auto-enrolling systems for management

jhuls
Contributor III

When a new system comes in, I would like to be able to simply deploy the software and configurations needed to each system, using the OS already installed, via the imaging app off an SSD. I also want the system to be automatically enrolled so it can be managed. I believe the Device Enrollment Program can take care of this for me, but at the moment I have to work through layers to try to make that work, and sometimes computers are purchased from vendors other than Apple. I thought I might be able to just include QuickAdd.pkg as one of the deployed packages, but it doesn't seem to work on more than one system when I tried it. Just copying the QuickAdd manually to a different system and running it sees it fail.

Running JSS 9.32 at the moment. Am I missing something obvious?

3 REPLIES

mm2270
Legendary Contributor III

You need to manually generate a QuickAdd.pkg from Recon.app. You can't reuse the one you download when you sign in at the enrollment page, since those have unique single-use certificates. It sounds like that's what the issue is.
Just open Recon.app, set up everything as you want, including creating any management accounts as needed, and build out a new package. Use that to enroll Macs.

From there, you can use policies, custom triggers, Smart Groups, etc to install all the software you need on them. With JSS version 9.x you can even use an event of "on enrollment" for some or all of the policies so they start running right away.

stevewood
Honored Contributor II

So, a machine comes in from your supplier (Apple, CDW, whomever), it gets unboxed and booted from an external drive, and Casper Imaging is run from that drive to install software onto the system. That right there should be enough to get the system enrolled into the JSS for management, and as long as your configuration profiles, managed preferences, and any other policies you want are scoped properly, that should work.

I have a Smart Group in my JSS called "First Boot". It is scoped to look for the presence of a file on a system in the Casper Receipts directory (/Library/Application Support/JAMF/Receipts). If that file exists, the machine is dropped into the First Boot smart group. I then have several policies to install software that are scoped to that Smart Group. When a new machine comes in:

1. It is unboxed, and the serial number is added to a Pre-Stage Imaging configuration in the JSS.
2. The machine is booted from an external drive; Casper Imaging runs and installs a postimage package that is set to install on reboot.
3. Casper Imaging reboots the computer.
4. The Casper enroll.sh script enrolls the machine into the JSS, which brings down the MDM parts, and the machine reboots.
5. My script (it was in the postimage package) is then run; it configures some settings and installs all of the software in the policies scoped to the First Boot Smart Group.
6. Finally it reboots the machine.

When complete, the machine has all necessary software and is waiting at the login prompt.

As far as the QuickAdd.pkg file, if you are downloading it via the web browser from a computer, that QuickAdd file is only good on that computer. To generate one that can be used over again, you'll want to open the Recon app and generate the QuickAdd.pkg file from in there.

And as far as DEP is concerned, you won't be able to go full circle with your workflow. The DEP will enroll the machine into the JSS, but it will not be managed until you run a QuickAdd or run it through Casper Imaging. At least not yet. Hopefully Apple will update the spec so that JAMF can add that functionality.

Does that help? Do you need further clarification?
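
As an added example (not code from the original thread, and not Jamf's own), here is a first-boot script of the kind stevewood's postimage package would carry, driving the policies from the jamf binary much as mm2270's custom-trigger / "on enrollment" policies would. It waits until enroll.sh has put the jamf binary in place and the JSS answers, runs the policies bound to a custom trigger, removes the receipt that keeps the Mac in the "First Boot" Smart Group, updates inventory so the group membership is recomputed, and reboots only when all of that succeeded. The receipt name FirstBoot.pkg, the trigger name firstboot, the log path, the idea of removing the marker, and launching the script with a `run` argument are all assumptions of this example; `jamf checkJSSConnection`, `jamf policy -event` and `jamf recon` are verbs the 9.x jamf binary does have.

```shell
#!/bin/bash
# Added example of a first-boot script for a Casper Imaging postimage package
# on a JSS 9.x client. Not from the original post; marker receipt name, trigger
# name, log path and the "run" argument are assumptions.

JAMF_BIN="${JAMF_BIN:-/usr/local/bin/jamf}"      # 9.x install path (older releases used /usr/sbin/jamf)
RECEIPTS_DIR="${RECEIPTS_DIR:-/Library/Application Support/JAMF/Receipts}"
MARKER="${MARKER:-$RECEIPTS_DIR/FirstBoot.pkg}"   # assumed receipt the "First Boot" Smart Group looks for
TRIGGER="${TRIGGER:-firstboot}"                   # assumed custom trigger on the first-boot policies
POLL_SECONDS="${POLL_SECONDS:-10}"
REBOOT_CMD="${REBOOT_CMD:-/sbin/shutdown -r now}"
LOG="${LOG:-/var/log/firstboot.log}"

log() { printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG" 2>/dev/null || true; }

# True when the receipt that drops this Mac into the First Boot Smart Group exists.
marker_present() { [ -e "$MARKER" ]; }

# Poll until the jamf binary exists and reports a working JSS connection.
# Gives up after $1 attempts so a dead network does not hang first boot forever.
wait_for_enrollment() {
  local max="${1:-30}" try=0
  while [ "$try" -lt "$max" ]; do
    if [ -x "$JAMF_BIN" ] && "$JAMF_BIN" checkJSSConnection >/dev/null 2>&1; then
      return 0
    fi
    try=$((try + 1))
    sleep "$POLL_SECONDS"
  done
  return 1
}

# Run the first-boot policies, clear the marker, and submit inventory so the
# JSS recomputes Smart Group membership and the Mac leaves "First Boot".
# Returns 0 on success, 1 if the JSS never answered (marker kept for the next
# boot), 2 if there was no marker to act on.
run_first_boot() {
  marker_present || { log "no marker at $MARKER, nothing to do"; return 2; }
  wait_for_enrollment "${1:-30}" || { log "JSS unreachable, leaving marker for next boot"; return 1; }
  log "running policies for trigger $TRIGGER"
  "$JAMF_BIN" policy -event "$TRIGGER" >> "$LOG" 2>&1 || log "jamf policy exited $?"
  rm -f "$MARKER"
  "$JAMF_BIN" recon >> "$LOG" 2>&1 || log "jamf recon exited $?"
  return 0
}

main() {
  [ "${1:-}" = "run" ] || { echo "usage: $0 run   (as root, from the postimage package's launch job)" >&2; return 0; }
  [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
  run_first_boot 30
  rc=$?
  if [ "$rc" -eq 0 ]; then log "first boot complete, rebooting"; $REBOOT_CMD; fi
  return "$rc"
}

main "$@"
```

Two practical notes. Smart Group membership is driven by inventory, so the `jamf recon` after removing the receipt is what actually takes the Mac out of "First Boot"; without it the next policy check-in would run the first-boot policies again. And because everything in the postimage package executes as root, keep the script and its launch job owned by root:wheel with no group or world write bit, and keep the first-boot policies scoped to the Smart Group (or gated on the custom trigger) so a stray receipt on a production machine cannot re-run them.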

jhuls
Contributor III

That helps...thanks!

I actually had tried the Recon-created QuickAdd to begin with some time ago and it seemed not to work. I can't remember the details but moved on, as the guy who was responsible here for support with the server was on leave. Since then there's been some work done on the server with Jamf involved, and I neglected to test the Recon-generated QuickAdd before posting this. I've only tested it now on one system, but it worked immediately, so I'm crossing my fingers and hope to test it on some others soon.

@stevewood Thanks for the additional info. I'll have to sit down soon long enough to digest some of it. As far as DEP goes, yeah, that makes sense. I've not really looked into it. An Apple rep had mentioned last week that they saw a demo where Casper was used for a new Mac and made it sound like everything would be automatic without the need for someone running QuickAdd. Maybe he was a little excited and missed that part...don't know. It's on my list of things to check out though.

Thanks again.