Handling Zero Touch deployments in a Domain environment

New Contributor III


I am in a bit of a rut in terms of getting a successful true "Zero Touch" to work in my work environment. We are a pretty heavy corporation, so we have to have Domain accounts logging onto the machine for my end users. One of the things that we were supposed to get working early on was a Zero touch solution for people at our remote offices. I have hodge-podged a "Kinda" zero touch. The workflow is as follows:

  • Machine enrolls in DEP
  • Receives configuration
  • Configuration has a local account that gets installed on top of the JSSAdmin account. (That is a necessity, as we cannot have local accounts due to company policy.)
  • The client signs into Self Service and runs a policy that basically runs jamf policy -trigger TRIGGER, which kicks off a set of policies to install the things the machines need to become "Domain Ready":
    1. Simple script that asks the client for Asset Tag information and deduces the machine type to derive the machine name. EX: MacBook Pro would be LM1234.
    2. Install Agent for BMC Footprints
    3. Install Security Software
    4. Install Centrify and join to domain, etc. Reboot.
  • Client can sign in.

One of my colleagues was working on this, he wanted to know what we could do to make it truly automagically happen, whether we could have the local account automatically sign in and then launch the program with minimal interaction.

I haven't taken my CCE yet, so I am completely in the dark with what the JAMFHelper command can do for me, and I have an inkling that this would be the route I should take.

I am open to any and all suggestions.

We are currently running JSS 9.91.


Contributor III

We have recently started using DEP for staff machines. I was really excited about “zero touch” deployment, but soon realised it’s more “minimal touch” instead!

Our process is similar.

  • Client turns Mac on
  • Initial setup process enrols Mac into DEP
  • Mac binds to AD
  • Client logs in with AD account
  • Login policy kicks off to install settings and apps
  • Client manually enters the asset ID when prompted
  • Mac restarts and now has an SOE look

Our login policy works off a smart group based on what computers have the PreStage Enrollment available.

We use jamfHelper to let the user know software is being installed. For example, a full screen notification, then the policy kicks off:

"/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -windowType fs -description "Your computer is preparing for initial setup" -icon "/Library/Application Support/Images/dep.png" &

Unfortunately due to AD binding, this process is limited to having a connection to our internal network. I was also unable to get auto login working to perfect the “zero touch” solution!

It's a work in progress and staff seem to be happy with the experience. Hopefully revision 2 of this process overcomes the above issues.

Hope this helps!
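An added example, not the original poster's or this reply's script, that ties the asset-tag naming step from the first post to the full-screen jamfHelper notice above. It assumes a 4 to 6 digit asset tag, the model prefixes other than LM (only "MacBook Pro -> LM1234" comes from the thread), and a trigger name "domainready"; the tag is validated before it reaches the hostname or any command line.

```shell
#!/bin/sh
# Derive a computer name from the Mac model and an asset tag, validate the
# tag, show the jamfHelper full-screen notice, then set the name and fire
# the custom trigger. Prefix table and trigger name are assumptions.

JAMFHELPER="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"

# Map the model identifier (output of `sysctl -n hw.model`) to a site prefix.
model_prefix() {
    case "$1" in
        MacBookPro*) echo "LM" ;;   # from the thread: MacBook Pro -> LM1234
        MacBookAir*) echo "LA" ;;   # assumed placeholder prefix
        iMac*)       echo "DI" ;;   # assumed placeholder prefix
        *)           echo "XX" ;;   # unknown model, flagged for a human to fix
    esac
}

# Only digits are accepted: the tag ends up in the hostname and in scutil
# and jamf command lines, so free-form user input is never passed through.
valid_tag() {
    printf '%s' "$1" | grep -Eq '^[0-9]{4,6}$'
}

# derive_name MODEL TAG -> prints the name, returns 1 on an invalid tag.
derive_name() {
    valid_tag "$2" || return 1
    printf '%s%s\n' "$(model_prefix "$1")" "$2"
}

main() {
    model=$(sysctl -n hw.model)
    tag=$(osascript -e 'text returned of (display dialog "Enter asset tag" default answer "")')
    name=$(derive_name "$model" "$tag") || { echo "Invalid asset tag: $tag" >&2; exit 1; }
    # Full-screen notice while the rest of the trigger's policies run.
    [ -x "$JAMFHELPER" ] && "$JAMFHELPER" -windowType fs -description "Preparing $name" &
    for key in ComputerName LocalHostName HostName; do
        scutil --set "$key" "$name"
    done
    jamf policy -trigger domainready   # assumed trigger name
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it with --run from a policy; without the flag it only defines the functions, which is how the naming logic can be checked on a test Mac.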


Contributor III

We have discussed this as well. The suggestion from Apple was using the JSS to deploy a VPN connection as part of the initial DEP connection.

Valued Contributor III

Just curious about the "asset ID" you guys are talking about, are you talking about a company barcode or similar?
We have these and they are in an asset database that the machines can reference using curl by serial number to have it returned to them. We then pull it from the client machine as an extension attribute, and we give them their machine names using the same method. All this is only on our internal network, but there is probably nothing too complex to make it happen externally or once you have established a VPN or similar.

Contributor III

Yes, the asset ID is the company barcode for that device. We also use it to name the computer. This is done as a prompt for the user to input. The user's input is then applied as the computer name and the jamfHelper takes over the screen to complete configuration.

In future revisions of our DEP process, I hope to automate this!


I know this is old, but has anyone figured this out?

Contributor II

Inventory Preload is my next step...

For now I can get Lab Macs to Zero Touch by keeping the volume name when they eraseinstall. This means they can bind to AD using the VolumeName, which is great for re-installs but not great for new deployments.

For new deployments, either the operator boots to Recovery and renames the disk (risk of human error). The next step is to use Inventory Preload. For me it should just be a case of modifying what I upload to our Asset Manager system.