What is Your Deployment Process?

JCCL
New Contributor III

Hi Everyone -

Help.

I am new to Jamf and for the past several weeks have been working on a zero-touch deployment for 120 MacBooks.

Here is what I have:

  • New MacBooks purchased directly from Apple in early September 2020.
  • MacBooks entered into ASM (DEP) by Apple on 9/13/20.
  • ASM (DEP) connected to Jamf as of 8/27/20.
  • A prestage enrollment is set up in Jamf.
  • MacBooks have been set in the scope of the prestage enrollment.

My desired/intended workflow is/was:

  • User receives a MacBook new in the box.
  • User boots the MacBook, selects the language & wireless network.
  • MacBook is kicked over to Jamf to do the prestage.
  • Prestage completes, the Mac presents the user with the Jamf Connect login dialog (backed by Azure AD) and allows the user to log in.
  • User logs in, DEPNotify runs and finishes the setup (user prompted to enter inventory info, remaining software is installed, etc.).

I did all of the setup and testing using VMs (Fusion with vfuse) without a second thought. Everything worked great. In my 20+ years of being a Windows admin, VMs have always been reliable for this type of thing. Today, doing a final run-through on an actual MacBook, and then several MacBooks after that, I found out the zero-touch process doesn't actually work reliably, if at all, on the actual MacBooks. They are not picking up ASM (DEP) activation, and I cannot send out 120 MacBooks and have them fail to work properly. I've tried using wired and wireless, several different MacBooks, different ethernet adapters, different wireless networks/locations, charging the batteries to 100%, howling at the moon, and even kissing frogs. None of that worked, and I have since spent several hours browsing Jamf Nation and found dozens and dozens of people with the same experience. Like many of them stated, having to use terminal commands or repeatedly reinstall the OS until ASM (DEP) activates the device properly isn't practical and makes the term zero-touch ironic. I've reviewed every configuration setting from ASM (DEP) to the prestage configuration and I am fairly confident everything is correct. My thinking is that the VM testing would have failed if it wasn't properly configured.

I'd love your help by getting your feedback/advice/suggestions about what your deployment workflow is. I need to come up with a new plan in short order. My goal is to have the amount of end-user interaction be as minimal as possible, have Jamf Connect be the only login option presented to the end-user, and have the DEPNotify process run after the first login. I look forward to learning from all of you, and thank you in advance for your input.


sdagley
Honored Contributor III

@JC_CLCSD You've mentioned seeing the issue discussed on Jamf Nation so I won't rehash the cause. Apple's recommended "fix" is to update a Mac to macOS Catalina 10.15.7 prior to sending to the user for enrollment by following these steps:
1) Drop into Terminal as root at the Language Chooser screen via the Command-Option-T (or Control-Command-Option-T - I forget which was the trick)
2) Run this command to update the Mac to 10.15.7: softwareupdate -iaR (that's a minus in case the forum software makes it a dash)
3) Once the Mac completes the 10.15.7 update and restarts back into Setup Assistant use Command-Q to shut down the Mac and it should be ready to be sent to a user

tsylwest
Contributor

We've experienced the random times where the Remote Management popup doesn't actually pop up. The only fix was to re-install macOS to the latest version and it would always come up.

@sdagley running softwareupdate -iaR comes up with:

Passing --restart requires root privilege.

Anyone know the mbsetupuser password? (I jest, no-one knows that* password!)

Just have to shutdown Terminal and the mac setup screen with the usual Cmd-Q buttons :-)

jameson
Contributor II

VMware Fusion is terribly unstable for me when going through PreStage setup. It simply works every 2nd or 3rd time, so it is really difficult to know if this is a VMware issue or a setup issue.

JCCL
New Contributor III

@jameson I have run through it dozens of times using Fusion (12 Pro) and haven't had it fail once when everything was set up correctly in Jamf. Regardless, I appreciate your feedback and that is good to know that others don't have the same experience and I'll remember that going forward.

JCCL
New Contributor III

@sdagley Thank you!! I've come across a lot of hands-on required "fixes", maybe my goal of a true zero-touch is just a pipe dream. I was able to set up a zero-touch with our new iPads that worked great. I just handed out the boxes, pointed the users to directions in our KB, and went on with my day. I didn't have a single issue, exceptions being those that cannot or chose not to follow directions.

JCCL
New Contributor III

@tsylwest I am running the command suggested by @sdagley right now and it is working, updates are downloading and being installed. Terminal automatically launched as the root user for me. This is straight out of the box, booted, and used the keyboard shortcut to launch Terminal at the country selection screen (it didn't work on the language selection screen for me). Fingers crossed, I can deal with this minimal interaction before giving devices out.

sdagley
Honored Contributor III

@tsylwest When you access Terminal from the Setup Assistant with that key sequence you're running as root so the mbsetupuser account doesn't come into play

@JC_CLCSD Glad to hear it's working for you. There are definitely some inconsistencies in the instructions on how to get into Terminal, but my understanding was the Language Chooser was critical to the process, so it's very interesting that's not where you ended up accessing Terminal.

JCCL
New Contributor III

@sdagley Your suggestion to use the softwareupdate command worked without issue. The computer rebooted, I verified it was on 10.15.7 and that the serial was scoped to the prestage, and it is still not picking up DEP, wireless or wired. I think I may just go back to the last setup I had that worked, which presented the macOS login dialog, have Jamf create a dummy admin account the end-user can log in with initially to launch DEPNotify, then have Jamf remove that dummy account via policy. Frustrating for sure.

tsylwest
Contributor

@sdagley that's weird... It dropped me at a normal non-root prompt, it was definitely not a # prompt. I don't think the error I posted would have appeared had I been at a root prompt. Curiouser and curiouser... going to double check it again and will report back :-)

sdagley
Honored Contributor III

@JC_CLCSD How are you delivering the DEPNotify binary? Is it part of your PreStage Enrollment, or is it installed by a policy triggered on Enrollment Complete? I use the latter approach with a Smart Group containing Macs enrolled via a specific PreStage so the appropriate version of my driver script for DEPNotify runs. My PreStage configuration limits Setup Assistant to the Account Setup screen where the user creates their account, and I don't use the Account Settings payload so that the user's account will be 501.

JCCL
New Contributor III

Update on things. I streamed the system log while going through Setup Assistant using a post I found, and I noticed the message "device enrollment record info unavailable" appeared several times. This told me that there was at least an attempt at communication with the activation servers. After a little more searching here, I found a post suggesting the command "sudo profiles renew -type enrollment" from the terminal. I ran that, restarted, and the setup process worked as I expected! I'll continue testing this with MacBooks I still have in the box to make sure it wasn't a fluke.

An odd (to me) behavior I've found with terminal access during setup assistant is that the shortcut key sequence to open terminal in 10.15.6 only worked for me on the country selection screen. That does not work for me in 10.15.7, I had to be on the language selection screen as @sdagley stated.

@sdagley my DEPNotify binary is part of prestage, and that seems to work great. My issue is that Jamf Connect isn't - or wasn't - firing up as the login screen for the users. The Jamf Connect and launch agent packages along with our branding package are also part of the prestage. I had help setting all that up during my onboarding training so I hope that is done correctly because that training was expensive! If I can get things to stay consistent after running the command above, I think I am set. I hope!

I appreciate all of you, your input has helped tremendously with this issue and made me really think about things!
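One way to turn the two checks described in the post above (watching the unified log for the "device enrollment record info unavailable" message, then re-requesting the enrollment profile with `profiles renew -type enrollment`) into a repeatable triage script. This is an added example, not code from the thread or from Jamf. It assumes it is run as root from the Terminal opened out of Setup Assistant on macOS 10.15.x; the `profiles`, `log`, `sw_vers` and `softwareupdate` commands are macOS built-ins, and the two parsing helpers read text from stdin so they can be exercised against constructed sample output on any system.

```shell
#!/bin/sh
# Added example (not from the thread): triage a Mac that is not picking up its
# ASM/DEP record in Setup Assistant. Assumed to run as root from the Setup
# Assistant Terminal on macOS 10.15.x. The sample text in the comments below is
# constructed from the documented `profiles status -type enrollment` format:
#   Enrolled via DEP: Yes
#   MDM enrollment: Yes (User Approved)

# Print the "Enrolled via DEP" state (yes/no/unknown) from `profiles status`
# output supplied on stdin. "unknown" means the line was not present at all.
dep_state() {
    awk -F': *' 'BEGIN { s = "unknown" }
                 /^Enrolled via DEP:/ { s = tolower($2) }
                 END { print s }'
}

# Print the "MDM enrollment" state (yes/no/unknown) from the same output; the
# "(User Approved)" suffix is dropped so only yes/no comes back.
mdm_state() {
    awk -F': *' 'BEGIN { s = "unknown" }
                 /^MDM enrollment:/ { split($2, a, " "); s = tolower(a[1]) }
                 END { print s }'
}

# Count unified-log lines showing the Mac reached Apple's activation servers
# but received no enrollment record (the message seen in the post above).
# grep -c prints 0 and exits non-zero when nothing matches; keep the 0.
count_record_unavailable() {
    grep -c 'device enrollment record info unavailable' || true
}

# Interactive triage on the Mac itself: report OS version and enrollment
# state, dump recent enrollment log chatter, then ask for the DEP record
# again (the step that worked in the thread). Reboot afterwards so Setup
# Assistant re-checks for Remote Management.
triage_mac() {
    echo "macOS $(sw_vers -productVersion)"
    status=$(profiles status -type enrollment)
    echo "$status"
    if [ "$(printf '%s\n' "$status" | dep_state)" = "yes" ]; then
        echo "DEP record already present; nothing to do."
        return 0
    fi
    echo "Recent enrollment log lines (last 10 minutes):"
    log show --last 10m --predicate 'eventMessage CONTAINS "enrollment"' \
        | tee /tmp/enrollment.log | tail -n 20
    echo "record-unavailable hits: $(count_record_unavailable < /tmp/enrollment.log)"
    echo "Re-requesting the enrollment profile from Apple..."
    profiles renew -type enrollment
    sleep 15
    profiles status -type enrollment
    echo "Now reboot (shutdown -r now) and run through Setup Assistant again."
}

# Only run the interactive part on macOS and when explicitly asked, so the
# file can also be sourced elsewhere just for its parsing helpers.
if [ "$(uname)" = "Darwin" ] && [ "${1:-}" = "--run" ]; then
    triage_mac
fi
```

Usage on the target Mac: save the script to a USB stick or fetch it with curl once the network is up, then run `sh triage.sh --run` from the root Terminal. If `dep_state` still reports `no` after the renew and the reboot, the serial is worth re-checking in ASM and in the PreStage scope before reinstalling macOS.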

tsylwest
Contributor

@sdagley seems they (read: Apple) may have changed something...!

[screenshot of the Setup Assistant selection screen]

sdagley
Honored Contributor III

@JC_CLCSD Glad to help. Just paying it forward since Jamf Nation is such a useful resource (Never create from scratch what you can steal borrow from someone who has previously travelled the path you're taking)

@tsylwest That looks like the Country, not Language, selection screen. The root access to Terminal sequence has to be done on the Language selection screen which will normally only appear the very first time a Mac is booted. This page shows how you can make it re-appear: Resetting Device Enrollment cache without reinstalling macOS

tsylwest
Contributor

@sdagley Thank you so much for that! Root access: granted.

Some more Apple 'mists' have now been cleared, much appreciated.

ovortiz
New Contributor II

@sdagley How do you connect the mac to the internet successfully while in root mode pre-setup, I tried several USB-C ethernet dongles, and had no luck.

sdagley
Honored Contributor III

@ovortiz The only USB-C adapter I’ve used is from Belkin and it just works. No driver or configuration required.

dng2000
Contributor

@JCCL I think your environment is still ahead of mine, because my environment is still officially on user-initiated enrollment by authorized IT staff, as my Windows-centric organization (and the University as a whole) is still resistant to enabling ADE for prestaging from our ASM (DEP), which I'm working towards achieving. The functionality is there, including enrollment customization for macOS Catalina, but it's a matter of getting the green light to make that official in my environment.

sdagley
Honored Contributor III

@dng2000 Does your current workflow utilize DEPNotify and the DEPNotify Starter script? Even if you're not yet using ASM/DEP to automatically enroll machines you can leverage DEPNotify and the DEPNotify Starter script to build a manually initiated workflow. That's what I did in my current environment while working on getting the necessary approvals for ABM/DEP, and when that was done the process of changing from manual to PreStage based enrollment was pretty simple.

dng2000
Contributor

@sdagley Yes it does.

sdagley
Honored Contributor III

@dng2000 Good luck on getting the ASM/DEP process approved then. My previous role was in edu, and I faced the same issue with a Windows-centric organization never quite getting to where they would provide the approvals/support necessary.

JCCL
New Contributor III

@ovortiz I also use the Belkin adapter but have found it only begins working after the Mac is connected to wireless for a few minutes. Something is happening in the background, but I don't know what.

JCCL
New Contributor III

@dng2000 ASM is a key component for sure. I am in a smaller organization and do the approvals for myself so it was a lot faster to get going :)