Posted on 02-25-2018 07:14 PM
HI All,
Hoping someone might be able to point me in the right direction……there is a little bit of a story to our imaging and we need to move towards a DEP automated deployment, so here is what I do now, and what I had hoped for, and what I have tried to do.
what we do now for Lab deployment:
simple boot casper imaging, pycreateuserpkjg autologin, script ran while tempavccount is logged in to, set time server, time zone, create local admin account, lock screen (lockscreen.app), flush policies, call policies through JSS, AD binding (name done through Casper IMaging), delete temop account and restart
this works fine
now with 10.13.4 coming and new iMac Pro hardware, I need to try to get DEP working with a labs build, so this means no naming and no script forced through casper imaging on boot
so here is what I would like to see
DEP process going through a few steps of the startup process and accepting DEP enrolment, this is where user input stops, machine gets all of the policies to install apps, named correctly, AD login, time server etc, add to correct static groups, reboot at login window for students ready for next day
what I have tried……
DEP startup, accept MDM enrolment, only 1 script on enrolment complete which runs the policies as we are doing now but this will fail after mdm acceptance
or
DEP startup, accept MDM enrolment, only 1 script on enrolment complete which creates launch Daemon and script then reboot. reboot happens, runs script to install policies.
This hangs directly after accepting MDM enrolment
Tried, adding the pycreateuserpkg, but as I have a profile which disabled autologin, this does not work either
Thought about just going back to the old way of just putting a second policy for all apps based on the enrolment complete but this is time consuming and requires updates for both policies, not only that, but it is not very reliable with some pkgs just not installing
Then I could just scope to smart group to say if this is not installed then install it, but again, very time consuming for the 40-50 apps for lab machines
So I know it was a long story but if anyone has any ideas on how they would do this nicely through DEP any help would be great
Posted on 02-26-2018 06:01 AM
I've developed one that is deadly-specific to my environment right now. I have it working, but the script makes a lot of assumptions that you or others may not agree with.
For instance, a tech or contractor is required to provision all of our machines (even labs) as a matter of business policy. As such I bring up AppleScript prompts that ask the tech some basic questions they would have had to answer in Jamf Imaging anyway with pull down menus or customized tasks.
I hope to fine-tune my script to one day not make that assumption, but right now it does what I ask it to do here for a DEP workflow. I also assume our district's naming convention and how we achieve it. I also assume that anyone enrolled in our Jamf Pro server will have the existence of a file on the unit after it has been provisioned.
Now the lab machine version of my script will let me skip some of the questions I ask a tech upon imaging but I cannot avoid them all. Our machine naming convention here is:
<building cost code>-<asset tag>Mac
Much of my script is dedicated to parsing someone's choice of building into numbers and inputting the correct asset tag. Based on all of that, I can calculate the right OU and bind the device (yes we still bind our stuff).
In short, my script code to achieve what @BOBW works for my environment, but is very gangly at best. I'm willing to post, but will have to try to genericize a lot before doing so.
Things I haven't figured out yet:
How to automate the choice of language and keyboard language in the setup assistant and how to set Location Services to on. I can't skip the setup assistant as I want the DEP parts to work.
I will look at the scripts today and see if I can post them as I would also love to get feedback on them, but I'm almost afraid to because they are somewhat ugly.
Posted on 02-26-2018 12:17 PM
This is what I am doing for student/lab machines using DEPNotify. I have a different workflow with a modified version of ADEPT for staff machines. The script could use some tweaking but it is working for now so it is on the list for later. After the first few setup screens the computer will restart. On reboot it auto logs into our local admin account. DEPNotify takes over and runs all the policies needed to setup the computer. The Room field is edited thus removing the computer from the smart group then restarts.
