If You Built It, They Will Come

Transcript

1. © JAMF Software, LLC If You Build it, They Will

   Come 1:30 - 2:15 PM UP NEXT
2. None

3. © JAMF Software, LLC Mark Lamont Professional Services Engineer Jigsaw24

   Jack Hollister Apple Enterprise Solutions Architect Jigsaw24

4. © JAMF Software, LLC If You Build it, They Will

   Come! Presentation agenda: Overview Automated Device Enrolment builds Automated NON Device Enrollment builds Policy driven reprovisioning

5. © JAMF Software, LLC Are you an organisation with… Devices

   of various OS levels Some assigned in ABM/ASM and Jamf Some, probably lots, not…. Need a common build and rebuild method Then this talk is for you..

6. © JAMF Software, LLC First Up Out of the box

   DEP build….

7. © JAMF Software, LLC Automated Device Enrolment Build How to

   setup automated provisioning of a DEP ready Mac Ideal for use with Jamf Connect Login, NoMAD or AD Binding No end user account created during the build

8. © JAMF Software, LLC Automated Device Enrolment Firstly a custom

   package is needed….

9. © JAMF Software, LLC Automated DE Build - Package Required

   components NoMAD Login NoMAD settings profile Branding graphics

10. © JAMF Software, LLC Automated DE Build - Package Package

    Post Install Script

11. © JAMF Software, LLC Enrollment Prestage A prestage is needed….

12. © JAMF Software, LLC Max image dimensions Automated DE Build

    - Prestage Add the package to Enrollment packages

13. © JAMF Software, LLC Max image dimensions Automated DE Build

    - Prestage Set local User account creation to Skip Account Creation

14. © JAMF Software, LLC Post Enrollment Policy A build policy

    is needed….

15. © JAMF Software, LLC Automated DE Build - Policy One

    policy required to run the build run on Enrollment Complete ongoing frequency Runs the build script

16. © JAMF Software, LLC Automated DE Build - Script What

    does it do? waits until any required input is made Runs policies using custom triggers Displays status updates Sets login window type

17. © JAMF Software, LLC Automated DE Build - Master Script

    Let’s break it down

18. © JAMF Software, LLC Automated DE Build - Script Wait

    until user input completed

19. © JAMF Software, LLC Automated DE Build - Script Write

    to Notify screen

20. © JAMF Software, LLC Automated DE Build - Script Install

    an application

21. © JAMF Software, LLC Automated DE Build - Script Reset

    Login window

22. © JAMF Software, LLC Automated DE Build - Demo Time

23. © JAMF Software, LLC Part 2…. Non Device Enrollment Build

    Teaching (your) grandmother to suck eggs is an English language saying that refers to a person giving advice to another person in a subject with which the other person is already familiar (and probably more so than the first person)

24. © JAMF Software, LLC NON DE Build - Uses What’s

    this used for? For devices NOT DEP capable but you… Want a common OS level Want to erase with a common method Want to build with same build as the DEP devices

25. © JAMF Software, LLC NON DE Build - Overview Stages:

    1. Wipe and install clean macOS 2. Install extra workflow packages 3. Enroll in Jamf 4. Apply build It’s OK, it’s mostly automated!

26. © JAMF Software, LLC Let’s get started Back to basics…..

27. © JAMF Software, LLC NON DE Build - Your starter

    for 10 How do we get this process started? Mac Deploy Stick https://twocanoes.com/products/mac/mac-deploy-stick/

28. © JAMF Software, LLC The Extras A couple of packages…..

29. © JAMF Software, LLC NON DE Build - Package #1

    Components: NoMAD Login NoMAD settings profile QuickAdd.pkg Control script LaunchDaemon for script

30. © JAMF Software, LLC NON DE Build - Package #1

    Post install script LaunchDaemon has to be loaded during package install Post install script does this

31. © JAMF Software, LLC NON DE Build - Package #1

    QuickAdd Package Management user different to the DEP user Used in Smart Group later

32. © JAMF Software, LLC NON DE Build - Package #2

    Graphics Common graphics package

33. © JAMF Software, LLC The Extras The control script…..

