Hey all! this may sounds like a dumb question, I am new to this, but I am wondering how one would configure a default admin user via Automatic Device Enrollment (DEP)? I have a JSON file setup by following these steps: https://fleetdm.com/guides/macos-setup-experience#macos-setup-assistant and the further documentation from apple here: https://developer.apple.com/documentation/devicemanagement/profile I have this working and it is deploying to the new workstations.

{
  "profile_name": "Enrollment Profile",
  "allow_pairing": false,
  "is_mdm_removable": true,
  "is_mandatory": true,
  "is_multi_user": false,
  "org_magic": "1",
  "language": "en",
  "region": "US",
  "skip_setup_items": [
    "AppleID",
    "AppStore",
    "Diagnostics",
    "EnableLockdownMode",
    "FileVault",
    "iCloudDiagnostics",
    "iCloudStorage",
    "Intelligence",
    "Location",
    "Payment",
    "Privacy",
    "Restore",
    "ScreenTime",
    "Siri",
    "TermsOfAddress",
    "TOS",
    "UnlockWithWatch"
  ],
  "support_email_address": "email@email.com",
  "await_device_configured": true
}

but I'm wondering how would would run DEP commands, such as ones listed here: https://developer.apple.com/documentation/devicemanagement/accountconfigurationcommand/command https://developer.apple.com/documentation/devicemanagement/account_configuration The main goal of this would be to not allow users to be admins and force the

setPrimarySetupAccountAsRegularUser

key to true

Hey @Billy H, I would take a look at this MDM command: https://developer.apple.com/documentation/devicemanagement/accountconfigurationcommand/command/autosetupadminaccountitem

Thanks @Dale Ribeiro. I guess my question is, how do I deploy these commands as part of the setup experience for fleet? I have a XML command file written that should do everything I want, I just don't know how to incorporate it. For example, if I try to use the xml example plist in the 2nd link you sent, that file cannot be uploaded directly to the Custom Settings page as it is not properly formatted.

Ah, got it. If I were building this, I think I'd do something like this: • In the Fleet UI, go to Controls > Setup experience > Setup assistant > Show advanced options > ✅ the box for Release device manually. This will let you send MDM commands to the device before it proceeds through the setup assistant. • Use the Fleet API to send the Account Configuration MDM command with this endpoint: https://fleetdm.com/docs/rest-api/rest-api#run-mdm-command • After that command is delivered, release the device from configuration using Release Device from Await Configuration an MDM command. Use the same Fleet run MDM command endpoint to deliver this to the host

Got it, this is gonna be a much more complex setup than I had hoped for. Is there any plans to integrate commands into the Fleet portal and not just the API in the future? Been trying to keep this entire process self hosted and signing up for additional providers is gonna make that messy

Hey @Billy H, yep that's the article I was looking for! There's a global activities webhook that'll fire off for device enrollments

Thanks @Dale Ribeiro! So actually this is something I meant to reach out to support about, I don't seem to be able to see the Activities page that is described here: https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Audit-logs.md I am a full admin in Fleet so I don't think it's a permissions issue

What version of Fleet are you running? The activities feed should be available to the right side of the main dashboard after you log in. Automations was added in 4.51

Oh man I feel really dumb... I guess I was expecting it to be a tab. Welp thanks for pointing it out haha thanks!

No problem! 😄