Casper Imaging (no erase) initial deployment .. vs. Policy deployment

Doing everything policy based here. Base image done with Autodmg with no additions. We can net boot/Image a machine, enroll a new machine out of the box that won't net boot in the case that it's newer that the NBI or we can restore a machine from Recovery HD then enroll and get the same results. The second 2 options can also be done off site for us as we have our JSS hosted in AWS with cloud DP.

More work to setup initially but much better to manage ongoing.

For me the casper imaging GUI's problems of showing EVERYTHING is the biggest problem.
We can't trust the end users(techs) who are deploying machines to not mess things up. So instead Im a huge fan of deploy studio because it has the functionality that allows you to set permissions on which workflows are allowed to run.
Then I just use a first boot policy that sets up the machine and installs the base software.

Casper Imaging needs immediate attention. They way of controlling all the settings for Casper Imaging should be through JSS. When someone selects a configuration it should automatically fill the details according to the settings stored in JSS.
https://jamfnation.jamfsoftware.com/featureRequest.html?id=2186.

Some of the features we need now;

1)Update Casper Imaging - Give it some LOVE
https://jamfnation.jamfsoftware.com/featureRequest.html?id=1155

2) Casper Imaging settings to be preconfigured in JSS
https://jamfnation.jamfsoftware.com/featureRequest.html?id=2186

3) Hide or scope configurations to specific groups
https://jamfnation.jamfsoftware.com/featureRequest.html?id=170

3) Ability to look for the first available disk instead of the target drive name(we had to run some scripts to achieve this)
https://jamfnation.jamfsoftware.com/featureRequest.html?id=61

4) Imaging logs to contain who imaged the machine.
https://jamfnation.jamfsoftware.com/featureRequest.html?id=145

5) Imaging logs to contain the configuration used for imaging and record in the inventory or able to read from an EA.
https://jamfnation.jamfsoftware.com/featureRequest.html?id=841

All good feedback. Probably my biggest issue with policy based deployment is the lack of GUI, prompting for computer rename, client identification (fake receipt methods) and lack of CS6 / adobeuser workarounds.

Good know know what people prefer for this. Are deploying policies based on "once per computer" or utilising other fake receipt "deployDone" or ext attribute to populate once deployment is complete.

We have about 300 policies and almost all are scoped to smart groups and most of them are set to ongoing.

We are also making use of static groups as application groups like you mentioned. Our help desk staff add a machine to a static group via a custom API page and the software gets installed, if they remove the computer from the group the software gets removed. If they re image the machine it always gets the correct software.

I've used once per computer, but I really like the method @timjd4 has suggested, when I have a new site to setup if jamf hasn't drastically improved the way things are done now I think that is how I'm going to go about it, i really like the web app using the api to assign machines to a group for software deployment

For new machines we do something similar to a "policy deployment" but rather than having something totally automated on the enrollment trigger we use custom policy triggers. So when we enroll a machine some basic software is installed that is included for all users, then in the terminal we run

sudo jamf policy -trigger oob_enroll

…and it runs some other policies built specifically for what we call Out of Box (OOB) enrollment. It also places a dummy receipt (http://www.kitzy.org/blog/2013/10/5/making-smarter-dummy-receipts-with-plists)
on the machine that specifies that it was an OOB enrollment so we can then customize policies for machines configured by an OOB enrollment. It's a tad less automated but we find it gives us more control over the process. It also ensures that when we run imaging using Casper Imaging that the policies aren't redundant.

I've been tinkering with deployment strategies recently also and sliding slowly towards policy based. It seems to me that JAMF is encouraging this also and I have a feeling the Imaging app. won't be significantly developed much further. But, it's still my personal preferred method due to the flexibility it offers.

I've got two 'Imaging' configurations. They're nearly identical except one contains an AutoDMG base image (for re-imaging, erase drive) and the other does not (for new machines, don't erase drive.)

I have several nit picks with the Imaging app as others have mentioned, but most of my problems with it are operational and come down to user issues. My tier 2 support staff that are deploying machines are not always using the current version and/or can't seem to understand how to use it properly no matter how simple I try to make it. "It was a brand new machine? Yes. And your using the no-OS config. Yes. So why did you erase the drive?…"

So to solve that 'problem' I created a custom triggered, deployment policy for new machines. Again, including most everything that's in my Imaging Configurations.
1. unbox, boot, run QuickAdd package.
2. run custom trigger package.

This solves several problems, but is a bit more difficult to engineer the order of operations.

Here, with a large global tier 2 staff deploying machines I have to develop to drop-dead-simple. Policy based deployment also eliminates the need to boot from an external drive, which seems to be a challenge for some folks. And Netboot is a ridiculous hassle to maintain at more than one or two locations. I give up on that mess.

I expect I'll end up fine tuning the policy based method and then turning it over to end-user self provisioning.

Lessons learned to date on this topic, simplify. In 12-18 months you'll probably need to change it.

We're doing policy-based setup here, triggered by a LaunchDaemon that runs on first boot.

Workflow is Netboot to a custom script, answer a few deployment questions (deployment type, location, etc), a name is auto-generated, LaunchDaemon and custom gui is installed to Macintosh HD and the computer is rebooted. Then LaunchDaemon throws up the GUI and runs a quickadd in the background. After that a setup policy is called which makes one or more decisions based on where a computer is on the network.

Reimaging is essentially the same process: Netboot -> custom script -> LD and reboot. Only difference is it restores a factory dmg of that model to get a clean, base, Apple-ified, never booted image again. From the techs point of view there is no difference except what NBI to use.

The biggest challenges here are keeping up with the OS and any Apple "Fork U's" with netbooting, keeping a stable of dmgs to restore from (really not that big a deal at the end of the day), and the fact that every once in a while a policy will be called while post-setup is running that will mount another copy of the CasperShare, then unmount it, screwing up the setup. To that end I have an EA that gets populated to block all other policies except the post-setup policy, then removes that EA once finished.

