If You Built It, They Will Come

© JAMF Software, LLC
If You Build it, They Will Come

1:30 - 2:15 PM
UP NEXT

View Slide

View Slide

Mark Lamont
Professional Services Engineer

Jigsaw24
Jack Hollister
Apple Enterprise Solutions Architect

Jigsaw24

View Slide

If You Build it, They Will Come!
Presentation agenda:
Overview
Automated Device Enrolment builds
Automated NON Device Enrollment builds
Policy driven reprovisioning

View Slide

Are you an organisation with…
Devices of various OS levels
Some assigned in ABM/ASM and Jamf
Some, probably lots, not….
Need a common build and rebuild method
Then this talk is for you..

View Slide

First Up
Out of the box DEP build….

View Slide

Automated Device Enrolment Build
How to setup automated provisioning of a
DEP ready Mac
Ideal for use with Jamf Connect Login, NoMAD or AD
Binding

No end user account created during the build

View Slide

Automated Device Enrolment
Firstly a custom package is needed….

View Slide

Automated DE Build - Package
Required components
NoMAD Login

NoMAD settings proﬁle

Branding graphics

View Slide

Automated DE Build - Package
Package Post Install Script

View Slide

Enrollment Prestage
A prestage is needed….

View Slide

Max image dimensions
Automated DE Build - Prestage
Add the package to
Enrollment packages

View Slide

Max image dimensions
Automated DE Build - Prestage
Set local User
account creation
to
Skip Account Creation

View Slide

Post Enrollment Policy
A build policy is needed….

View Slide

Automated DE Build - Policy
One policy required to
run the build
run on Enrollment Complete
ongoing frequency
Runs the build script

View Slide

Automated DE Build - Script
What does it do?
waits until any required input is
made
Runs policies using custom
triggers
Displays status updates
Sets login window type

View Slide

Automated DE Build - Master Script
Let’s break it down

View Slide

Wait until user input completed

View Slide

Write to Notify screen

View Slide

Install an application

View Slide

Reset Login window

View Slide

Automated DE Build - Demo Time

View Slide

Part 2…. Non Device Enrollment Build
Teaching (your) grandmother
to suck eggs is an English
language saying that refers to a
person giving advice to another
person in a subject with which the
other person is already familiar
(and probably more so than the
ﬁrst person)

View Slide

NON DE Build - Uses
What’s this used for?
For devices NOT DEP capable but you…

Want a common OS level

Want to erase with a common method

Want to build with same build as the DEP devices

View Slide

NON DE Build - Overview
Stages:
1. Wipe and install clean macOS

2. Install extra workﬂow packages

3. Enroll in Jamf

4. Apply build

It’s OK, it’s mostly automated!

View Slide

Let’s get started
Back to basics…..

View Slide

NON DE Build - Your starter for 10
How do we get this process started?
Mac Deploy Stick

https://twocanoes.com/products/mac/mac-deploy-stick/

View Slide

The Extras
A couple of packages…..

View Slide

NON DE Build - Package #1
Components:
NoMAD Login

NoMAD settings proﬁle

QuickAdd.pkg

Control script

LaunchDaemon for script

View Slide

Post install script
LaunchDaemon has to be loaded during package install

Post install script does this

View Slide

QuickAdd Package
Management user diﬀerent to the DEP user

Used in Smart Group later

View Slide

Graphics
Common graphics package

View Slide

The Extras
The control script…..

View Slide

NON DE Build - Control Script
Check _mbsetupuser is active

View Slide

Setup NoMAD

View Slide

Check Jamf contactable

View Slide

Switch Login Window to NoMAD Login
Create .AppleSetupDone

Kill loginwindow

View Slide

Install the QuickAdd package
Enrolls device in Jamf

Sends enrollment trigger

Starts the build process

View Slide

User Logon post build
It’s built, now what happens?
User logs in using:
Jamf Connect

NoMAD

AD Bound

View Slide

MDM Proﬁle Approval
MDM Proﬁle needs approving
Full MDM functionality not available without this