PreStage
- Account setup local admin
- User and Location Room set to DEP Student used as a flag for Smart Group membership
- Directory Bind
Policies
DEP First Run Student
- Scoped to Smart Group based on Room
-Trigger enrollment Complete
-Payload Package with kcpassword file going in /etc
Postinstall script with these two commands
defaults write /Library/Preferences/com.apple.loginwindow autoLoginUser <local account username>
shutdown -r now
-This allows for an auto login on the restart
DEP Unattended Launch
-Triggers Login, Self Service, Custom “depunattended”
-Payload Script
Student First Login
-Files and Processes
jamf recon -room "DEP Complete" (Exit for smart group)
-Restart
#!/bin/bash
#install depnotify
jamf policy -event installdepnotify
#install district icons
jamf policy -event kisdicons
caffeinate -i -s -d -t 18000 &
file="/var/tmp/depnotify.log"
if [ -f "$file" ];then
echo "Found"
rm /var/tmp/depnotify.log
fi
touch "/var/tmp/depnotify.log"
jamf flushPolicyHistory
echo "[$(date)] Start Setup" >> "/Library/Application Support/JAMF/bin/DEP/dep.log"
/Library/Application Support/JAMF/bin/DEP/DEPNotify.app/Contents/MacOS/DEPNotify -fullScreen &
echo "Command: Image: /Library/Application Support/JAMF/bin/KISDColorseal.png" >>/var/tmp/depnotify.log
echo "Command: QuitKey: j" >>/var/tmp/depnotify.log
echo "Command: MainText: Setup Process in Progress. This will take approximately 20 minutes. At the end the computer will restart to finalize settings." >>/var/tmp/depnotify.log
echo "Command: WindowStyle: NotMovable" >>/var/tmp/depnotify.log
echo "Command: WindowTitle: KISD Mac System Admin" >>/var/tmp/depnotify.log
echo "Command: Determinate: 11" >> /var/tmp/depnotify.log
echo "Status: Installing Office..." >> /var/tmp/depnotify.log
jamf policy -event installoffice
echo "Status: Installing Chrome and Firefox..." >> /var/tmp/depnotify.log
jamf policy -event installchrome
jamf policy -event installfirefox
echo "Status: Installing PrintInstaller..." >> /var/tmp/depnotify.log
jamf recon
jamf policy -event installprintinstaller
echo "Status: Installing Symantec..." >> /var/tmp/depnotify.log
jamf policy -event depinstallsymantec
echo "Status: UI Settings..." >> /var/tmp/depnotify.log
#disable Fast User switching
defaults write /Library/Preferences/.GlobalPreferences MultipleSessionEnabled -bool NO
#Set Login Window to username and password boxes
defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool true
# Turn on remote login
systemsetup -setremotelogin on
# Create the com.apple.access_ssh group
dseditgroup -o create -q com.apple.access_ssh
# Add the admin group to com.apple.access_ssh
dseditgroup -o edit -a admin -t group com.apple.access_ssh
# Enable Remote Management
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -users <your local admin account> -privs -all -restart -agent -menu
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -allowAccessFor -specifiedUsers
echo "Status: Setting Time Zone and Server..." >> /var/tmp/depnotify.log
#set Time Zone and Time Server
/usr/sbin/systemsetup -settimezone "America/Chicago"
/usr/sbin/systemsetup -setnetworktimeserver time.killeenisd.org
/usr/bin/killall SystemUIServer
echo "Status: Renaming Computer..." >> /var/tmp/depnotify.log
# Rename computer############
jamf policy -event deprenamestudent
echo "Status: Installing Plugins..." >> /var/tmp/depnotify.log
jamf policy -event installflash
jamf policy -event installjava
echo "Status: Cleaning Up..." >> /var/tmp/depnotify.log
#Remove Outlook from student machines
rm -rf /Applications/Microsoft Outlook.app
jamf policy -event activateoffice
jamf manage
rm -f /etc/kcpassword
#Remove iWork Applications
if [ -d "/Applications/Pages.app" ];then
echo "Pages Found" >> "/Library/Application Support/JAMF/bin/DEP/dep.log"
rm -rf /Applications/Pages.app
rm -rf /Applications/Numbers.app
rm -rf /Applications/Keynote.app
rm -rf /Applications/iMovie.app
rm -rf /Applications/GarageBand.app
fi
echo "[$(date)] Setup Complete" >> "/Library/Application Support/JAMF/bin/DEP/dep.log"
exit 0
Posted on 02-26-2018 01:14 PM
So it looks like there may be no choice but to have someone log into the machine..... there is no DEP magic which will get me through...
