Jamf + SCCM Workflow

New Contributor

Hello everyone!

I manage about 100+ Mac Minis and image them with Windows 10 + macOS using BootRunner and BootCamp. We're planning on upgrading to newer 2018 Mac Minis from our 2012 Mac Minis, which feature the T2 chips that pretty much killed imaging.

I'm trying to understand and learn about Jamf Pro + SCCM to manage our machines, but I'm having a hard time finding a workflow that would work for us. Can you all help out?

I'm completely new to this so please bear with my poor knowledge, but I do know that our University does have all the software readily available (SCCM and Jamf Pro) for us to use, but it's a matter of planning out a workflow to create managed "images".

Here's a list of things we need:
- Not having to touch each machine individually for setup. We'd like to automate as much as possible (internet, accounts, and LDAP + AD binding)
- Ability to remotely manage our machines to update and install applications for the future.
- Ability to deploy Windows 10 images through Jamf Pro and have it automatically run the first-run scripts we already wrote (this includes AD binding, IP configuration, etc)

Here's my current understanding of what a rough workflow would look like; please correct me in any places that are wrong.
1. Unpack all 200+ Mac Minis
2. Enter Serial Numbers to ASM and create server-key for Jamf
3. Import server-key into Jamf and load all the machines
4. Apply zero-touch enrollment policies to reduce the amount of information we have to enter
5. Apply any other policies
6. Import the Windows 10 image that was prepared with Sysprep into Winclone and download the package
7. Import Windows 10 package to Jamf and have it deploy based off this article
8. Reboot + Success???


New Contributor III

Good morning. For the Apple side I can help. Also, imaging is called provisioning; if you're looking into other articles you will see a lot of people using that term. So here are kind of the steps you can take to help you out.

  1. Add the computers to your Apple Business Manager. https://support.apple.com/guide/apple-business-manager/assign-purchased-devices-asmf500c0851/web

  2. Assign the devices to Jamf's MDM within the School Manager.

  3. In your Jamf GUI, navigate to prestage enrollments and create one with the stuff you have said before, like AD bindings, networks, the admin account, etc.

  4. In the scope of the prestage section you can assign any devices in your Apple Business Manager, so the devices that you uploaded will show up there; then select the ones that need to be added.

  5. Boot the machines and go through Setup Assistant, which can also be edited in prestage enrollments; then you will see a screen saying your computer is now being configured by your school name.

  6. That's pretty much it. Then you can see the devices pull up in Jamf and manage them, change the names of the machines and much more. I hope that could help a little for you on the Apple side; I have never deployed Windows using Jamf.

Contributor II

The first thing I'm going to say is (not gonna sugar coat this) allow for 4 months to learn & develop everything you need to go from an imaging workflow to a DEP provisioning workflow.

If you're dual booting machines and using Boot Runner, you're going to have to manually go around every single machine and disable SIP (System Integrity Protection) from the recovery console (CMD+R at boot chime, then open the terminal from the top menu and type csrutil disable) in order to boot to the Windows partition from the Boot Runner selection screen.

From macOS 10.13 onwards Apple have disabled the ability to 'bless' a partition programmatically in order to make it bootable. So that's a manual step right there. You may have been able to capture this in an image previously but you can't under DEP provisioning as it's a clean install of the OS every time.

You also can't automate DEP enrollment 100% as far as I can tell (I could be wrong, someone please correct me if it can be fully automated). After the OS installs you still need to click through 3 screens during system setup even though you disabled every setup screen in your prestage enrollment in Jamf. There's an MDM welcome screen, a region (language & keyboard) selection screen and a set location screen.

The new Mac models can't be downgraded so you'll most likely be running macOS 10.15.5 and won't be able to use your old image. There is also a secure boot utility now built into the recovery console utilities menu to allow booting from external USB drives etc. Be sure to have a look at that if secure boot and T2 chip security are blocking you from doing something.

Here's a list of things we want:
- Not having to touch each machine individually for setup. We'd like to automate as much as possible (internet, accounts, and LDAP + AD binding)

You're going to have to touch each machine individually for some setup, it can be 99% automated but not 100% unfortunately.
It goes - OS install, 3 setup screens, then it can automatically apply configuration profiles, application packages and any scripts via policies.

- Ability to remotely manage our machines to update and install applications for the future.
Jamf can handle all of that. ARD is not easy to turn on any more due to Apple implementing 'user approved Apple Remote Desktop'. Jamf as your management server is the better option.

- Ability to deploy Windows 10 images through Jamf Pro and have it automatically run the first-run scripts we already wrote (this includes AD binding, IP configuration, etc)
I don't have knowledge of that. We previously used MDT to deploy via USB sticks but with Apple firmware restrictions in 2019 model iMacs (and no T2 chip to disable those restrictions) it has become impossible to dual boot them with a custom image or load a WinPE boot image. (Might be possible with Winclone etc.) But we're moving away from dual boot and are considering a VDI solution for Windows software due to the high amount of work/man hours required to maintain such a DB setup.

You will also need to learn about the erase/install workflow for the macOS installation. macOS 10.15 now has the ability in its softwareupdate command line utility to --fetch-full-installer and it will download the Catalina installer app into your Applications folder. Then the Catalina installer app has a program inside it called startosinstall which can now do --eraseinstall, which will wipe a drive and do a clean install of the OS. This can be deployed from Jamf to your already enrolled lab machines.

softwareupdate --download --fetch-full-installer --full-installer-version 10.15.5

"/Applications/Install macOS Catalina.app/Contents/Resources/startosinstall" --eraseinstall --agreetolicense --nointeraction --forcequitapps --newvolumename macOS

If they aren't enrolled the first time you provision Catalina it will be a manual effort to install the OS onto each machine in order for DEP to pick them up during the setup process. If they are new machines, before you boot them for the first time, you need to add their serial numbers to Apple School Manager (your reseller should do this for you) then associate an MDM server with the serial numbers in ASM (that will be your Jamf server). Then in the Jamf server you will need to create a prestage enrollment (computers/prestage enrollments) and then add the serial numbers to the prestage enrollment so that they get picked up by DEP during the setup process.

Since 10.14, most applications now give annoying permission prompts governed by PPPC (Privacy Preferences Policy Control). This can be managed using a handy Jamf utility to create the PPPC mobileconfig files for each application that is asking permission to access another program or resource.
You can then import/upload the mobileconfig file into Jamf (computers/configuration profiles/upload button top right).

I hope this points you in the right direction. I would focus on getting the macOS side of things developed first before thinking about the Windows side as there's lots of new things to learn and get right if coming from an imaging workflow.

It's becoming obvious that Apple is bringing a lot of its iOS technologies across to macOS with each new release of the operating system and they are changing the desktop workflow to match the provisioning of a mobile device.
'Imaging' and 'deployment' are now dirty words. It's now - provisioning, onboarding, offboarding, enrollment etc.

Microsoft Autopilot + Azure AD (Cloud AD) is the Windows equivalent of DEP. The writing is already on the wall for on-premise SCCM and Microsoft may force you to go that direction in the future. (There is a future coming where imaging is also dead on Windows.)
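
The erase/install step and the enrollment caveat from the reply above can be combined into one pre-flight gate. This is an added example, not code from any poster or from Jamf, and it refuses to wipe a Mac that would not be picked up by DEP afterwards. The function names, the DRY_RUN switch and the exact wording of the `profiles status -type enrollment` lines it parses are assumptions.

```bash
#!/bin/bash
# Added example (not from the thread): gate an erase/install on DEP enrollment.
# Hypothetical names: is_dep_enrolled, preflight, main, DRY_RUN.
INSTALLER="/Applications/Install macOS Catalina.app"
VERSION="10.15.5"

# True only if the text from `profiles status -type enrollment` shows the Mac
# is both assigned through DEP and currently enrolled in MDM.
# Assumed line format: "Enrolled via DEP: Yes" / "MDM enrollment: Yes (...)".
is_dep_enrolled() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*Enrolled via DEP:[[:space:]]*Yes' &&
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*MDM enrollment:[[:space:]]*Yes'
}

# preflight STATUS_TEXT INSTALLER_APP
# Returns 0 = safe to wipe, 10 = would not re-enroll, 11 = installer unusable.
preflight() {
  if ! is_dep_enrolled "$1"; then
    echo "refusing to erase: not DEP/MDM enrolled, manual setup would follow" >&2
    return 10
  fi
  if [ ! -x "$2/Contents/Resources/startosinstall" ]; then
    echo "refusing to erase: startosinstall not found in $2" >&2
    return 11
  fi
  return 0
}

main() {
  # Fetch the full installer (softwareupdate --fetch-full-installer) if absent.
  [ -d "$INSTALLER" ] ||
    softwareupdate --fetch-full-installer --full-installer-version "$VERSION" ||
    return 11
  preflight "$(profiles status -type enrollment 2>&1)" "$INSTALLER" || return $?
  if [ "${DRY_RUN:-1}" = "1" ]; then  # dry run by default; DRY_RUN=0 wipes
    echo "dry run: would erase and reinstall from $INSTALLER"
    return 0
  fi
  # Same flags as the command quoted in the post; the path is quoted here.
  "$INSTALLER/Contents/Resources/startosinstall" --eraseinstall \
    --agreetolicense --nointeraction --forcequitapps --newvolumename macOS
}

# Run only when invoked with --run, so sourcing the file has no side effects.
if [ "${1:-}" = "--run" ]; then main; fi
```

Deployed as a Jamf policy script it runs as root; the non-zero exit codes make a refused wipe show up as a failed policy in the logs.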