I'm really curious how different organizations manage onboarding new users, and how I could be using Jamf to better automate my redundant tasks. Are you completely zero touch? If so, how do you automate some of the necessary tasks? Or (like myself) are you fairly hands on when setting up new machines? For instance, some of my steps include:
create the user's account
ensure it enrolls via our DEP
rename the machine
launch Self Service and install different apps (Chrome, Slack)
ensure FV2 is enabled
and then run a quick command in Terminal to prompt the user to change their password upon first signing in
So, I do a lot. And I'm mostly curious if any other organizations manage some of these tasks using automation. Love to hear your thoughts!
We support faculty, staff, and students and there's a separate workflow for each, but in general, for Stage 1 (our "Rendezvous" stage) we create a service ticket and talk to the end user to ascertain the make & model, get proof of purchase, and identify the "responsible party" for the device (not necessarily the same person as the end user). We also identify the end user and determine whether the device is going to be used "1 to 1" or shared. We configure devices in accordance with the sensitivity of the data on the device, so we ask about what kind of data will be stored on the device. If the device is a replacement we have a discussion about migration options and the pros & cons of each. We also find out if they have any apps on the old machine that may not function or be appropriate for the new machine.
For Stage 2 we go through the OOBE, create the first user, set the hostname, and enroll in Casper. Once the device is enrolled in Casper the rest of the process is largely automated. We have a list of supported software and all of that software can be installed automatically (with the exception of certain apps; I'm looking at you, Sophos).
We order from our vendor and they are placed directly on DEP for us. The device is shipped to the office the user works in, and depending on how important the user is, it gets sent to a help desk technician for setup instead of a user.
Once it is unboxed, the user starts Setup Assistant and is forced to enroll via DEP, and the PreStage package is deployed to the device. Right after that, Setup Assistant is force-quit and the NoMAD Login window appears. The user authenticates with their AD credentials to have an account created automatically.
Once the user logs in and Self Service pops up, DEPNotify takes over and runs through my provisioning tasks. I install some required apps, enable FV2, run a couple of scripts for things like naming the computer and assigning it to the user with no input, set the time zone, etc. Once the DEPNotify workflow completes, the user is prompted to reboot. On next login, time zone/location services are properly configured, the computer has the correct hostname and does a recon with this info, and FV2 begins its encryption process.
Overall it is a pretty simple workflow with a lot of moving parts that continuously create random conflicts. Due to our environment, the Mac must be on Ethernet for NoMAD Login to work properly. This is complicated by USB-C only devices and finding docks/dongles that work 100% of the time at the NoMAD Login screen. This is usually the biggest hiccup we have, but overall it is a lot quicker to assist with setting up these one-offs every now and again compared to my old workflow before we invested in Jamf:
I receive Mac from vendor
I unbox and set it up
Create an admin account manually
Create a user account manually
Install our management software agent manually
Start the provisioning process for that manually
Manually make sure the latest security updates are installed before shipping out
Pack it all up and ship
Each device used to take anywhere from 30 minutes to 2 hours to set up in my office and then ship out. Now even when our DEP deployments go wrong, we can usually get a solution in place to get the user logged in within 10 minutes or so, and then everything else works like it is supposed to.
More info on DEPNotify:
I have a script that is in the PreStage package with NoMAD Login, with a LaunchDaemon as well. The postinstall script for that package ensures the LaunchDaemon tries to execute DEPNotify every 10 seconds until the user is at the desktop and it launches. The script writes a bom file upon completion and deletes the LaunchDaemon to make sure it only kicks off like this once.
On the Jamf side, I have a policy set up that is scoped to a smart group of computers that are in the DEP PreStage and do NOT have DEPNotify installed. This is set to execute at the recurring check-in and responds to a custom command that is referenced in the script. This makes sure that even if the script doesn't deploy properly (which I have seen happen...), it will at least get pulled in by the recurring check-in trigger.
If DEPNotify fails, it's easy enough to restart it by dropping the computer in a policy that deletes the log from /var/tmp and deletes /Applications/Utilities/DEPNotify.app, then does an inventory update. This will put it right back in the smart group to run again in 5 minutes.
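The retry-then-self-remove pattern described in this post, written out as an added example (this is not the poster's script or anything from the DEPNotify project): a launchd job definition that fires every 10 seconds, a launcher that only opens DEPNotify once a real user is at the desktop and removes the daemon after a completion marker exists, and the reset logic of the re-run policy. Only /var/tmp and /Applications/Utilities/DEPNotify.app come from the post; the log and marker file names, the daemon label, the script path, the return codes and the helper names are all assumptions.

```shell
#!/bin/bash
# Added example, not the poster's code. Pattern from the post: a LaunchDaemon retries
# DEPNotify every 10 seconds until a user is at the desktop, a marker ("bom") file
# records completion, and the daemon deletes itself so it only runs once. Every path,
# file name and label below except /var/tmp and the DEPNotify.app path is an assumption.
set -u

DEPNOTIFY_APP="${DEPNOTIFY_APP:-/Applications/Utilities/DEPNotify.app}"
DEPNOTIFY_LOG="${DEPNOTIFY_LOG:-/var/tmp/depnotify.log}"            # assumed log name
DONE_MARKER="${DONE_MARKER:-/var/tmp/.depnotify-provisioned.bom}"   # assumed marker name
LAUNCHER="${LAUNCHER:-/usr/local/bin/depnotify-launcher.sh}"         # assumed: this script
DAEMON_LABEL="${DAEMON_LABEL:-com.example.depnotify-launcher}"       # assumed label
DAEMON_PLIST="${DAEMON_PLIST:-/Library/LaunchDaemons/$DAEMON_LABEL.plist}"

# launchd job definition: run the launcher at load and every 10 seconds after that.
write_launcher_plist() {
  cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>$DAEMON_LABEL</string>
    <key>ProgramArguments</key>
    <array><string>/bin/bash</string><string>$LAUNCHER</string><string>launch</string></array>
    <key>RunAtLoad</key><true/>
    <key>StartInterval</key><integer>10</integer>
</dict>
</plist>
EOF
}

# Unload and delete the job so the retry loop runs only once per provisioning.
remove_daemon() {
  if command -v launchctl >/dev/null 2>&1 && [ -f "$DAEMON_PLIST" ]; then
    launchctl unload "$DAEMON_PLIST" 2>/dev/null || true
  fi
  rm -f "$DAEMON_PLIST"
}

# "At the desktop" means a non-root console user whose Finder is running (macOS only).
console_user() {
  stat -f %Su /dev/console 2>/dev/null
}
user_at_desktop() {
  local u
  u=$(console_user) || return 1
  [ -n "$u" ] && [ "$u" != "root" ] && [ "$u" != "loginwindow" ] || return 1
  pgrep -u "$u" -x Finder >/dev/null 2>&1
}

# One attempt, invoked by launchd. Return codes (assumed): 0 launched, 10 already
# finished, 11 nobody at the desktop yet, 12 DEPNotify not installed yet (the
# check-in policy from the post delivers it, so just try again next interval).
try_launch() {
  if [ -f "$DONE_MARKER" ]; then remove_daemon; return 10; fi
  user_at_desktop || return 11
  [ -d "$DEPNOTIFY_APP" ] || return 12
  local u uid
  u=$(console_user); uid=$(id -u "$u")
  # Open the GUI app inside the console user's session rather than as root.
  launchctl asuser "$uid" sudo -u "$u" open -a "$DEPNOTIFY_APP" --args -fullScreen
}

# Last step of the provisioning workflow: record completion, then remove the daemon.
mark_done() {
  date -u +%Y-%m-%dT%H:%M:%SZ > "$DONE_MARKER"
  remove_daemon
}

# The re-run policy from the post: delete the log and the app, then update inventory so
# the "in PreStage and DEPNotify not installed" smart group picks the Mac up again.
# Removing the marker is an addition so the launcher itself will fire again too.
reset_for_rerun() {
  rm -f "$DEPNOTIFY_LOG" "$DONE_MARKER"
  rm -rf "$DEPNOTIFY_APP"
  if command -v jamf >/dev/null 2>&1; then jamf recon; fi
}

case "${1:-}" in
  install) write_launcher_plist "$DAEMON_PLIST"
           chown root:wheel "$DAEMON_PLIST"; chmod 644 "$DAEMON_PLIST"
           launchctl load "$DAEMON_PLIST" ;;
  launch)  try_launch ;;
  done)    mark_done ;;
  reset)   reset_for_rerun ;;
esac
```

The package postinstall would run `install`, the final line of the DEPNotify workflow would run `done`, and the Jamf re-run policy would run `reset`. Because the marker is checked before anything else, a second `install` after completion is harmless: the first tick sees the marker and removes the daemon again.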
Onboarding where I'm at now is pretty much non-existent where MDM is concerned. MacBooks are all set up for end users as individual systems. I'm honestly looking for some good OB workflows to help out. Hopefully we'll be going with Jamf (or another MDM provider) soon to make this whole process easier.
Create user accounts: Active Directory, then sync out to Google/OneLogin. Create Slack/AdobeCC/Box/Code42 accounts/memberships
Unbox and power on: DEP pre-enrollment creates the UserAccount then auto creates admin/ssh and installs all software with SplashBuddy out front.
Accept the Box/Sophos/GoogleDriveStream/HP security exceptions.
Change computer name
Hand off computer, have user change password in NoMAD and enable 2FA at OneLogin.
If the computer is a redeploy, we have a USB-C drive with Mojave to wipe and reinstall. If the computer is not DEP, then QuickAdd.pkg. This brings up SplashBuddy for easy progress monitoring.
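Several posts above rename the machine as part of the workflow ("naming computer ... with no input", "Change computer name"). As an added example, not taken from any poster, here is one way to do that from a Jamf policy script without prompting anyone: derive the name from a site prefix and the hardware serial, sanitize it to what LocalHostName accepts, set the three macOS names, and submit inventory. The prefix, the naming pattern, the fallback value and the function names are assumptions.

```shell
#!/bin/bash
# Added example, not from any poster: no-input computer rename for a Jamf policy script.
# Name pattern "<PREFIX>-<serial>", the prefix, the fallback and helper names are assumed.
set -u

PREFIX="${PREFIX:-MAC}"   # assumed site prefix

# Hardware serial from IOKit (macOS only); prints nothing on other platforms.
get_serial() {
  ioreg -c IOPlatformExpertDevice -d 2 2>/dev/null \
    | awk -F'"' '/IOPlatformSerialNumber/ {print $4; exit}'
}

# LocalHostName (Bonjour) allows only letters, digits and hyphens, at most 63 chars:
# uppercase, turn everything else into a hyphen, squeeze runs, truncate, trim ends.
sanitize_name() {
  printf '%s' "$1" \
    | tr '[:lower:]' '[:upper:]' \
    | tr -c 'A-Z0-9-' '-' \
    | sed 's/--*/-/g' \
    | cut -c1-63 \
    | sed -e 's/^-//' -e 's/-$//'
}

# Build the name from an explicit serial (useful for testing) or the hardware one.
build_name() {
  serial="${1:-$(get_serial)}"
  [ -n "$serial" ] || serial="NOSERIAL"   # assumed fallback so the name is never empty
  sanitize_name "${PREFIX}-${serial}"
}

# Apply the name. scutil and jamf exist only on a managed Mac, so both are guarded,
# which also lets the naming logic be exercised elsewhere.
set_computer_name() {
  name="$(build_name "${1:-}")"
  if command -v scutil >/dev/null 2>&1; then
    scutil --set ComputerName "$name"
    scutil --set HostName "$name"
    scutil --set LocalHostName "$name"
  fi
  if command -v jamf >/dev/null 2>&1; then jamf recon; fi   # report the new name to Jamf
  printf '%s\n' "$name"
}

case "${1:-}" in
  rename) set_computer_name "${2:-}" ;;
esac
```

Run as `depnotify-rename.sh rename` from a policy (a name the script is assumed to have); the sanitization step matters because a serial or prefix containing spaces or underscores would otherwise be rejected for LocalHostName while still being accepted for ComputerName, leaving the three names out of step.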