I thought about it some more yesterday and figured this was the case.
I don't think any script is "ugly" especially if you look at some of mine, they are just "distinct"..... the good thing about distinct scripts is sometimes they can be easier to read and to learn from.
So I am thinking abut using a script that will do everything I need it to do once the machine is logged in. Once I work it out, hopefully today, I will post.
Posted on 02-27-2018 12:00 PM
I am actually loving reading about ADEPT right now....I have tried to implement the same thing using BASH and AppleScript and while I got past the whole getting a user logged in thing, I like the cleaner interface better of ADEPT. Too bad I'm no coder.
While I'll still need time to "genericize" my scripts. I have one script that is executed on enrollmentcomplete which does nothing but enroll the Mac into Jamf Pro as is, install a dummy user account, turn off the iCloud/crash reporter functions of the setup assistant and reboots. After a reboot, I have a one time run policy executed at login that if I use the full version of it (I have many slight modifications to avoid asking too many questions, but sometimes our techs would rather fill in these prompts than mess around in the JSS:
It all does work and has been tested, but I have variants that I'm testing that ask the user less stuff if I dont' need it. Again, I'll have to genericize it if will help anyone, but it's my current workflow that's almost made it out of testing. User then logs in as themselves and uses Self Service to get up to speed if we have a single user device. If it's a lab device, the department setting will trigger more policies to install specfic software to those specific labs.
Hope this helps...also +1 to pycreateuserpkg...I used that to generate the autologged in user...problem is, it doesn't auto login until the machine reboots so I have one more reboot than I'd like in the scripts.
Posted on 07-25-2018 02:45 PM
Hi @m.donovan
Your DEP method for lab environments is very close to what I've been working on, thumbs up to you for providing your script. Have you got a way as part of that process to Deploy VPP apps such as Final Cut Pro to the lab machines either during the initial setup script or before the first student logs in?
In my environment, any VPP (device licensed) content scoped to the computer fails to install until a user first logs in - I believe this is related to MDM Enabled Users?
Thanks
Ryan
Posted on 07-25-2018 03:19 PM
@rypowell88 JAMF is working at supporting Apples new VPP deployment at the login window, my current understanding is this will be in 10.7, I think this just hit beta, but no one has confirmed to me if this is included yet (which maybe hard given that VPP takes a lot of setup so may not exist in beta for a lot of folks).
Posted on 07-25-2018 03:22 PM
In a few days I'll post my scripts that we're going to be using in our labs. It's based on my DEPNotify workflow which I wrote about here. I'm basically going to have a script that lays down an autologin user then if the machine is already in the server it'll continue setup. If it's a machine not in the server it will ask the tech for the name, asset tag, and the machine type, from there it will deploy software. I will probably make another blog post about it on my site, so I'll probably just link to that when it's all done. I'm still working out some kinks.
I will also be presenting on this at JNUC this year, so stay tuned for that :)
Posted on 07-25-2018 07:14 PM
So... due to circumstances beyond my control, I only got ASM/DEP enrollment working in the last week or so. Our JAMF Pro server is running 10.5.0.
I'm considering this a transitional year for us in terms of how we are configuring and deploying Macs. I have limited time, resources, and training windows, and we have some new machines to push out including one whole lab, within the next 30 days.
