I've been testing the Zero Touch Deployment directions that I have received from Apple, in preparation for the Fall semester. Previously we would image each device with our Configuration. That way everything is set up for our students so they could just turn the device on, log in with a generic password, and get to work.
But in an effort to cut down how much time we are spending per device over the Summer months. We want to give our students some responsibilities on their end. Specifically we will allow them to create their own non admin user account, and they will only be able to install only the software they need through Self Service or the App Store.
During my testing of the Zero Touch Deployment setup I have run into a couple of alarming problems.
The biggest problem I have run into is, occasionally the test device fails to get assigned to our JSS during the Apple Setup process. This means that the end user will be an administrator, and the device will not be managed by our JSS at all. I do not know why my test device fails to download the configuration occasionally, I just know what happens when it does fail.
The only work around I have found is going into the Pre-Stage settings, unchecking the box for the test computer in the Scope settings, and then re-checking the box. If I do that it works for a number of times, but will eventually fail the enrollment process
Another problem I have run into is Self Service doesn't launch If the device does get the Configuration Profile successfully installed. I have the Pre Stage enrollment process set to have Self Service launch when the setup process has completed.
Finally there is the issue if the device has been enrolled too many times. Since I am testing the Zero Touch Deployment process on one machine there have been times where the device fails to create a user account. It has successfully enrolled itself with our JSS, but when it gets to the User Creation process it occasionally fails to create a user. I do not know if this is because the MDM Capable Users field has filled up with multiple test accounts, or if it's another reason. But I have seen other posts on here asking if that field could be cleared when the device enrolls itself.
I am running Casper Server 9.98 and I am testing the Zero Touch Deployment process on the 10.12 OS .
I know this post is from 2017, and that’s why I am hoping that maybe it was resolved. Do you happen to have an update on this or does anyone know a solution to get past having to uncheck and re-check the computer within pre-stage to get it to work properly? Currently running into this issue and it’s caused us to abandon zero touch altogether given the complications we encounter during the initial set up
@nick.conway Are all of the devices you're trying to enroll on macOS Catalina 10.15.7 or later? There is a known problem with macOS Catalina 10.15.6 and earlier often failing to trigger the Device Enrollment process. Apple's recommendation is to drop into the Terminal window at the Language Chooser screen (that'll have you running as the root user) and run
softwareupdate -iaR to install the latest updates to Catalina. There's a thread regarding that somewhere on Jamf Nation, but the search functionality and I aren't getting along at the moment and I haven't been able to find it otherwise I'd include a link.