Hi Everyone -
I am new to Jamf and for the past several weeks have been working on a zero-touch deployment for 120 Macbooks.
Here is what I have:
My desired/intended workflow is/was:
I did all of the setup and testing using VMs (Fusion with vfuse) without a second thought. Everything worked great. In my 20+ years of being a Windows admin, VMs have always been reliable for this type of thing. Today doing a final run-through on an actual Macbook, and then several Macbooks after that, I found out the zero-touch process doesn't actually work reliably if at all on the actual Macbooks. They are not picking up ASM (DEP) activation, and I cannot send out 120 Macbooks and have them fail to work properly. I've tried using wired and wireless, several different Macbooks, different ethernet adapters, different wireless networks/locations, charging the batteries to 100%, howling at the moon, and even kissing frogs. None of that worked, and I have since spent several hours browsing Jamf Nation and found dozens and dozens of people with the same experience. Like many of them stated, having to use terminal commands or repeatedly reinstall the OS until ASM (DEP) activates the device properly isn't practical and makes the term zero-touch become ironic. I've reviewed every configuration setting from ASM (DEP) to the prestage configuration and I am fairly confident everything is correct. My thinking is that the VM testing would have failed if it wasn't properly configured.
I'd love your help by getting your feedback/advice/suggestions about what your deployment workflow is. I need to come up with a new plan in short order. My goal is to have the amount of end-user interaction be as minimal as possible, have Jamf Connect be the only login option presented to the end-user, and have the DEPNotify process run after the first login. I look forward to learning from all of you, and thank you in advance for your input.
@JC_CLCSD You've mentioned seeing the issue discussed on Jamf Nation so I won't rehash the cause. Apple's recommended "fix" is to update a Mac to macOS Catalina 10.15.7 prior to sending it to the user for enrollment by following these steps:
1) Drop into Terminal as root at the Language Chooser screen via the Command-Option-T (or Control-Command-Option-T - I forget which was the trick)
2) Run this command to update the Mac to 10.15.7:
softwareupdate -iaR (that's a minus in case the forum software makes it a dash)
3) Once the Mac completes the 10.15.7 update and restarts back into Setup Assistant use Command-Q to shut down the Mac and it should be ready to be sent to a user
We've experienced the random times where the Remote Management popup doesn't actually pop up. The only fix was to re-install macOS to the latest version and it would always come up.
@sdagley running softwareupdate -iaR comes up with:
Passing --restart requires root privilege.
Anyone know the mbsetupuser password? (I jest, no-one knows that* password!)
Just have to shut down Terminal and the Mac setup screen with the usual Cmd-Q buttons :-)
@jameson I have run through it dozens of times using Fusion (12 Pro) and haven't had it fail once when everything was set up correctly in Jamf. Regardless, I appreciate your feedback and that is good to know that others don't have the same experience and I'll remember that going forward.
@sdagley Thank you!! I've come across a lot of hands-on required "fixes", maybe my goal of a true zero-touch is just a pipe dream. I was able to set up a zero-touch with our new iPads that worked great. I just handed out the boxes, pointed the users to directions in our KB, and went on with my day. I didn't have a single issue, exceptions being those that cannot or chose not to follow directions.
@tsylwest I am running the command suggested by @sdagley right now and it is working, updates are downloading and being installed. Terminal automatically launched as the root user for me. This is straight out the box, booted, and used the keyboard shortcut to launch terminal at the country selection screen (it didn't work on the language selection screen for me). Fingers crossed, I can deal with this minimal interaction before giving devices out.
@tsylwest When you access Terminal from the Setup Assistant with that key sequence you're running as root so the mbsetupuser account doesn't come into play
@JC_CLCSD Glad to hear it's working for you. There's definitely some inconsistencies in the instructions on how to get into Terminal, but my understanding was the Language Chooser was critical to the process so very interesting that's not where you ended up accessing Terminal.
@sdagley Your suggestion to use the softwareupdate command worked without issue. The computer rebooted, I verified it was on 10.15.7 and that the serial was scoped to the prestage, and it is still not picking up DEP wireless or wired. I think I may just go back to the last setup I had that worked, which presented the macOS login dialog, have Jamf create a dummy admin account the end-user can log in with initially to launch DEPNotify, then have Jamf remove that dummy account via policy. Frustrating for sure.
@JC_CLCSD How are you delivering the DEPNotify binary? Is it part of your PreStage Enrollment, or is it installed by a policy triggered on Enrollment Complete? I use the latter approach with a Smart Group containing Macs enrolled via a specific PreStage so the appropriate version of my driver script for DEPNotify runs. My PreStage configuration limits Setup Assistant to the Account Setup screen where the user creates their account, and I don't use the Account Settings payload so that the user's account will be 501.
Update on things. I streamed the system log while going through Setup Assistant using a post I found, and I noticed the message "device enrollment record info unavailable" appeared several times. This told me that there was at least an attempt at communication with the activation servers. After a little more searching here, I found a post suggesting the command "sudo profiles renew -type enrollment" from the Terminal. I ran that, restarted, and the setup process worked as I expected! I'll continue testing this with MacBooks I still have in the box to make sure it wasn't a fluke.
An odd (to me) behavior I've found with terminal access during setup assistant is that the shortcut key sequence to open terminal in 10.15.6 only worked for me on the country selection screen. That does not work for me in 10.15.7, I had to be on the language selection screen as @sdagley stated.
@sdagley my DEPNotify binary is part of prestage, and that seems to work great. My issue is that Jamf Connect doesn't - or wasn't - firing up as the login screen for the users. The Jamf Connect and launch agent packages along with our branding package are also part of the prestage. I had help setting all that up during my onboarding training so I hope that is done correctly because that training was expensive! If I can get things to stay consistent after running the command above, I think I am set. I hope!
I appreciate all of you, your input has helped tremendously with this issue and made me really think about things!
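The hands-on steps discussed in this thread (open Terminal as root from Setup Assistant, check whether the Mac has picked up its ADE/DEP record, update to 10.15.7 if it is older, otherwise run "profiles renew -type enrollment" when the log shows "device enrollment record info unavailable") fit in one pre-handout check script. The script below is an added example written for this page, not something any poster shared. It assumes the two-line output format of "profiles status -type enrollment" on Catalina ("Enrolled via DEP: Yes/No" followed by "MDM enrollment: ..."), and the decision logic is deliberately kept in plain functions so it can be exercised off a Mac with constructed input; the real profiles/softwareupdate/log calls only run when the script is executed as root on macOS.

```shell
#!/bin/sh
# Added example (not from the thread). Run as root from the Terminal opened at the
# Setup Assistant Language Chooser. Decides, for a Mac that will be handed to a user,
# whether it already has its ADE (DEP) enrollment record, needs the 10.15.7 update
# first, or should have its enrollment record re-requested with `profiles renew`.

# Classify the output of `profiles status -type enrollment`.
# Assumption: Catalina prints "Enrolled via DEP: Yes|No" on its first line.
dep_state() {
    case "$1" in
        *"Enrolled via DEP: Yes"*) echo enrolled ;;
        *"Enrolled via DEP: No"*)  echo not-enrolled ;;
        *)                         echo unknown ;;
    esac
}

# True when a log excerpt contains the message the original poster saw while
# streaming the system log during Setup Assistant.
record_unavailable() {
    printf '%s\n' "$1" | grep -q "device enrollment record info unavailable"
}

# Dotted-version compare: returns 0 when $1 < $2 (e.g. 10.15.6 < 10.15.7).
# Written by hand because BSD `sort -V` is not available everywhere.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ -z "$x" ] && x=0
        [ -z "$y" ] && y=0
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# Pick the next action from enrollment state, macOS version, and recent log text:
#   ok          -> record present, Cmd-Q and ship the Mac
#   update      -> older than 10.15.7, run softwareupdate -iaR first (Apple's advice)
#   renew       -> record fetch attempted but unavailable, run profiles renew -type enrollment
#   investigate -> no evidence the Mac even tried; check network / ASM assignment
plan_action() {
    state=$1
    version=$2
    logtext=$3
    if [ "$state" = enrolled ]; then echo ok; return 0; fi
    if version_lt "$version" 10.15.7; then echo update; return 0; fi
    if record_unavailable "$logtext"; then echo renew; return 0; fi
    echo investigate
}

# Constructed sample log excerpt (not a real capture) of the symptom the thread describes.
SAMPLE_LOG='2020-10-15 09:12:03.441 mdmclient: [com.apple.ManagedClient] device enrollment record info unavailable
2020-10-15 09:12:04.002 mdmclient: [com.apple.ManagedClient] device enrollment record info unavailable'

# Only the live branch touches the system, and only as root on macOS.
if [ "$(uname)" = Darwin ] && [ "$(id -u)" -eq 0 ]; then
    status=$(profiles status -type enrollment 2>&1)
    version=$(sw_vers -productVersion)
    recent=$(log show --last 10m --predicate 'eventMessage CONTAINS "enrollment"' 2>/dev/null)
    case $(plan_action "$(dep_state "$status")" "$version" "$recent") in
        ok)     echo "ADE record present on $version; safe to Cmd-Q and ship" ;;
        update) echo "macOS $version < 10.15.7; updating"; softwareupdate -iaR ;;
        renew)  profiles renew -type enrollment && echo "Renewed enrollment record; reboot and re-check" ;;
        *)      echo "No enrollment attempt seen; check network and ASM serial assignment" ;;
    esac
fi
```

The script never guesses: a Mac that reports "Enrolled via DEP: No" on 10.15.7 with no "record info unavailable" line in the log is flagged for investigation rather than blindly renewed, since that pattern usually means it never reached Apple at all (network, proxy, or the serial not being assigned to the MDM server in ASM).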
@JC_CLCSD Glad to help. Just paying it forward since Jamf Nation is such a useful resource (Never create from scratch what you can ~~steal~~ borrow from someone who has previously travelled the path you're taking)
@tsylwest That looks like the Country, not Language, selection screen. The root access to Terminal sequence has to be done on the Language selection screen which will normally only appear the very first time a Mac is booted. This page shows how you can make it re-appear: Resetting Device Enrollment cache without reinstalling macOS
@JCCL I think your environment is still ahead of mine because my environment is still officially on user-initiated enrollment by authorized IT staff, as my Windows-centric organization (and University as a whole) is still resistant to enabling ADE for prestaging from our ASM (DEP), which I'm working towards. The functionality is there, including enrollment customization for macOS Catalina, but it's a matter of getting the green light to make that official in my environment.
@dng2000 Does your current workflow utilize DEPNotify and the DEPNotify Starter script? Even if you're not yet using ASM/DEP to automatically enroll machines you can leverage DEPNotify and the DEPNotify Starter script to build a manually initiated workflow. That's what I did in my current environment while working on getting the necessary approvals for ABM/DEP, and when that was done the process of changing from manual to PreStage based enrollment was pretty simple.