I'm taking on Jamf Pro management for my work.

New Contributor

I've been tasked with establishing a fairly basic management environment for computers.

Only about 10 Macs running Mojave at the moment. Test environment of 1 Mac mini. No directory services. Building to expand in 6 months so I just need to get an onboarding process to do the following:

--As touchless of a setup as possible via pre-stage enrollment scoped via purchase orders.

--Local admin accounts created

--Wallpaper changes on login screen and on user desktop

--Auto launch of PDF for end users that log in

--Certain restrictions on end user account(not too worried about this yet)

--Toughest thing I need to setup, is to get a standard user to mimic the Guest account upon logout i.e. everything in the home folder to purge so that no data carries to the next person logging into that same account.

DEP and ASM already in place so computers appear in my policy scopes.

What would be the optimal workflow here? There is plenty of documentation available, but it's proving a little harder to get a sense of what needs to happen via policy vs configuration profiles and I don't want to progress too much on an inefficient foundation.


Valued Contributor

My set up here is...
All in DEP/ASM, with a token in the JAMF server to allow the Prestage setup.
For a device new out of the box, we get it out, and add the ethernet address to our DHCP setup, it is also named at this point. Naming them is going to be one of the most problematic issues depending on your set up. We have the ability to read the name set in the DHCP server, and then set the Mac to that.

You connect the Mac up and connect it to the network. We do this in general with laptops too using an ethernet adaptor. As it boots, it will show you as many of the setup screens as you want, set in Prestage if I recall. The one you really want to see is the Remote Management one. We get to that and OK it, then stop. If you set it to not show you any of these setup screens, you will not see the Remote Management one either, so you need to have one or two showing up.

The Mac will enroll with JAMF via Apple, so it needs a live internet connection to Apple.

I then have a policy that runs on enrolment, which is a script that calls other policies in turn. This way I control the order of the policies, like Admin account creation and installing Rosetta asap on the Silicon Macs. It also runs a setup script that sets the Mac to how we need it to run for us.

Once completed, the Mac reboots. It is at this point that we always sign in as our admin account. You need to do this to claim the master secure token for your admin account. Without it you will find the first logging-in account is the one with the secure token and you can't delete that account; it gets to be a real pain if it is a standard account that gets it.
After logging in we log out and let the general policies run to install the Apps required for that lab.

That is about as touchless as I have made the process.

Existing devices, you simply reboot to recovery, and then erase them and you are back to where I started with the new ones out of the box.

Jamf can create Admin accounts for you, no problem, just make sure one of them is always the first one to log in to the Mac.

Wallpaper can be set in Configuration Profiles > Restrictions > Functionality. And you will set up the restrictions on the end users from here too.

Auto Launching a PDF is possible using a LaunchAgent. You might need to use a script to call the PDF, but calling a script from a LaunchAgent is easy.

Purging data from an account is not so easy. Logout hooks no longer work in the newer versions of OSX. Plus for whatever reasons Apple has made this harder to do, and has removed privileges from various accounts, like root. If JAMF runs a script, it runs as root; if a LaunchDaemon runs a script it runs as root; if a LaunchAgent runs a script it runs as the logging-in user. I have tried running scripts that remove data from a user's Home folder, and in Monterey I have found that root is unable to do this fully, but if I sudo from an admin account I can delete it all. Also the logging-in user account, if it is a standard account, can't delete everything from its own Home folder. There are people in JAMF Nation who do run policies to clear out home folders on log out, and one of them would be better at explaining how to do it.
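The "policy that runs on enrolment and calls other policies in turn" pattern from the reply above, as an added example that is not the poster's own script: an orchestrator that fires Jamf policies by custom trigger in a fixed order, logs each result, and skips the Rosetta step on Intel Macs. The trigger names (`create-admin-account`, `install-rosetta`, `base-setup`) and the log path are assumptions; only `jamf policy -event <trigger>` is the real Jamf binary invocation. `JAMF_BIN` is overridable so the logic can be exercised on a machine without the jamf binary.

```shell
#!/bin/bash
# Added example (not from the original post): enrollment-complete orchestrator.
# Upload as a Jamf script and attach it to a policy triggered on Enrollment Complete;
# Jamf runs it as root. Each policy below is assumed to exist with the listed
# custom trigger (hypothetical names).

JAMF_BIN="${JAMF_BIN:-/usr/local/bin/jamf}"
LOG_FILE="${LOG_FILE:-/var/log/enrollment-orchestrator.log}"

# Ordered list of custom triggers. Order matters: the admin account must exist
# before anything that depends on it, and Rosetta before any Intel-only installers.
POLICY_TRIGGERS="${POLICY_TRIGGERS:-create-admin-account install-rosetta base-setup}"

log() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" | tee -a "$LOG_FILE"
}

# Rosetta is only meaningful on Apple silicon.
is_apple_silicon() {
    [ "$(uname -m)" = "arm64" ]
}

# Run one policy by custom trigger; returns the jamf binary's exit status.
run_policy() {
    trigger="$1"
    log "Running policy trigger: $trigger"
    if "$JAMF_BIN" policy -event "$trigger" >>"$LOG_FILE" 2>&1; then
        log "OK: $trigger"
        return 0
    fi
    log "FAILED: $trigger"
    return 1
}

# Run every trigger in order; the return value is the number of failures,
# so a non-zero exit marks the Jamf policy run itself as failed.
run_all_policies() {
    failures=0
    for t in $POLICY_TRIGGERS; do
        if [ "$t" = "install-rosetta" ] && ! is_apple_silicon; then
            log "Skipping $t (not Apple silicon)"
            continue
        fi
        run_policy "$t" || failures=$((failures + 1))
    done
    return $failures
}

# Only execute when invoked explicitly, so the functions can be sourced for testing.
if [ "${1:-}" = "--run" ]; then
    run_all_policies
    exit $?
fi
```

Because each `jamf policy -event` call blocks until that policy finishes, this gives the deterministic ordering the reply describes, and the log file gives you something to check on the Mac mini test box before the reboot and first admin login.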
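For the "auto launch a PDF via a LaunchAgent" point, here is an added example (mine, not the poster's) of a script you could run from a Jamf policy to install a global LaunchAgent that opens a PDF at login. The label `com.example.welcome-pdf`, the PDF path and the agent directory are assumptions; `/usr/bin/open`, `RunAtLoad` and `LimitLoadToSessionType` are standard macOS pieces. Because it is a LaunchAgent, `open` runs as the logging-in user, which is exactly why the PDF must be world-readable.

```shell
#!/bin/bash
# Added example (not from the original post): install a LaunchAgent that opens
# a PDF for every user at login. Run from a Jamf policy (as root).
# LABEL, PDF_PATH and AGENT_DIR are hypothetical defaults; override as needed.

LABEL="${LABEL:-com.example.welcome-pdf}"
PDF_PATH="${PDF_PATH:-/Library/Management/Welcome.pdf}"
AGENT_DIR="${AGENT_DIR:-/Library/LaunchAgents}"

# Write the LaunchAgent plist to stdout.
launch_agent_plist() {
    label="$1"
    pdf="$2"
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>${label}</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/open</string>
        <string>${pdf}</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>LimitLoadToSessionType</key>
    <string>Aqua</string>
</dict>
</plist>
EOF
}

# Install the plist with the ownership and mode launchd requires for
# /Library/LaunchAgents (root-owned, not group/world-writable).
# Prints the installed path on success.
install_launch_agent() {
    dest="$AGENT_DIR/$LABEL.plist"
    mkdir -p "$AGENT_DIR"
    launch_agent_plist "$LABEL" "$PDF_PATH" > "$dest"
    chmod 644 "$dest"
    chown root:wheel "$dest" 2>/dev/null || true   # no-op when not root / not macOS
    # Validate the XML on macOS; plutil is absent elsewhere, so skip there.
    if command -v plutil >/dev/null 2>&1; then
        plutil -lint "$dest" >/dev/null || return 1
    fi
    printf '%s\n' "$dest"
}

if [ "${1:-}" = "--install" ]; then
    install_launch_agent
fi
```

Deploy the PDF itself with mode 644 (for example in a package that lands in `/Library/Management/`) so a standard user can read it; the agent is loaded at the next Aqua login, so no `launchctl` call is needed from the root-context policy. On macOS 13 and later the agent also appears under Login Items, where a user can switch it off unless a managed login items profile keeps it on.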