Issue Description
This article will discuss troubleshooting User-Initiated Enrollment.
Warning: Do not use the same username for the management account created in user-initiated enrollment settings and a managed local administrator account created in a PreStage enrollment. If the same username is used for both, those accounts may not be created correctly during Automated Device Enrollment, and unexpected errors may occur. In addition, the password for the local administrator password solution (LAPS) will not be retrievable in the Jamf Pro API.
Important: The management account must be created to allow use of local administrator password solution (LAPS) functionality, which you can use to manage the management account password. For more information, see the Local Administrator Password Solution for Jamf Pro technical paper.
To configure Auto-Enrollment/PreStage enrollment, User-Initiated Enrollment must be configured in the Jamf Pro settings.
Troubleshooting Steps
1. Verify User-Initiated Enrollment is enabled within Jamf Pro under Settings > Global > User-Initiated Enrollment.
macOS - check box for Enable user-initiated enrollment for computers
iOS - check box for Enable for institutionally owned devices
2. Verify device requirements have been met.
macOS requirements
Account-driven Device Enrollment:
Computers with macOS 14 or later
Managed Apple IDs and a service discovery configuration. For more information, see Prepare for Account-Driven Enrollment with Managed Apple IDs and Service Discovery.
(LDAP login only) An LDAP server set up in Jamf Pro. For more information, see LDAP Directory Service Integration.
(SSO login only) Single Sign-On Authentication enabled in Jamf Pro, with the Enable Single Sign-On for User Authentication during Enrollment checkbox selected. For more information, see Single Sign-On (SSO).
iOS requirements
Jamf Pro and personally owned device versions:
Note: Personally owned mobile devices must also have free storage space for corporate data.
Account-driven User Enrollment
Jamf Pro 10.33.0 or later
iOS or iPadOS 15 or later
Profile-driven User Enrollment
Jamf Pro 10.17 or later
iOS or iPadOS 13.1 or later
(account-driven User Enrollment) Managed Apple IDs and a service discovery configuration. For more information, see Prepare for Account-Driven Enrollment with Managed Apple IDs and Service Discovery.
(LDAP login only) An LDAP server set up in Jamf Pro. For more information, see LDAP Directory Service Integration in the Jamf Pro Documentation.
(SSO login only) Single Sign-On Authentication enabled in Jamf Pro, with the Enable Single Sign-On for User Authentication during Enrollment checkbox selected. For more information, see Single Sign-On (SSO).
3. Verify at which point in the User-Initiated Enrollment experience the error occurs:
Device enrollment experience for Computers
Institutionally owned User-Initiated Enrollment experience for Mobile Devices
For both Computers and Mobile Devices:
If an error occurs when authenticating with a Jamf Pro user account in the first step, verify that the account has, at minimum, enrollment-only permissions in Jamf Pro under Settings > System > User accounts and groups. This includes LDAP user groups and local user/group accounts for Jamf Pro.
If using an SSO account for authenticating, verify that the Enable Single Sign-On for User Authentication during Enrollment checkbox is selected. For more information, see Single Sign-On (SSO).
For Mobile Devices:
Step 5 of the User-Initiated Enrollment experience only populates for personally owned enrollments, not institutionally owned enrollments.
After authenticating and selecting the enrollment site, if applicable, the MDM profile is downloaded to the device, where it can be viewed in the settings menu of the device or computer.