Deploying Base Applications on DEP, Best practice?

ferrispd
New Contributor III

Hello all, I am finally getting our environment to use DEP for enrollment/provisioning. I'm looking for some best practices, what are you doing in your environment?

Our current enrollment process has the user (a tech) initiate enrollment. We have configuration profiles and policies (trigger set to Enrollment Complete).

We have more than a few Configuration Profiles. I'm curious how many most of you are deploying.

The Enrollment policies contain several packages and scripts. I have a suspicion that this is NOT the best way to be doing this. Is it better to deploy packages separately or in smaller groups?

We are binding our Macs to Active Directory (not my choice). With DEP, how do I bind these computers? My thought is that I need something to change the computer name first. Then a policy that targets unbound devices with correctly formatted names that are on the network or on VPN to bind to AD. Thoughts?

Notes: Currently on Jamf Pro 10.10, hopefully upgrading to 10.12 in the next two weeks.

Thanks in advance


Not applicable

In our environment I am changing everything to DEP enrolled and setup devices. Having a bunch of config profiles can get confusing, yet if each one is a DIFFERENT configuration it makes changes much easier as it doesn't have to refresh the whole payload. On average I have about 10 profiles that do various things on machines. Something big to keep in mind is if you have a config profile for your WiFi, keep it separate so you don't unintentionally drop the devices when trying to change a profile.

As for packages, I found that dumping them all at enrollment can cause a network bottleneck. I have a few that kick off at enrollment that are small, and then on check-in it will bring down the larger apps like Office; that way if it gets stuck you can remotely kick the machine and force it to check in.

We also bind our devices to AD and I found the lack of being able to name the device beforehand an issue. What I did is at enrollment a policy triggers that renames the computer to its serial number and then waits about 15 seconds, then a custom trigger kicks off the bind to the appropriate OU (which is already set up within another policy). I found this keeps the names unique, and considering all AD is really good for is logins, it suits the need here. You can create a script that properly names the device for your environment prior to bind, yet I've had various levels of success. Whatever you do, try not to put the bind in a config profile, especially with using DEP; it'll make the AD folks extremely mad that everything is named iMac or MacBook Pro. Good luck!

ferrispd
New Contributor III

Npotter, thanks for the info. I was looking for a good way to automate renaming these computers to our standard naming convention (Department-Asset Tag Number). I found this cool blog post about doing just that with a Google Doc.
https://www.macblog.org/post/automatically-renaming-computers-from-a-google-sheet-with-jamf-pro/

-Pat
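The two approaches in this thread (rename to the serial number, wait, then fire a custom trigger for the bind policy, and naming from a spreadsheet in the Department-Asset Tag format) can be combined in one Enrollment Complete script. The following is an added example, not code from either poster or from the linked blog post. It assumes, hypothetically, that the sheet has been exported to CSV with columns serial,department,assettag (a constructed sample is embedded in SAMPLE_CSV), that the AD bind policy is scoped to a custom trigger named bindAD, and that the naming standard is DEPT-NNNNN (2-6 upper-case letters, a dash, 4-6 digits). It follows the original question's idea of only triggering the bind once the name is correctly formatted; to bind every machine the way the reply above does, call fire_bind unconditionally.

```bash
#!/bin/bash
# Added example for this thread (not code from either poster or from Jamf):
# an Enrollment Complete script that names a DEP-enrolled Mac as
# "<Department>-<AssetTag>" from a lookup table, falls back to the serial
# number when the table has no usable row, and fires the custom trigger for
# the AD bind policy only when the final name meets the naming standard.
#
# Assumptions (hypothetical, chosen for the example):
#   * the sheet has been exported to CSV with columns serial,department,assettag
#     (a constructed sample is embedded below in SAMPLE_CSV; in production read
#     it from a file or fetch the published CSV into the same variable)
#   * the bind policy in Jamf Pro is scoped to a custom trigger named "bindAD"
#   * the naming standard is DEPT-NNNNN: 2-6 upper-case letters, a dash, 4-6 digits

BIND_TRIGGER="bindAD"
SETTLE_SECONDS=15
NAME_PATTERN='^[A-Z]{2,6}-[0-9]{4,6}$'

# Constructed sample of the exported sheet. The HR row has a malformed tag on purpose.
SAMPLE_CSV='serial,department,assettag
C02XY1234ABC,FIN,10042
C02ZZ9876DEF,ENG,10311
C02QQ5555GHI,HR,bad tag'

# lookup_name <serial> <csv-text>: print "DEPT-TAG" for the serial, nothing if absent.
lookup_name() {
  printf '%s\n' "$2" | awk -F, -v s="$1" 'NR > 1 && $1 == s { print $2 "-" $3; exit }'
}

# valid_name <name>: succeed only when the name matches the naming standard.
valid_name() {
  printf '%s\n' "$1" | grep -Eq "$NAME_PATTERN"
}

# choose_name <serial> <csv-text>: the table name if present and well formed,
# otherwise the serial number (the fallback the reply above uses for every machine).
choose_name() {
  local n
  n="$(lookup_name "$1" "$2")"
  if [ -n "$n" ] && valid_name "$n"; then
    printf '%s' "$n"
  else
    printf '%s' "$1"
  fi
}

# get_serial: read the hardware serial from IOKit; prints nothing on non-macOS hosts.
get_serial() {
  if command -v ioreg >/dev/null 2>&1; then
    ioreg -rd1 -c IOPlatformExpertDevice | awk -F'"' '/IOPlatformSerialNumber/ { print $4 }'
  fi
}

# apply_name <name>: set all three macOS name fields; dry-run where scutil is absent.
apply_name() {
  if command -v scutil >/dev/null 2>&1; then
    scutil --set ComputerName "$1"
    scutil --set HostName "$1"
    scutil --set LocalHostName "$1"
  else
    echo "dry-run: would set ComputerName/HostName/LocalHostName to $1"
  fi
}

# fire_bind: give the rename a moment to settle, then run the bind policy by trigger.
fire_bind() {
  if [ -x /usr/local/bin/jamf ]; then
    sleep "$SETTLE_SECONDS"
    /usr/local/bin/jamf policy -event "$BIND_TRIGGER"
  else
    echo "dry-run: would run: jamf policy -event $BIND_TRIGGER"
  fi
}

main() {
  local serial name
  serial="${SERIAL_OVERRIDE:-$(get_serial)}"   # SERIAL_OVERRIDE lets you test by hand
  if [ -z "$serial" ]; then
    echo "no serial number available; nothing done"
    return 0
  fi
  name="$(choose_name "$serial" "$SAMPLE_CSV")"
  apply_name "$name"
  if valid_name "$name"; then
    fire_bind
  else
    # Leave the bind to a later run: the machine keeps its serial-number name,
    # stays in the "unbound" smart group, and the policy can retry once the
    # sheet has a proper row for it. Returning 1 marks the policy run as failed.
    echo "$name does not meet the naming standard; bind not triggered"
    return 1
  fi
}

main
```

Run it by hand with `SERIAL_OVERRIDE=C02QQ5555GHI bash rename-and-bind.sh` to see the fallback path: the malformed HR row fails validation, the Mac is named after its serial, and the bind is deferred. If the CSV export carries Windows line endings, strip them with `tr -d '\r'` before handing it to lookup_name, or the asset tag will pick up a trailing carriage return and never validate.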

Not applicable

@ferrispd I have used that google doc method before and it works pretty well. Good luck with everything!