with Jamf Pro, the User and Location information will be fully populated using a lookup from Jamf Pro to LDAP. If LDAP is not integrated with Jamf Pro, the Username field will be the only item populated in the User and Location category, and user lookup will not work during enrollment.

If your environment uses Jamf Connect, you can enable Jamf Pro to pass user information to Jamf Connect. This allows Jamf Pro to pass the Account Name (the username that was used to authenticate with your IdP) and the Account Full Name (the full name of the user) to Jamf Connect. For example, if Samantha Johnson authenticates with your IdP, Jamf Pro passes both the username (e.g., samantha.johnson) and the Account Full Name (e.g., Samantha Johnson) to Jamf Connect. This creates the local account on the computer with the user's Account Full Name. The user can log in to their computer with the Account Name. For more information, see the Managing Jamf Connect and Enrollment Customization with Jamf Pro technical paper.

In addition, you can map the Account Name and the Account Full Name to the fields that your IdP uses to define these attributes. For example, if your IdP uses "Short Name" for the Account Name, you can map "Short Name" to Account Name in Jamf Pro.

Jamf Pro creates a profile with this information and distributes the profile to the computer during enrollment. This information remains on the computer for up to one hour.

Note:

You can only add one Single Sign-On Authentication PreStage Pane to an Enrollment Customization configuration, and you cannot add a Single Sign-On Authentication pane if there is an LDAP Authentication pane currently added.

User Experience: A screen is presented to the user that displays your IdP's login screen prompting the user to authenticate.

If a user is not part of a group that was given access, an "Access Denied" message is displayed to the user after they authenticate with your IdP.

If you enabled Jamf Pro to pass user information to Jamf Connect, the user is presented with the Jamf Connect Login screen after authenticating to your IdP. At this screen, they must re-enter their password to continue with enrollment.

The Setup Assistant automatically proceeds after the user authenticates.

Note:

If a user is unable to authenticate using their IdP credentials at the Single Sign-On Authentication screen, the enrollment process cannot continue until the correct credentials are entered.

Text

Description: This pane allows you to enter custom text to display to the user during enrollment, such as a EULA. You can also enter text for a title of the page and text to label the navigational buttons to guide the user through each screen.

You can enter text in plain text format or you can customize the text displayed to the user by using Markdown in the text field for the body of the pane. See the Using Markdown to Format Text article for information on limitations to the Markdown syntax that can be used in this pane.

Note:

This pane does not support HTML.

You can configure as many Text PreStage Panes as fit your environment.

After you add a Text pane, you can preview the user experience in Jamf Pro.

User Experience: A screen is displayed with the text and navigational buttons you configured in Jamf Pro. If you added a title to the pane, the title is displayed as a heading.

If you add multiple Text PreStage Panes, the user transitions to each screen by clicking or tapping the navigational buttons. The Setup Assistant automatically proceeds after the user transitions through the last screen you configured.

LDAP Authentication

Description: If you have an LDAP server set up in Jamf Pro, configuring this pane enables the user to authenticate using their LDAP credentials during enrollment. You must enter text for a title of the page, text for the username and password fields, and text to label the navigational buttons to guide the user through the login screen.

In addition, you can restrict enrollment access to only a select LDAP group or groups. Only the selected LDAP group is allowed to enroll devices using the PreStage enrollment. You can add as many LDAP groups to the pane as your environment requires.

This automatically assigns the user to their device in Jamf Pro. The User and Location information will be fully populated using a lookup from Jamf Pro to LDAP.

Note:

You can only add one LDAP Authentication PreStage Pane to an Enrollment Customization configuration, and you cannot add an LDAP Authentication pane if there is a Single Sign-On Authentication pane currently added.

User Experience: A screen is presented to the user that displays a login screen prompting the user to authenticate with their LDAP credentials.

The Setup Assistant automatically proceeds after the user authenticates.

You can drag and drop PreStage Panes into the order in which you want them displayed to the user. If you added a Single Sign-On Authentication PreStage Pane and a Text PreStage Pane, the user moves from one pane to the next by authenticating in the IdP login screen or by using the navigational buttons.

Settings for Branding

Jamf Pro allows you to configure settings that customize elements within the Enrollment Customization configuration to present end users with a familiar look and feel. You can customize the elements in the Text and LDAP Authentication PreStage Panes.

You can upload an icon that displays at the top of all Text and LDAP Authentication PreStage Panes throughout the enrollment process. The icon must be a GIF or PNG file, and a size of 180x180 pixels is recommended.

The following elements can be customized by entering a six-digit hexadecimal color code or by using the color picker:

  • Body Text Color—This color is applied to the text in the pane.

  • Button Color—This color is only applied to the navigational button that allows users to move forward in the enrollment process.

  • Button Text Color—This color is only applied to the text on the navigational button that allows users to move forward in the enrollment process.

  • Background Color—This color is displayed in the background, behind the panes during the enrollment process.

The preview field to the right of the Branding settings automatically displays your changes so you can finalize your configuration before saving.

Note:

The preview functionality for a Single Sign-On Authentication PreStage Pane is a generic authentication preview. This user experience is dependent on your Identity Provider.
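
The pane and branding rules described above can be checked before a configuration is built in Jamf Pro. The following is an added example, not Jamf's code: a linter over a hypothetical local dict layout (not the Jamf Pro API schema) that applies the one-SSO-pane, SSO/LDAP exclusivity and one-group rules, and confirms the icon's format and size from the file's leading bytes rather than its extension. The names `lint`, `icon_info` and all dict keys are illustrative assumptions.

```python
import re
import struct
# Assumptions: this dict layout is a local, hypothetical description of a
# configuration (not Jamf Pro's API schema), and a leading '#' on a color
# is tolerated. All sample values below are constructed.
COLOR_KEYS = ("body_text", "button", "button_text", "background")

def icon_info(data: bytes):
    """Return (format, width, height) for PNG or GIF bytes, else None."""
    if len(data) >= 24 and data[:8] == b"\x89PNG\r\n\x1a\n" and data[12:16] == b"IHDR":
        return ("PNG",) + struct.unpack(">II", data[16:24])  # IHDR width, height
    if len(data) >= 10 and data[:6] in (b"GIF87a", b"GIF89a"):
        return ("GIF",) + struct.unpack("<HH", data[6:10])  # logical screen size
    return None

def lint(config: dict) -> list:
    """Return violations of the pane and branding rules stated on this page."""
    problems = []
    panes = config.get("panes", [])
    types = [p["type"] for p in panes]
    for kind, label in (("sso", "Single Sign-On"), ("ldap", "LDAP")):
        if types.count(kind) > 1:
            problems.append(f"more than one {label} Authentication pane")
    if "sso" in types and "ldap" in types:
        problems.append("SSO and LDAP Authentication panes cannot be combined")
    for pane in panes:
        if pane["type"] == "sso" and len(pane.get("groups", [])) > 1:
            problems.append("SSO pane can allow access to only one group")
    branding = config.get("branding", {})
    for key in COLOR_KEYS:
        if key in branding and not re.fullmatch(r"#?[0-9A-Fa-f]{6}", branding[key]):
            problems.append(f"{key} color is not a six-digit hex code")
    if "icon" in branding:
        info = icon_info(branding["icon"])
        if info is None:
            problems.append("icon is not a GIF or PNG file")
        elif info[1:] != (180, 180):
            problems.append(f"icon is {info[1]}x{info[2]}; 180x180 is recommended")
    return problems

# Constructed sample: a 64x64 PNG header and a deliberately inconsistent config.
PNG_64 = b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR" + struct.pack(">II", 64, 64)
SAMPLE = {
    "panes": [{"type": "sso", "groups": ["Staff", "Contractors"]}, {"type": "ldap"}],
    "branding": {"button": "0A84FF", "background": "12G", "icon": PNG_64},
}

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```
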

Creating an Enrollment Customization Configuration

Requirements

To add a Single Sign-On Authentication PreStage Pane, you must have Single Sign-On enabled in Jamf Pro. For more information, see Single Sign-On.

Enabling Jamf Pro to pass user information to Jamf Connect requires Jamf Connect 1.12.0 or later. In addition, you must ensure Jamf Connect is configured and integrated with your identity provider (IdP). For more information, see the Managing Jamf Connect and Enrollment Customization with Jamf Pro technical paper.

To add an LDAP Authentication PreStage Pane, you need an LDAP server set up in Jamf Pro. For more information, see LDAP Directory Service Integration.

The Enrollment Customization settings apply to the following:

  • Mobile devices with iOS 13 or later, and iPadOS 13 or later

  • Computers with macOS 10.15 or later

  1. In Jamf Pro, click Settings in the top-right corner of the page.
  2. In the Global Management section, click Enrollment Customization.
  3. Click New.
  4. Enter a display name and description for the Enrollment Customization configuration.
  5. Choose a site to add the Enrollment Customization configuration to from the Site pop-up menu.
    Adding an Enrollment Customization configuration to a site allows you to add the configuration to a PreStage enrollment in that same site.
    Note:

    If you have site access only, the profile is assigned to the applicable site automatically and the Site pop-up menu is not displayed.

  6. Add PreStage Panes to display screens to the end user:
    1. Click Add Pane.
    2. In the Add Pane dialog, enter a display name for the pane that will identify it in the list of PreStage Panes.
    3. Choose the type of PreStage Pane you want to add from the Pane Type pop-up menu.
    4. Configure the settings for the PreStage Pane.
      Note:
      • If you are configuring a Text PreStage Pane as the first screen presented to the user in the configuration, the button for navigating back in the enrollment process is not displayed. If the pane is the last screen in the configuration, the button to navigate forward initiates the enrollment process.

      • If you enable Jamf Pro to pass user information to Jamf Connect, you can map the attributes of your Identity Provider to Account Name and Account Full Name. For example, if your IdP uses "Short Name" for the Account Name, you can type "Short Name" in the Account Name field so when the user enters their username (Account Name) during enrollment, Jamf Connect maps the Account Name to the "Short Name" in the IdP.

        Values entered in the Account Name and Full Account Name fields must be entered exactly as they appear in your IdP.

    5. Click Apply.
  7. Repeat step 6 to add additional PreStage Panes to the Enrollment Customization configuration.
  8. Click the Branding and Preview tab to customize the enrollment experience and configure the settings on the page.
    Once a change is made, it automatically displays in the preview field.
  9. Click Save.

After you create an Enrollment Customization configuration, you can add the configuration to a PreStage enrollment. For more information, see Computer PreStage Enrollments or Mobile Device PreStage Enrollments.

Note:

You cannot delete an Enrollment Customization configuration if the configuration has been added to a PreStage enrollment. To delete the configuration, you must first remove it from the PreStage.