I'd love to be able to use a truly GUI-based deployment tool again like CI, but with all the bugs that CI experienced with v8.x I abandoned it quickly. Plus I think that JAMF is going to kill it since it hasn't gotten ANY love since sometime back in the v7 days I think...

I'm again thinking out loud about how patchoo can implement deployment.

Patchoo actually already has a bootstrap mode that does the loginwindow feedback, so attached a few more modes to augment a policy based workflow should be possible.

The approach of tagging a machine with fake receipts to identify it to the JSS appeals to me. (eg. deploy-accountsdept). They are easily scopable and also easily read and created by a script. It could be accomplished by ext attributes, but not really necessary.

In the same vein and Patchoo's software deployment tracks are tied to group membership, using custom update triggers, you could your mac to a deploy configuration identifier that is appended to a trigger.. eg.

trigger: deploy - would fire your stand configuration policy
trigger: deploy-accountsdept - would fire your accounts depart policy

Or you can just tie it all to smart groups... eg.

Smart Group:
deployAccountsDept
Installed by Casper is deploy-accountsdept
Installed by Casper is NOT deploy-accountsdept.done

It moves some of the smarts to the client and requires somewhat less work within the JSS.

I'd like to build something that's usable in as many environments as possible. This method requires interaction during deployment, building something to simply touch the filesystem is easy... but...

but I do like the approach @timjd4 is using with static groups. That build data also being persistent if the mac is reimaged by adding the Mac to static groups.

I am battling with how I can both provide these two workflows:

- New computer, unbox, enrol - Tech Selects necessary builds (that's fine, can build UI and group/fake receipt script)
- New computer, unbox, enrol - Mac is "PreStaged" and allocated build based on static group membership to deploy build (not easy / possible?)

Since Casper doesn't have a placeholder concept like some other MDMs, you can only leverage this kind of workflow via PreStage imaging, or basing your deployment rules on network segment or other metadata ... which brings me back to Casper Imaging again and we are butting against some fundamental designs of Casper.

I can see there are lot of places where people might want to dropship a Mac to remote office, send a URL or they have a USB stick with quickadd... and then get an end user to enroll. In this case you might not want a bunch of choices around the configuration being delivered.

Does your workflow handle this situtation @timjd4 ? I can't figure out how I can manage that.

We use the JSS Departments to some degree. We support multiple lines of business as our IT is run by a holding company. So a department is a line of business. If a new machine gets imaged/enrolled with no dept then it will miss a few items until the dept is set. This only needs to be done once so not a big deal. We also move computers between businesses so help desk can just change the dept and the machine will update with the correct software login window icon etc.. Anything outside of dept software is static group managed.

For patching we're just using 'Patch - SoftwareName' policies and smart groups. For software that can update while still being open, like Firefox, we just let it run in the background. For others we prompt the user with the policy notification explaining they can defer for a certain period of time then it will be forced.

We wrote a deployment app in AppleScriptObjC. So we have offices all over the world so new machine comes in for end user. Non-Apple tech IN that office takes machine out of box, creates the initial admin account, then runs our app.

They see a few text fields for computer name, drop downs for what domain the user is a part of and what software load they need, their user account, their office location. They enter that info and hit configure.

A script runs that renames the computer, configures the built in Cisco VPN and then installs a quick add package and enrolled in Casper. The script then runs "jamf policy <what policy we chose in the interface>" and runs the policy installing all our software and runs all of our scripts, binds to AD, etc, and shows all the progress to the tech using Cocoa Dialog.

So ultimately it's nice since the tech only has to know a few pieces of info which is mostly the info they would use to configure a windows box.

The question is really what are the dependancies in your environment. AD, FDE, backup…. and how do you configure/install them without you onsite team or users having to do anything ( zero touch)

We do a combination ….

We use the factory image then have Casper Imaging install .pkgs, not erasing the drive. The imagining is trigger by a prestage. (the onsite team option boots the machine and only has to choose the correct netboot image) One of the .pkgs is a launchd that is trigger by changes to the /Users folder acting as 1st log in script. This script triggers FDE and AD and adds the “admin” account.

I don’t have zero touch yet as, the onsite team or users have to run two scripts that are on the desktop after they log in…one to reboot for FDE and for customize safari and deleting the two Scripts : )

If onsite team has to do a re-image, on the same netboot server as the Casper Imaging netboot image I have a netinstall netboot image..

I think both options are really out of date… Hopefully we will be moving to “enrollment” based deployment for X.10… just like an iPhone using Casper MDM : ) log in to a factory image, go to this url, install this profile, wait X mins and you now have all the supported software and security setting that are required.

C

Really cool to share all of this. Thanks everyone. Patchoo might get some function around a policy based deploy featureset soon with a bunch of this in mind.

I am quite interested in using a combination of a dropdown extension attribute as a "build" identifier and fake pkg receipts to provide a policy and enrollement based workflow.

Using methods like this to read and modify a computer's ext attributes... https://jamfnation.jamfsoftware.com/discussion.html?id=5476 .. and perhaps injecting into the QuickAdd's postinstall script to have hardcoded builds --- eg. QuickAdd-departmentname.pkg.

Hmmm... stay tuned.

I dont know if this is still relevant, but I've been tinkering with the enrollment complete trigger within Casper 9.

Just enroll the machine and it'll trigger the policies and everything I need to have on the machines was laid down. Was pretty neat but I went back to Casper Imaging in the end anyway. I prefer the good ol' nuke and pave method.

Here's my take on it, for those playing at home. https://jamfnation.jamfsoftware.com/discussion.html?id=11849