Posted on 08-05-2015 03:02 PM
Is it possible to enroll a new laptop using DEP, and then (somehow) have that laptop become managed, without me touching the device? I was told to avoid imaging, so all of the packages I need to install will be done after the laptop becomes managed.
Thanks
Solved! Go to Solution.
Posted on 08-06-2015 10:42 AM
DEP will get a much needed boost of reliability and admin level control once El Cap is released, but as mentioned above by others, in its current form there are a couple of loopholes and gotchas that can leave your Macs un-enrolled to your JSS, so you just need to be aware of the caveats if you decide to use it today and not wait for the next revision.
Posted on 08-06-2015 06:46 AM
DEP will do what you're wanting. Just make sure that your packages can be accessed wherever the laptop gets powered on. We have setup a policy and a smartgroup to make sure those machines get the thin image. The smartgroup is just DEP devices(can't remember the criteria off top of my head) while the policy is everything in the image except for the OS/Recovery stuff. Caches and then installs from there.
Posted on 08-06-2015 06:59 AM
DEP enrolled laptops will become managed, if it's cool for the user to run through Setup Assistant, be an admin, and you can make sure they always have Internet access when they startup, then you'll be good using DEP.
Posted on 08-06-2015 08:25 AM
The "short" answer is: yes....but...
Saying that you don't want to touch the device makes me assume you'll be shipping this directly to the user. So, while you can assign a MacBook in a DEP PreStage enrolment and have it enrolled (and therefore automatically run policies on it) as part of the setup, the user will have the ability to skip the profile installation and avoid the DEP process. If you make the MDM Profile mandatory in the PreStage, they will be repeatedly prompted to install it but they can keep ignoring this and avoid the DEP enrolment.
@adamcodega correctly mentioned a few other issues above, although you could run a script to remove admin rights from the logged-in user as part of your post-enrolment process. Still, not the cleanest solution and surely not the best possible user experience.
DEP in iOS is a lot tighter and the AD integration makes it a complete tool for zero-touch deployment. The advantage of course is the lack of a multiple user context in iOS. In OS X there are still issues to be addressed, but no-doubt this will happen gradually in future updates.
Posted on 08-06-2015 10:42 AM
DEP will get a much needed boost of reliability and admin level control once El Cap is released, but as mentioned above by others, in its current form there are a couple of loopholes and gotchas that can leave your Macs un-enrolled to your JSS, so you just need to be aware of the caveats if you decide to use it today and not wait for the next revision.