Posted on 12-02-2019 06:31 AM
I'm trying to better my districts provisioning methods for employees receiving a MacBook. I want to run a script that will ask the user what to name their new MacBook and then bind it to active directory. I want to have the script run before they log in for the first time, so preferably during or right after the setup assistant. So I thought that the "enrollment complete" trigger would be perfect. However, the policy does not run while testing. I set up new MacBooks and nothing happens after what I think would be the point of "enrollment complete".
I have "network state change" disabled as recommended by others. Are there limitations to what scripts could run during setup assistant? Or am I just misunderstanding when the "enrollment complete" would trigger?
Thanks in advance for any help!
Posted on 12-02-2019 06:43 AM
Posted on 12-02-2019 06:48 AM
@ferriterj1 Are you using Apple School Manager so you can run a Device Enrollment based enrollment for your Macs? If so, you should create a Smart Group using your PreStage Enrollment as the criteria, and then have your policy scoped to that smart group with Enrollment Complete as the trigger.
Even if you aren't using DEP, you should look at DEPNotify and DEPNotify-Starter as they will make your initial configuration process much simpler.
Posted on 12-02-2019 07:00 AM
Why are you binding to AD? If your Mac computers are only going to be used by a single person, binding to AD is not the recommended solution. Most folks are now using Enterprise Connect (now built-in to Catalina) or NoMAD (more features than EC) instead of the headaches that come with a Mac bound to AD. Both tools also integrate better when trying to implement an Automatic Enrollment workflow.
Posted on 12-02-2019 07:24 AM
@kevinmwhite Binding to AD is still useful/necessary for 802.1x machine auth, and DFS namespace access.
Posted on 12-02-2019 07:35 AM
@kevinmwhite We plan on looking at NoMAD for our next deployment of staff MacBooks but that isn't an option for us right now. Trust me.. I'm well aware of the headaches with AD binding.
@sdagley We are using ASM! I will try that and report back if it works. Thank you for the advice!
Posted on 12-02-2019 07:51 AM
@sadgley I'm aware of those needs for AD, also any customer who needs multiple logins (a computer Lab). I just always ask "why" and often find that many customers don't actually need the bind... they just think they do.
@ferriterj1 It's important to note that tools like DEPNotify require that a user is already logged into a session. In other words, your requirement to ask the user for information (like a computer name) and bind before login presents a classic chicken-before-the-egg scenario. In my experience, if you want to make sure the system is bound prior to the first login, you either need to have a tech create a local admin account to complete your bind workflow, or use a method wherein Jamf pre-sets the computer name (something like the Inventory Preload option) before the system is bound automatically. Neither is ideal, but it's required if you want to bind the computer with a specific name before the end user is allowed to login for the first time.
Posted on 12-02-2019 08:08 AM
I have a script that mostly does what you're looking for. The caveat is that it needs to run as the _mbsetupuser user. What I've found works pretty well is to instruct the user to wait at the Time Zone setup assistant screen until the computer name prompt comes up. The downside is that it's not intuitive to have the user wait at that screen so if they proceed through setup assistant before the enrollment complete trigger kicks in, they will miss the computer name prompt.
I have another script that is much more tailored to our environment that uses the Jamf API to grab the username that the user enrolled with. It then builds a computer name based on their username and automatically binds to AD with it.
Posted on 12-02-2019 08:11 AM
Our solution to binding and names is to use serial number when binding to AD and placing them in a container. Our naming convention is LT##### / DT##### - I make that policy available in Self Service to all computer techs. I also have a smart group of computers whose name is not like DT or LT and have the naming script run at login. Granted our environment is very small and we are only 64 Macs out of the estimated 150 are in Jamf.
#!/bin/bash ComputerName=`/usr/bin/osascript <<EOT tell application "System Events" activate set ComputerName to text returned of (display dialog "Please Input New Computer Name" default answer "" with icon 2) end tell EOT` #Set New Computer Name echo $ComputerName scutil --set HostName $ComputerName scutil --set LocalHostName $ComputerName scutil --set ComputerName $ComputerName echo Rename Successful