View Slide

MDM Proﬁle Approval
So how can we force approval?
Can’t force approval but…

Can guide

Repeatedly until they give up…

View Slide

UAMDM Smart Group
Smart Group to scope approve MDM policy
User Approved MDM not Yes
Managed by non-DEP management user

View Slide

UAMDM Policy
Approve MDM Policy
Scoped to the Smart Group

Runs at login and checkin

View Slide

UAMDM Script
What does the script do?
Checks if the MDM proﬁle is approved

Runs the user facing approval screens

View Slide

UAMDM Script
Check MDM Proﬁle approved

View Slide

UAMDM Script
Run the approval process
If approved - do nothing

If not - Start user process

View Slide

UAMDM Script
The process
Launch Jamf Helper

Alternatively use DEP Notify

Open Proﬁles pane

Approve!

View Slide

Non DE Build - Finally its Demo time

View Slide

Part 3…… Rinse and Repeat

View Slide

That was amazing…What now?
Now the devices are in Jamf
Deploy policy driven erase and rebuild

Self Service or remote execution policy

Conditionally deploy the NON DEP workﬂow packages

Automatically switch between Non DEP and DEP
!50

View Slide

Policy Driven Device Reprovisioning
What’s required?
Graham Pugh’s Erase-install script

https://github.com/grahampugh/erase-install

A couple of Extension Attributes

and of course smart groups and policies!

View Slide

Erase-Install script
What does it do?
Downloads the appropriate OS install package

Can be locked to a speciﬁc version if required

Will perform the erase and install

Displays user messaging when starting

It has other functionality but not talking about them today

View Slide

Required Extension Attributes
Two extension attributes required….

View Slide

Extension Attribute #1
Installer valid EA
To record if OS installer is:

1. Downloaded

2. Valid version

Equal to or higher than installed OS version

View Slide

Extension Attribute #2
Is the device DEP capable?
EA that records if device has DEP record in Apple

Proﬁles show -type enrollment

View Slide

Required Package
One package required….

View Slide

Package Required
Deploy Extras package
Need to deploy the non-DEP packages

Deployed as a single package

View Slide

Required Smart Groups
Four Smart Groups required….

View Slide

Smart Group #1
Installer download required
OS > 10.13.4

Add APFS requirement if HFS devices in estate

Installer not downloaded or not valid

View Slide

Smart Group #2
Non DEP Extra packages required
Have valid OS installer

Not DEP capable

View Slide

Smart Group #3
Erase Ready Groups
Two separate groups for erase ready

One for DEP devices

One for Non DEP devices

View Slide

Smart Group #4
One last group….
Non-DEP to DEP

View Slide

Required Policies
Four policies are required….

View Slide

Policy #1
OS Installer download
Downloads the OS installer

Overwrites existing

Scoped to download required

Version options set

Runs inventory when complete

View Slide

Policy #2
Deploy Extras package
Deploy the extras packages

Scoped to extras required smart group

View Slide

Policy #3
Remove Extras package

When devices added to DEP

Delete the extras package

Build method will now be DEP

View Slide

Policy #3
Remove Extras package
Removes the packages

Removes Jamf receipt

View Slide

Policy #4
The big one!
Erase and install

Can be Self Service

Can be force deployed

Can be event trigger

Scoped to the Erase ready groups

View Slide

Wrap up
Nearly there ….

View Slide

Process Flow Diagram

View Slide

Before you ask..
Does this work with 10.15?
YES!

View Slide

Live uses
Has this been deployed?

Ark schools trust

30 + school locations

Few new DEP Macs

Several hundred non DEP Macs

Devices from 2012 and up

View Slide

And ﬁnally some links
1. Neil Martin's MacADUK 2019 Presentation
2. twocanoes.com mac-deploy-stick
3. Graham Pugh's erase-install
4. montysmacmusings blog

View Slide

Thank you for listening!
Give us feedback by
completing the 2-question
session survey in the JNUC
2019 app.
UP NEXT
Your Internal Beta Test Program
2:45 PM

View Slide

If You Built It, They Will Come

If You Built It, They Will Come

Jamf

More Decks by Jamf

Featured

Transcript