Creating auto login user and secure token escrow

rangiitsp
New Contributor

A couple of questions that are interconnected:


1. Jamf needs a user to log in first in order to escrow the secure boot token required to be able to wipe the device from Jamf, right?

2. What's the best way to create an auto login user during the provisioning process? I'd like to use this account to run DEPNotify (as it doesn't run without a user apparently; happy to be corrected if wrong) immediately upon enrollment completion and then delete the auto login user and itself once it has completed its run. This will also hopefully cause Jamf to escrow the secure boot token.


3 REPLIES

talkingmoose
Moderator

I'm not sure this will work.

You want this account to be the first to log in, however, the first account to log in also becomes the volume owner. You don't want to delete that account. You need it to perform major macOS upgrades.

Also, the purpose of DEPNotify is to display progress to a person sitting in front of the computer. Why go to the trouble of trying to automatically log in an account to display DEPNotify only to automate deleting the account when it's done? Just run your policies without DEPNotify.
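A concrete guard for the volume-owner point above, as an added shell example that is not part of this reply or of any Jamf or DEPNotify tooling: before a provisioning script deletes its temporary account, it looks the account's GeneratedUID up (`dscl . -read /Users/<name> GeneratedUID` on a real Mac) and refuses to delete it if `diskutil apfs listUsers /` reports that UUID as a volume owner. The `SAMPLE_LISTUSERS` listing and the UUIDs in it are constructed stand-ins so the script runs offline; the function names `volume_owner_uuids`, `is_volume_owner` and `safe_to_delete` are chosen here, and the live branch at the bottom is an assumption about what the real command output looks like on the machine it runs on.

```shell
#!/bin/sh
# Added example, not from the thread. Refuse to delete a provisioning account
# that has become the APFS volume owner (the first user to log in usually is),
# because that account is needed later for major macOS upgrades.
#
# Real inputs on macOS:
#   dscl . -read /Users/<name> GeneratedUID   -> "GeneratedUID: <uuid>"
#   diskutil apfs listUsers /                 -> cryptographic users with "Volume Owner: Yes/No"
# SAMPLE_LISTUSERS below is a CONSTRUCTED stand-in for the diskutil output.

SAMPLE_LISTUSERS='Cryptographic users for disk3s1 (2 found)
|
+-- 6A2E4F10-1111-2222-3333-444455556666
|   Type: Local Open Directory User
|   Volume Owner: Yes
|
+-- EBC6C064-0000-11AA-AA11-00306543ECAC
    Type: iCloud Recovery User
    Volume Owner: No
'

# stdin: diskutil apfs listUsers output; stdout: one UUID per line for every
# cryptographic user whose record says "Volume Owner: Yes".
volume_owner_uuids() {
    awk '/^[+]-- /{uuid=$2} /Volume Owner: Yes/{print uuid}'
}

# $1 = GeneratedUID, $2 = diskutil listing text. Exit 0 if $1 is a volume owner.
is_volume_owner() {
    printf '%s\n' "$2" | volume_owner_uuids | grep -qx "$1"
}

# $1 = account name, $2 = its GeneratedUID, $3 = diskutil listing text.
# Prints a verdict; exit 0 only when deleting the account is acceptable.
safe_to_delete() {
    if is_volume_owner "$2" "$3"; then
        echo "REFUSE: $1 ($2) is an APFS volume owner; keep it (LAPS-manage it instead)"
        return 1
    fi
    echo "OK: $1 ($2) is not a volume owner; safe to delete"
    return 0
}

# Live branch (assumption: macOS with diskutil/dscl present). Usage:
#   sh check_volume_owner.sh <account-name>
# The actual deletion is left commented out so the check is read-only.
if command -v diskutil >/dev/null 2>&1 && [ -n "$1" ]; then
    name="$1"
    uid=$(dscl . -read "/Users/$name" GeneratedUID | awk '{print $2}')
    listing=$(diskutil apfs listUsers /)
    safe_to_delete "$name" "$uid" "$listing"   # && sysadminctl -deleteUser "$name"
fi
```

Run it on the Mac as root with the temporary account's name; if it prints REFUSE, the account is the volume owner and should be kept rather than removed at the end of the workflow.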

Hi Moose,


I was taking a page out of John Mahlman's JNUC presentation on DEPNotify where he indicated that he used a package that generated a user, logged in as that user, ran DEPNotify and deleted the user. Unfortunately, the tool that generated the auto login user no longer works on anything above Monterey.


So, maybe we'd then need to change the workflow so that the first user that logs in is an account that would not be deleted but would then later be LAPS managed?


As for using DEPNotify, we were using it for MacBooks and thought we'd just extend that to the lab iMacs so that our policies are simpler and just involve policies that had custom triggers + a policy that ran DEPNotify. It also has the advantage of showing the lab tech where each iMac is in the deployment process without having to get into Jamf. But if it adds more problems then definitely we'll drop it.

AJPinto
Honored Contributor III

DEPNotify has not been updated in 3 years, I would not attempt to develop any workflows for this zombieware. Instead look at other solutions like Setup-Your-Mac.

https://github.com/setup-your-mac/Setup-Your-Mac