I've also come to accept that zero-touch is currently not available using ASM/DEP enrollment. I used to have some pretty automated workflows that are now only semi-automated. So be it - it is what it is. I believe Apple has heard us on this (zero touch) so lets hope they are working on a future solution.
For now, I've come up with a compromise where we have a pre-stage enrollment that is configured on the JSS that we scope our ASM/DEP enrolled systems to. Once the system is enrolled in the JSS, our techs login with the local admin account on the Mac that was created during the enrollment process via pre-stage. We have a few policies scoped to run at enrollment, including kickstarting ARD, and installing the current version of JAMF Imaging. Usually these are completed by the time the tech logs in with the local admin account.
We have Self Service install at enrollment as well. Tech opens Self Service, logs in with LDAP credentials, and sees that "Run JAMF Imaging" is available. This is setup as an ongoing policy, scoped to all systems that have JAMF Imaging Installed, limited to the LDAP credentials of specific techs allowed to configure/image systems. It's essentially a small shell script that opens the JAMF Imaging.app application. Yes - they could navigate to it on the Macintosh HD volume and run it from there, but I want techs to get used to opening Self Service to run configurations/policies during deployment. Plus it allows me to bury the JAMF Imaging app in a location somewhere other than /Applications and not have to worry about techs forgetting where it is or not finding it.
The tech then opens JAMF Imaging, and runs our "thin image" configurations that do not install an operating system. I pre-installed the proper preference files to point to our JAMF Pro JSS server, so they don't need to worry about populating that information as if it's a first launch. Just a login with their credentials (which they were used to from NetBoot imaging workflows), and then providing local admin credentials (again) as well. They can name the systems using JAMF Imaging, just like they are used to. JAMF Imaging runs on whatever OS was already installed on the system. If they need a "clean" install, they have the instructions on how to use built-in Recovery, Internet Recovery, or NetInstall for the systems that still support it.
JAMF Imaging then runs like it normally does, downloads all the packages ands scripts for the configuration they chose, then it reboots. We can also still do pre-stage "imaging" as well. Upon reboot they get the "The Imaging Process is finishing installing software" from the JAMF Helper screen.
So outside of the couple of extra steps at the beginning because the systems are enrolled via ASM/DEP, the process of getting a system configured and deployed remains similar to last year. Hopefully at some point we can get around setting up the country and time zone information, and not have to click on continue/ok to get the configuration rolling. Perhaps Apple will come up with "institution approved MDM" that automates and skips some of these queries right off the bat, and that's how "zero touch" returns.
As others have said, each institution has their own needs. This is my compromise considering that Apple's deployment requirements are moving much faster than some of us can keep up with. JAMF Pro needs to have an easy way to name systems, similar to how JAMF Imaging does it now, or through pre-stage imaging. Perhaps it's something they could build into self service, or pre-stage enrollments, or some sort of configuration profile. Not all of us admins have time and resources to go through the effort that many of the other admins here in JAMF Nation have gone through to handle this process right now. Many of us have institutional naming conventions that have requirements outside of serial number or MAC address. JAMF Imaging and pre-stage imaging handles that task easily. The other feature that keeps me using JAMF Imaging is the ability to update and replace packages in JAMF Admin. In JAMF Admin, I can update my packages with current ones with relative ease, and update my JAMF Imaging configurations. When it's done via policy, if the name of the package changes, you need to go into the policy, and update the package in the policy. It would be nice if policies had their packages updated as well, but thats a feature request that remains "under consideration".
Once the beginning of the semester rush ends, I'll look at building out more policies to transition the configuration from JAMF Imaging into policies and scopes. The discussions here on JAMF Nation have provided me with a lot of good ideas, though some of them might get implemented in a slow methodical manner as time permits. I'm sure we'll see a number of new ASM/DEP features and refinements this fall once Mojave is released as well.
So I hope this provides yet another perspective on deployment workflows now that "imaging" as we know it is dead.
~Ted