DEP workflow

DeployAdam
New Contributor III

Hello fellows,

Could anyone share their workflow for using DEP with JAMF Pro, please? Below is what we'd like to achieve:

  • iMac assigned to Apple DEP
  • JAMF Pro Installation removes ALL setup screens and enrolls the machine in JAMF Pro.
  • Create a local admin user on the machine
  • Get the Jamf Binary on the machine

Until now we have managed to enroll the machine, but Jamf Pro says it is still unmanaged and there is no user created.

Any insight would be helpful since we have never worked with DEP before. We have (until now) used DeployStudio for a basic image with the binary, and then Jamf Pro takes over.

You must also know we are in a school environment with shared iMacs where we cannot let the students execute any installation. So it must be as "zero touch" as can be.

Thanks for any input

1 ACCEPTED SOLUTION

DeployAdam
New Contributor III

Eventually, we figured out the cause of the problem. It was due to the fact that a few ports were disabled on our network by our network engineer. After he opened a few extra ports, everything worked out fine concerning the Jamf Binary enrollment in combination with a DEP device.

14 REPLIES

kerouak
Valued Contributor

Good day,

In the JSS, go to Computers, then select PreStage Imaging.

You will find everything you need in there.

You can then scope this via serial number, MAC address or network segment.

cheers!

Retrac
Contributor

How far along are you with DEP? Have you got it set up at deploy.apple.com?

kerouak
Valued Contributor

Of course, you need to enroll them as per @Retrac

DeployAdam
New Contributor III

We have Apple DEP in place with some test machines. Also the connection with Jamf Pro is working. We created a pre-stage enrollment but there is no Jamf Binary installed on the computer.

Retrac
Contributor

Do you have user-initiated enrollment enabled? And then, in the pre-stage account settings, a management account configured to match?

DeployAdam
New Contributor III

I have entered details about a management account in the user-initiated section AND in the pre-stage enrollment section, but the machines should not be enrolled by the user-initiated URL but automatically when started for the first time.

Should the binary be installed automatically or do I have to do some extra configuration for this to happen somewhere?

dtommey
New Contributor III

What OS version is the iMac running? I have seen what you are describing with DEP on 10.11. The machine would remain unmanaged in JAMF unless it was logged into.

rdwhitt
Contributor II

What version of the JSS are you running? 9.101 has a product issue that can prevent the jamf binary if the Accounts payload is configured in a prestage.

[PI-003771] When the Account Settings payload is configured for a computer PreStage enrollment, the MDM profile is installed on the computer, but the jamf binary may not install due to a timeout.

This seems to be fixed in 10, but it was extremely frustrating in 9.101.

robertliebsch
Contributor

I think you need to create a smart group. The prestage enrollment only gets you so far. I have a Smart Computer Group that has the criteria "Enrollment Method: Prestage enrollment is DEPname." Then I have a policy scoped to that Smart Group that installs all software packages, scripts, printers, dock items, and menu items. The policy is triggered by enrollmentComplete.

DeployAdam
New Contributor III

I assumed the binary was installed with DEP PreStage enrollment, but if that is not the case, I will create a smart group with "prestage enrollment is DEPname" and target a policy to this group to install the binary.

BTW, from watching this JNUC 2017 session @ 4:15, there is no mention of getting the binary on the machine with some policy or whatsoever. Or am I missing something here? https://www.youtube.com/watch?v=vrYXgoOwbtw

scottlep
Contributor II

I have been having major issues testing DEP and prestage enrollments. The binary should enroll during the PSE. In my testing it works less than half the time. You know it isn’t going to work when you don’t get the “Configuration Available”, “This Mac will be configured by XXXXXX” screen, which means that the computer has/hasn’t been recognized as being in DEP. At that point, if you look at the scope of the PSE, it shows as complete for that computer even though nothing has happened and the entire DEP/PSE process has failed. I have a case open with JAMF support. I have had the same failures with v9.101 and v10.0.0. Not sure if this is an Apple DEP problem, a JAMF problem, or a combination of both.

DeployAdam
New Contributor III

Could it perhaps be due to the need for a valid signed certificate for the binary?

scottlep
Contributor II

My issues are sporadic. Sometimes I can get DEP to work, other times I cannot. Tested it this morning and the JSS crashed. Sent the crash logs to Jamf in the case I already have open.
