DEPNotify Or Something Else? Suggestions Please

Levi_
Contributor II

Hey Everyone,

I'm looking at setting up DEPNotify again but I'm wondering if this is the best way to go with Apple's changes they've made and DEPNotify hasn't been updated in a while. What I do like about DEPNotify is that you can pop it before logging in. Looking through the MacAdmins Slack I see reports of the window getting cut off and there isn't really a way to resize it per the channel. This isn't really a deal breaker but appearances, right? There are suggestions for Dan Snelson's swiftDialog. I saw his post on here a month or so back and it looked like a good alternative too.

I know of IBM Notifier, DEPNotify and swiftDialog. My goal with either of these assistants right now really is to just capture some input from the tech to set the Device Name and preferably Asset Tag so the machine can get the right policies based on the naming convention of the device. Connecting it to my Jamf Pro instance via API is not necessary right now hence Asset tag is preferable. I'm not opposed to using any of these tools to trigger policies but right now I would like to just have JAMF do all that. In my environment, not everyone gets the same software even within the same departments so pre-installing anything other than the base applications isn't needed right at this moment.

Later on, I would like to explore one-touch deployments to employees but I still have concerns with the first account logging in not being the local admin account and it not getting the secure token for FileVault. If anyone is currently doing this and has any input I would gladly appreciate whatever you have to share. 

Thank You Everyone

19 REPLIES

steve_summers
Contributor III

Hey @Levi_ .  In my org, we use an app called Octory.  It's free, although there is a pro version.  It's very robust and may suit your needs, or it may not.  

You're looking for alternatives, it certainly is one.  https://octory.io 

Thank you Steve. Octory is really slick looking and I love the real-time editor. The free version includes most of everything I want; I just wish it had the option to execute scripts, or maybe I'm understanding it incorrectly. If you include a button, let's say "click here to install", can it be set to execute a Jamf policy?

Hey @Levi_. In my org, Octory was set up and running when I arrived on scene. I've had to tear it apart and rebuild it, so I'm pretty familiar with it and can say that it only monitors, it doesn't execute policies. As far as executing a script, I know there is a daemon as part of it, so maybe? I've never looked into doing that... If I wanted a script to run, I'd just set it all up via my Jamf instance and roll with it that way but monitor it (if it was for our staging process) with Octory. The developers of it will correspond with you out on MacAdmins via Slack if you needed them. I've met virtually with them, they're pretty nice.

Good luck man!  Let me know if you have any further questions.  

sdagley
Esteemed Contributor II

@Levi_ Unless you're not going to allow your users to have admin rights, and will be blocking access to the Sharing panel in System Preferences/Settings, I'd strongly discourage you from using the device name to determine applicable software install policies. Jamf Pro's Department attribute would be much better for that, and how to change that is much more opaque to (most) users.

Levi_
Contributor II

Very good point. I use Smart Groups to tie together employees in departments, the reason being, not going into too much detail, the departments are kind of granular, i.e. anything graphics or design. I have asked employees what department they're in and unfortunately, they're wrong more than they're right. The software required between some of these departments is not universal so that makes it more frustrating lol. What I should do is just generalize it and anything they need outside of the department setup can be snagged from Self Service. Thank you for making me think more on this 😃.

sdagley
Esteemed Contributor II

@Levi_ Personally my approach is that unless software requires approval for specific users or a license before it can be installed I just make it available in Self Service for all. That greatly reduces the number of titles that have to be specifically enabled. For those titles I use Static Groups to enable each title's install Policy (and I have a script runnable via Self Service for our Support staff to enable software when needed).

r0blee
New Contributor III

I always liked cocoaDialog due to the variety of options but that's not been updated in some time either. Maybe take a look at IBM Notifier - https://marketplace.jamf.com/details/mac-ibm-notifications as it's something with a lot of options and something I was considering at one point. 

pbenware1
Release Candidate Programs Tester

I started out looking at DEPNotify, but was also concerned about lack of recent updates. I discovered a cool product called SplashBuddy, which I started building out before I got sidetracked to another project. Not so long ago I came across Dan Snelson's Setup Your Mac with Swift Dialogs; the more recent iterations have encouraged me to take a much closer look at it, and so far I'm loving it.

I've come across Splash Buddy as well but forgot about it I admit. I think Dan Snelson's swiftDialog is what I will start testing more with. Thank You.

Jason33
Contributor III

I will give a +1 to Octory, as I have used it in the past.  I'm currently using DEPNotify, but like @pbenware1 says, I'm intrigued with Dan Snelson's Setup Your Mac.  I'm building out a new dev environment and will start playing around with it.

robjschroeder
Contributor

We were using Octory, we are now moving to use Setup Your Mac (uses swiftDialog). For my shop, we’ve packaged it in a way similar to DEPNotify where we can deploy it in a PreStage and make sure everything gets installed once the user is logged in.

mm2270
Legendary Contributor III

I used to use DEPNotify and got it working well, but the lack of updates over the last couple of years has soured me on using it anymore. I was worried that would happen when I heard Jamf bought Orchard & Grove, and my fears proved to be warranted. Development on DEPNotify has all but halted from what I can tell.

Thankfully we now have Bart Reardon's swiftDialog, which is a more robust (and up to date) tool for the type of automated setup you're looking for. I've switched my remote device setup workflow to using swiftDialog at this point. So I also recommend taking a look at it. Although in my case, I built my own custom script around it due to a very specific setup I have to follow for our environment, using @dan-snelson's Setup Your Mac script would be a great starting point.

kay-_-
New Contributor III

Hey Levi,


I personally use Dan Snelson's swiftDialog script (Version 1.5.1 in production) and it works great for us.

I generally configure the department within the PreStage Enrollments and then I run Dan's script (Version 1.5.1; it will wait for the Dock to load, which means the user is logged in).

We configured multiple iterations of Dan's script with different software for different departments and we use Smart Groups to apply it to the specified device.

I honestly can't thank Dan Snelson enough. He saved us a lot of time.

roiegat
Contributor III

Dan Snelson recently updated the script to version 1.6.0.  Adds a lot more validation for each install and totally rocks.  Plus he's very active on the macAdmins chat.

Levi_
Contributor II

Thank you everyone for your input, I'm very appreciative. I wish I could accept all of your answers as the solution. It really sounds like a lot of you are using a one-touch deployment scenario. I want to do this too but I'm concerned about the first account that logs in getting the secure token with FileVault. I've been burned in the past when the local administrator account did not have the secure token and could not reset local passwords on user accounts or authorize prompts. So I have been holding out. I know it's off-topic but can you guys tell me how it's been going for you or any tips to avoid the issue with the admin account not being able to authenticate admin prompts properly if it's not the first to log in?

sdagley
Esteemed Contributor II

@Levi_ If you're talking about the Management account that Jamf Pro can create, that account should never be used to log in to the Mac (and if you're using randomized passwords as Jamf recommends then you can't) so this shouldn't be an issue. I have my PreStages set to enable "Pre-fill primary account information" and "Lock primary account information" so that the user account is automatically created based on the enrolling user's AD credentials (which they have to enter to trigger the enrollment). Since that's the account the enrolling user will then use for the initial log in it will get all of the appropriate volume ownership and a secure token.

Levi_
Contributor II

Sorry for the late reply! No, I don't use the Management account, I was referring to a local admin account we create. I should have been more clear, that's my fault. Thank you for all the info and pointers, it really helps.

emanueldiaz_09
New Contributor III

If you need an admin account, you can create one using a policy that's triggered by Setup Your Mac. I don't use Setup Your Mac, at least not yet, but I do this with DEPNotify. The admin account is created after so it doesn't grab the secure token.

What we use for login authentication is Nomad Login. Hopefully we can use Jamf Connect soon, but since we use AD credentials for users, Nomad Login allows users to log in before anyone else.
Our workflow:
Device enrolls into Jamf > DEPNotify installs, Nomad installs > Login window is switched to Nomad > user logs in first to grab secure token > Once user is logged in DEPNotify runs to install software, create accounts, then reboots.
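
The question running through this thread, which accounts hold a Secure Token once the first user has logged in, can be checked after enrollment. The script below is an added example, not part of any post here; the account names and sample output lines are constructed, and it assumes `sysadminctl -secureTokenStatus` prints its usual "Secure token is ENABLED/DISABLED for user ..." line.

```shell
#!/bin/sh
# Added example (not from the thread): flag accounts without a Secure Token.
# Account names and sample lines below are constructed for illustration.

# Classify one line of `sysadminctl -secureTokenStatus <user>` output.
token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo "enabled" ;;
        *"Secure token is DISABLED"*) echo "disabled" ;;
        *)                            echo "unknown" ;;
    esac
}

# Read "user|status line" records on stdin; print each user that does not
# report an enabled token (disabled or unparseable both count as missing).
missing_token() {
    while IFS='|' read -r user line; do
        [ -n "$user" ] || continue
        [ "$(token_state "$line")" = "enabled" ] || echo "$user"
    done
}

# On a Mac: gather the real status (sysadminctl writes it to stderr).
collect_status() {
    for user in "$@"; do
        printf '%s|%s\n' "$user" "$(sysadminctl -secureTokenStatus "$user" 2>&1)"
    done
}

# Constructed sample: the enrolling user logged in first, and the local
# admin account was created afterwards by a policy.
sample_status() {
    cat <<'EOF'
jdoe|2023-03-01 09:14:02.113 sysadminctl[611:4521] Secure token is ENABLED for user jdoe
localadmin|2023-03-01 09:14:02.245 sysadminctl[614:4530] Secure token is DISABLED for user localadmin
EOF
}

# With account names as arguments on macOS, check them; otherwise run the sample.
if command -v sysadminctl >/dev/null 2>&1 && [ "$#" -gt 0 ]; then
    collect_status "$@" | missing_token
else
    sample_status | missing_token
fi
```

Run as a Jamf policy script or extension attribute with the accounts to check as arguments; any name it prints cannot unlock FileVault or grant tokens to other accounts until an existing token holder grants it one.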