Slide 2

© JAMF Software, LLC

John Mahlman
Network Systems Administrator
The University of the Arts, Philadelphia

• Over 10 years in Mac IT
• Write bad code
• Brew good beer
• Play Tabletop Games
• Love Philly sports teams

Find me: @jmahlman (slack, git, jamfnation)
Website: https://yearofthegeek.net

Slide 3

LDEPNAJPFDD

Presentation agenda:
• The recent past (Imaging)
• What happened? It happened…
• Options we considered
• Find the process
• What we built
• What’s next?

Slide 4

UArts at a Glance
• Approximately 1,800 students
• 6 Academic buildings
• Over 200 “student-facing” public Macs
• Offices, faculty/staff, Students (BYOD) — 97% Macs
• Computers range from 2009-2018 models
• On-Prem Jamf Pro since 2012
• Over 1,700 managed systems

Slide 5

Where did we start?
Let’s go back in time a few years..er..months…weeks?

Slide 6

Imaging… (not too long ago)

    ~$ sudo bless --netboot --nextonly --server bsdp://
    ~$ sudo shutdown -r now

Slide 7

Imaging… (not too long ago)
Send command or set policy…
Go home…
Have beverage!


Slide 9

And then it happened…
You all know what I’m talking about…

Slide 10

It happened

“Apple doesn't recommend or support monolithic system imaging as an installation method, because the system image might not include model-specific information such as firmware updates.”
Apple, https://support.apple.com/en-us/HT208020 (Obtained 8/7/18)

Slide 11

User-Approved Kernel Extension Loading (UAKEL, Ukulele)

Slide 12

User-Approved MDM (UAMDM)

Slide 13

Apple T2 chip/Secure Boot

“Secure Boot offers three settings to make sure that your Mac always starts up from a legitimate, trusted Mac operating system…Full Security is the default Secure Boot setting…”
Apple, https://support.apple.com/en-us/HT208330 (Obtained 8/7/18)

Slide 14

Is imaging dead?
Let’s google!


Slide 19

^ MOSTLY TM

Slide 20

So, what are we going to do?
-Me, 2017

Slide 21

Option 1: Stay on 10.12
+ Most of our software works fine on 10.12
+ Our current workflow works fine
- Security Updates will eventually stop
- New Machines will come with 10.13
- Some Apple software already updated to 10.13 only

Option 2: In-Place Upgrade
+ Quick process
+ No more imaging at all on public systems
- Computers will have leftover bits from software
- A lot more manual work than desired

Slide 22

Option 3: In-place Upgrade then image in future
+ Firmware is installed at upgrade
+ Workflows are already good
+ Same issues as Option 2 (leftovers, more work)
- UAMDM will not automatically work
- UAKEL will not work until we manually allow MDM (AV software, sound drivers, etc.)

Slide 23

Really, what are we going to do?
-Also me, 2018

Slide 24

The Tools
Apple School Manager Jamf Pro = Device Enrollment + Device Enrollment

Slide 25

SplashBuddy
+ Beautiful/Informative UI
+ Lots of functionality
+ Allowed User Input
- More setup required
- More info than we need

DEPNotify
+ Highly-Customizable UI
+ Really Simple Setup
- No User Input

And then came Frederico Deis (@fgd)
+ User Input!

Slide 26

DEPNotify
• Reads input echoed into log file
• Input sets up UI and controls flow
• All UI aspects are controllable

    echo "Command: MainTitle: New Mac Setup" >> "$DNLOG"
    echo "Command: Image: /var/tmp/your-logo.png" >> "$DNLOG"
    echo "Command: WindowStyle: NotMovable" >> "$DNLOG"
    echo "Command: ContinueButtonRegister: Begin" >> "$DNLOG"
    echo "Status: Please click the button below..." >> "$DNLOG"

Slide 27

The Process…

Preparation
• New machines get added to DEP then assigned to jamf
• Old machines get wiped via internet recovery or policy

Deployment
• Boot machines to Setup Assistant
• Install Mobile Config
• Install software based on cohort (machine type)

Assignment
• Rename machine and assign to user
• Enter Asset Tag
• Give to user
• Enjoy a drink


Slide 29

Preparation… New Machines
• Assign to MDM
• Setup Prestage
• Assign Devices to Prestage


Slide 31

Preparation… Existing Machines (APFS)
• Package Installer
• Script with ‘eraseinstall’ and ‘nointeraction’ flags
• Make Policy

    #!/bin/bash
    # $4 (Jamf Pro script parameter) is for additional flags!
    # It is left unquoted on purpose so that several flags split into separate arguments.
    "/Applications/Install macOS High Sierra.app/Contents/Resources/startosinstall" \
        --applicationpath "/Applications/Install macOS High Sierra.app" \
        --rebootdelay 30 \
        --nointeraction \
        $4

Slide 32

Preparation… Existing Machines (HFS)
• Internet Recovery!


Slide 36

The Process…

Preparation
• New machines get added to DEP then assigned to jamf
• Old machines get wiped via internet recovery or policy

Deploy and Assign
• Boot machines to Setup Assistant
• Install Mobile Config
• Install software based on cohort (machine type)
• Rename machine and assign to user
• Enter Asset Tag

Slide 37

The Process…

Enrollment Trigger
• Install DEPNotify
• App Package
• Logo
• Provisioning Script

Run Script to do things!
• Install Software
• Assign computer to user in Jamf Pro
• Create local account
• Rename computer
• Install updates

Slide 38

But…we ran into issues…
• Ran behind the login window
  • Added a “wait for dock” loop
• Ran before user was completely logged in
  • Added timer
• Still was not running every time…
  • Launch Daemon!

Slide 39

The Process…

Enrollment Trigger
• Install DEPNotify
• App Package
• Logo
• Launch Daemon
• Deployment Script

Launch Daemon runs Script
• Install Software
• Assign computer to user in Jamf
• Create local account
• Rename computer
• Install updates
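The “wait for dock” loop with a timer and the DEPNotify log commands from the earlier slide, combined in one added example (not the presenter's script and not code from the DEPNotify project). The default log path, the window text and the --run switch are assumptions; because a Launch Daemon script runs as root, the example also creates the log file exclusively and keeps interpolated values on one line.

```bash
#!/bin/bash
# Added example, not the presenter's script. Paths, titles and the --run
# switch are assumptions made for illustration.
DNLOG="${DNLOG:-/var/tmp/depnotify.log}"

# Poll a readiness check until it succeeds or the timer runs out.
# usage: wait_until <timeout_seconds> <command> [args...]
wait_until() {
    _timeout=$1; shift
    _waited=0
    until "$@" >/dev/null 2>&1; do
        [ "$_waited" -ge "$_timeout" ] && return 1
        sleep 1
        _waited=$((_waited + 1))
    done
    return 0
}

# Start with a fresh control file. The script runs as root and the path is
# predictable and in a world-writable directory, so drop whatever is there
# (including a planted symlink) and create the file exclusively.
dn_init() {
    rm -f "$DNLOG" || return 1
    ( umask 022; set -C; : > "$DNLOG" ) 2>/dev/null
}

# Append one line. Every line in the log is read as input, so fold CR/LF
# out of values that come from inventory or user input.
dn_write() {
    [ -f "$DNLOG" ] && [ ! -L "$DNLOG" ] || return 1
    printf '%s\n' "$(printf '%s' "$1" | tr '\r\n' '  ')" >> "$DNLOG"
}
dn_command() { dn_write "Command: $1"; }
dn_status()  { dn_write "Status: $1"; }

provision() {
    # The Launch Daemon can fire behind the login window: wait for the Dock.
    wait_until 300 pgrep -x Dock || { echo "no user session" >&2; return 1; }
    dn_init || return 1
    dn_command "MainTitle: New Mac Setup"
    dn_command "WindowStyle: NotMovable"
    dn_status  "Preparing this Mac..."
}

if [ "${1:-}" = "--run" ]; then provision; fi
```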

Slide 40

DEPNotify Package


Slide 44

Enrollment Policy


Slide 62

Can I automate this for labs, etc..?
-Also also me, 2018

Slide 63

HECK YEAH!
-Me, 3 months ago

Neil Martin’s JNRS presentation: https://github.com/neilmartin83/Jamf-Nation-Roadshow-London-2018

Slide 64

Automate it, yo!

[Flowchart labels: Auto-Login User; Extension Attribute; Is this a known machine? (Yes / No); Find machine type (Public, Office/Checkout); Ask for Input; Do the things!]

Slide 65

DEPNotify Package - Automated


Slide 68

DEPNotify Package - Automated
Thanks, MacUserGenerator! (https://github.com/ninxsoft/MacUserGenerator)


Slide 81

Why are there two processes??
-You, right now


Slide 83

No…
And that’s okay..right?

Slide 84

I’m not into scripting…any ideas?
-You, right now…maybe?

Slide 85

https://github.com/jamfprofessionalservices/DEP-Notify


Slide 87

The hopeful future!
• Hope that Apple gives us a way to have 100% zero-touch
• --eraseinstall flag
• Skip Setup Assistant?
• Better use of snapshots?
• DEPNotify at login window
• See what Jamf comes up with

Slide 88

Resources
• My GitHub
  • https://github.com/jmahlman/uarts-scripts/tree/master/DEP%20Scripts
  • Updated process: https://github.com/jmahlman/DEPNotify-automated
• DEPNotify
  • https://gitlab.com/Mactroll/DEPNotify
• Neil Martin’s Presentation/Code from JNRS
  • https://github.com/neilmartin83/Jamf-Nation-Roadshow-London-2018
• Jamf Professional Services DEPNotify repo
  • https://github.com/jamfprofessionalservices/DEP-Notify

Slide 89

THANK YOU!