Deploying Non-DEP Macs

bassic
New Contributor III

Hi All

We are using Jamf Connect with Apple Business Manager to do Zero-Touch deployments on all our new Macs, and this is working really well. However, we still have a need to occasionally redeploy a legacy Mac that predates our Apple Business Manager setup.

We would like to bootstrap Jamf Connect with its settings and license profiles so that the user can log in with their company email address to create the initial account, and then have them self-enrol in Jamf. We would add the serial numbers of these Macs to a static group and scope the DEPNotify setup program to take over from there.

Previously I had this working well with Mac Deploy Stick, but it doesn't seem to support profiles with Big Sur anymore, and I actually just can't get it working; it just hangs during the install.

Is there a clever method anyone else is using? I wondered if it may be possible to harness the eraseinstall command with the -installpackages argument somehow. Is anyone doing this?

Thanks!

8 REPLIES

KyleEricson
Valued Contributor II

When I deploy Macs that are not in ABM, this is what I do:
1. Wipe the Mac and create the local IT admin account or end-user account.
2. Enroll into Jamf Pro.
3. My first policy that hits this Mac is to install Jamf Connect and org branding with a force logout.
4. The Mac logs out and the user logs into Jamf Connect.
5. Then DEPNotify kicks in.

Not perfect, but works pretty well.

Read My Blog: https://www.ericsontech.com

bassic
New Contributor III

Hi Kyle, thanks for this. May I ask how you are triggering DEPNotify after the Jamf Connect login? Also, does the account created through Jamf Connect have a secure token?

KyleEricson
Valued Contributor II

@bassic I use this great post-install script from here:
https://gist.github.com/arekdreyer/a7af6eab0646a77b9684b2e620b59e1b 


bassic
New Contributor III

Thanks @KyleEricson, I'll check this out!

sdagley
Esteemed Contributor II

@bassic macOS Big Sur requires user authentication in the System Preferences Profiles panel to install a Configuration Profile, and it's no longer possible to install them silently via a script (as you've discovered). It won't matter if you wrap them in a .pkg.

Depending on the age of the Macs that aren't in your ABM account, you may find a solution arriving with macOS Monterey, which will allow you to manually add a Mac to your ABM account, similar to how you can currently do with iOS-based devices.

frootion
New Contributor III

Adding older Macs to ABM via Apple Configurator (like iOS devices) will only work for T2 or Apple Silicon models.

sdagley
Esteemed Contributor II

Thanks @frootion, I'd missed the T2 requirement for manual ADE enrollment.

Tribruin
Valued Contributor II

If you can determine who you purchased the older Macs from, you could go back to the vendor and ask if they will retroactively add the computers to your ABM account.

I have never tried this, but you could try writing the com.jamf.connect.login preferences via the defaults command via a script as part of the install package since you can't silently install profiles. I would be interested if that actually works.