34. © JAMF Software, LLC NON DE Build - Control Script

    Check _mbsetupuser is active

35. © JAMF Software, LLC NON DE Build - Control Script

    Setup NoMAD

36. © JAMF Software, LLC NON DE Build - Control Script

    Check Jamf contactable

37. © JAMF Software, LLC NON DE Build - Control Script

    Switch Login Window to NoMAD Login Create .AppleSetupDone Kill loginwindow

38. © JAMF Software, LLC NON DE Build - Control Script

    Install the QuickAdd package Enrolls device in Jamf Sends enrollment trigger Starts the build process

39. © JAMF Software, LLC User Logon post build It’s built,

    now what happens? User logs in using: Jamf Connect NoMAD AD Bound

40. © JAMF Software, LLC MDM Profile Approval MDM Profile needs

    approving Full MDM functionality not available without this

41. © JAMF Software, LLC MDM Profile Approval So how can

    we force approval? Can’t force approval but… Can guide Repeatedly until they give up…

42. © JAMF Software, LLC UAMDM Smart Group Smart Group to

    scope approve MDM policy User Approved MDM not Yes Managed by non-DEP management user

43. © JAMF Software, LLC UAMDM Policy Approve MDM Policy Scoped

    to the Smart Group Runs at login and checkin

44. © JAMF Software, LLC UAMDM Script What does the script

    do? Checks if the MDM profile is approved Runs the user facing approval screens

45. © JAMF Software, LLC UAMDM Script Check MDM Profile approved

46. © JAMF Software, LLC UAMDM Script Run the approval process

    If approved - do nothing If not - Start user process

47. © JAMF Software, LLC UAMDM Script The process Launch Jamf

    Helper Alternatively use DEP Notify Open Profiles pane Approve!

48. © JAMF Software, LLC Non DE Build - Finally its

    Demo time

49. © JAMF Software, LLC Part 3…… Rinse and Repeat

50. © JAMF Software, LLC That was amazing…What now? Now the

    devices are in Jamf Deploy policy driven erase and rebuild Self Service or remote execution policy Conditionally deploy the NON DEP workflow packages Automatically switch between Non DEP and DEP !50

51. © JAMF Software, LLC Policy Driven Device Reprovisioning What’s required?

    Graham Pugh’s Erase-install script https://github.com/grahampugh/erase-install A couple of Extension Attributes and of course smart groups and policies!

52. © JAMF Software, LLC Erase-Install script What does it do?

    Downloads the appropriate OS install package Can be locked to a specific version if required Will perform the erase and install Displays user messaging when starting It has other functionality but not talking about them today

53. © JAMF Software, LLC Required Extension Attributes Two extension attributes

    required….

54. © JAMF Software, LLC Extension Attribute #1 Installer valid EA

    To record if OS installer is: 1. Downloaded 2. Valid version Equal to or higher than installed OS version

55. © JAMF Software, LLC Extension Attribute #2 Is the device

    DEP capable? EA that records if device has DEP record in Apple Profiles show -type enrollment

56. © JAMF Software, LLC Required Package One package required….

57. © JAMF Software, LLC Package Required Deploy Extras package Need

    to deploy the non-DEP packages Deployed as a single package

58. © JAMF Software, LLC Required Smart Groups Four Smart Groups

    required….

59. © JAMF Software, LLC Smart Group #1 Installer download required

    OS > 10.13.4 Add APFS requirement if HFS devices in estate Installer not downloaded or not valid

60. © JAMF Software, LLC Smart Group #2 Non DEP Extra

    packages required Have valid OS installer Not DEP capable

61. © JAMF Software, LLC Smart Group #3 Erase Ready Groups

    Two separate groups for erase ready One for DEP devices One for Non DEP devices

62. © JAMF Software, LLC Smart Group #4 One last group….

    Non-DEP to DEP

63. © JAMF Software, LLC Required Policies Four policies are required….

64. © JAMF Software, LLC Policy #1 OS Installer download Downloads

    the OS installer Overwrites existing Scoped to download required Version options set Runs inventory when complete

65. © JAMF Software, LLC Policy #2 Deploy Extras package Deploy

    the extras packages Scoped to extras required smart group

66. © JAMF Software, LLC Policy #3 Remove Extras package When

    devices added to DEP Delete the extras package Build method will now be DEP

67. © JAMF Software, LLC Policy #3 Remove Extras package Removes

    the packages Removes Jamf receipt

68. © JAMF Software, LLC Policy #4 The big one! Erase

    and install Can be Self Service Can be force deployed Can be event trigger Scoped to the Erase ready groups

69. © JAMF Software, LLC Wrap up Nearly there ….

70. © JAMF Software, LLC Process Flow Diagram

71. © JAMF Software, LLC Before you ask.. Does this work

    with 10.15? YES!

72. © JAMF Software, LLC Live uses Has this been deployed?

    Ark schools trust 30 + school locations Few new DEP Macs Several hundred non DEP Macs Devices from 2012 and up

73. © JAMF Software, LLC And finally some links 1. Neil

    Martin's MacADUK 2019 Presentation 2. twocanoes.com mac-deploy-stick 3. Graham Pugh's erase-install 4. montysmacmusings blog

74. © JAMF Software, LLC Thank you for listening! Give us

    feedback by completing the 2-question session survey in the JNUC 2019 app. UP NEXT Your Internal Beta Test Program 2:45 PM