I build my instance to run this way for a couple of reasons. The biggest one is that I like to build things that have interchangeable parts. Meaning if the transmission goes, we just replace that part. I have used Jamf since it was Casper and many orgs had on-prem servers for my instances. The only instances that worked, other than patch mgmt, were the ones I built this way. It started from the SplashBuddy workflow and has matured. My two recent companies run it this way. Open for suggestions.
In this flavor, a list of items is installed at certain times.
-1 Base Application Install / Checkin and Policy Trigger
Once per computer, and at the enrollment trigger, every DEP machine and non-DEP machine will receive these applications from the JSS. The last command does two things: 1.) It runs a recon, which checks in and reports to the JSS. A layer that, from early in the imaging cycle, allows the JSS to understand what has been done. 2.) Runs jamf policy. By running jamf policy here we tell the next step to start and we even get our daily scripts to run faster - ex.) changing the ComputerName to the username.
Frequency Once per computer
Trigger At Enrollment
Scope All Users and Computers Site (never have one)
Install 1Password 7.pkg
Install CylanceProtect.pkg
Install Google Chrome.pkg
Install Slack.pkg
Install zoom.us.pkg
Run Unix command 'jamf recon; jamf policy' (this is in the files and processes payload)
-2 CF Dock Policy Trigger
This solely is here to fix the dock not running 100 percent of the time - every time. Why did the dock not run? Well, JSS has _mbsetupuser as a user in every failed Dock policy. The fix would be to flush every policy associated with a regular manual cadence. Or, create more smart groups and then they are not managed correctly - not scalable.
This command, /usr/local/jamf/bin/jamf policy -event eventdock, then calls the next step to start, which is the Dock policy that starts adding and removing applications on the dock.
Frequency Once per computer
Scope All Users and Computers Site (never have one)
Run Unix command '/usr/local/jamf/bin/jamf policy -event eventdock'
Again, a files and process payload to trigger a custom trigger. In this case it's -eventdock
-3 CF Dock Policy
Adds and removes the applications for 1st time setup. It is called by the -eventdock trigger.
The rest is a little private and honestly whatever you want. What I am doing is ensuring that my dock config works after the apps are installed and after any other criteria needs to be met. I just test 10 machines, 5 in DEP and 5 not. If I have an issue, I will update this thread.
@jmancuso How do you set up the Dock? Do you use dockutil in a script?
If so, you can add this to the beginning of your script to wait until the proper user is logged in and then configure the Dock:
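    # Waiting for user login
    # /dev/console is owned by whoever holds the GUI session
    USER=$(stat -f %Su "/dev/console")
    # Keep polling while Setup Assistant or the login window owns the console
    until [[ "$USER" != "_mbsetupuser" && "$USER" != "loginwindow" ]]; do
        sleep 1
        USER=$(stat -f %Su "/dev/console")
    done
    echo "$USER" "logged in, configuring Dock..."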
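An added example, not part of either post above: the same wait with a bounded timeout, followed by the `eventdock` custom trigger from the first post, so a policy that starts under `_mbsetupuser` fails cleanly instead of hanging. The function names, the 600-second timeout, and treating an empty or `root` console owner as "not ready" are assumptions made for this sketch.

```shell
#!/bin/bash
# Added example (not from the thread): bounded wait for a real console user,
# then fire the custom trigger the thread calls "eventdock".
JAMF_BIN="/usr/local/jamf/bin/jamf"   # path as given in the thread
DOCK_EVENT="eventdock"                # custom trigger name from the thread

# Print the owner of /dev/console (macOS stat syntax, as used in the thread).
console_user() {
    stat -f %Su /dev/console 2>/dev/null
}

# Return 0 only for a real user. _mbsetupuser and loginwindow come from the
# thread; empty and root are assumptions added for this sketch.
is_real_user() {
    case "$1" in
        ""|root|loginwindow|_mbsetupuser) return 1 ;;
        *) return 0 ;;
    esac
}

# wait_for_user TIMEOUT_SECONDS [INTERVAL_SECONDS]
# Prints the user name and returns 0 once a real user owns the console;
# returns 1 when the timeout expires.
wait_for_user() {
    local timeout="$1" interval="${2:-1}" waited=0 current
    while [ "$waited" -le "$timeout" ]; do
        current="$(console_user)"
        if is_real_user "$current"; then
            printf '%s\n' "$current"
            return 0
        fi
        sleep "$interval"
        waited=$((waited + interval))
    done
    return 1
}

# Only act on a machine that actually has the jamf binary installed.
if [ -x "$JAMF_BIN" ]; then
    if user="$(wait_for_user 600 2)"; then
        echo "$user logged in, configuring Dock..."
        "$JAMF_BIN" policy -event "$DOCK_EVENT"
    else
        echo "No user session within timeout; Dock policy not triggered" >&2
        exit 1
    fi
fi
```

A non-zero exit on timeout shows up as a failed policy run in the Jamf log, so the machine can be found and retried instead of silently ending up with an unconfigured Dock.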