Jumping into the fire - questions on 1:1 using DEP


Hello everyone,

This thread is similar to a few others but slightly different. I didn't want to hijack their threads, but I have been reading them as I see them and absorbing information.

Backstory: We have been planning for the last couple of years to go 2:1 iPad K-4, 1:1 iPad 5-8, and 1:1 MacBook 9-12. We started this year with pilot classrooms in our junior high and elementary with iPads, and the original goal was to roll out the iPads 2:1 and 1:1 this upcoming school year. That process is pretty much solid; I've had very few issues with it. Well, over the last month we received a rather large anonymous donation which allowed us to accelerate the deployment and do the high school as well.

The problem: In the original deployment plan, I had all of the next school year to get the Jump Start for Mac OS completed and all of my packages and everything created. Now that everything is accelerated, I have the summer to get that done. Due to the time crunch we aren't going to be able to get the Jump Start until after school starts, so the plan at the moment is to push forward without it and circle back after school starts to get the training and have them check everything we did. Oh, also my department is 1 person strong over the summer, and I'll have 600+ devices to roll out.

The specs: JSS 9.72, DEP set up in JSS, software update server set up, caching server(s) set up, NetBoot server set up; our past provisioning relied on DeployStudio. Open Directory on a 10.6.8 server, migrating to 10.10 over the summer. The machines being delivered will be 10.10. We do not have JDS installed yet, but that is the only setup item I'm aware of that we are missing.

The questions:

Being new to this process we are getting hung up on how to handle a few things, mainly user accounts. We don't want the local users to be admins. We want the local user accounts to mirror our existing Open Directory logins, not the Apple ID as a login like Apple recommends.

The reasoning is that our LMS (Canvas) uses our OD logins and our SIS (PowerSchool) uses our OD logins, and I don't want to add yet another login they have to remember.

Just curious what other organizations are doing to handle the users. Are you using mobile accounts and bound to OD? If so, how does that workflow tie that machine to only one user? Are you using a strictly local account with some sort of script creating it based on the OD login? Or what?

Does the pre-stage imaging profile "User Accounts" feature allow any kind of tag to pull the information about the current user to create a unique local account automagically?

This topic is what I'm following on another thread that was posted recently: thin imaging. I want to leverage DEP and roll out the devices without personally having to touch those devices beforehand. The specific question I have on this one is: does Casper have the ability to automatically link the device to the user in the JSS, similar to the workflow for iOS? If not, are you manually doing that before enrollment, or during enrollment?

Scripts: what kind of scripts do you think are absolutely necessary for a successful deployment, and are you willing to share?

I spend a lot of time reading success and horror stories from other people and I try my best to learn from them so I don't make the same mistakes, though I'm sure I'll make new ones. If anyone is willing to share any kind of tips and tricks that really helped, that would be fantastic!

I love this community. It is so helpful and full of quick responses, unlike some other vendor forums, and definitely not as catty as the old Apple listserv 🙂



Valued Contributor

To kick off this conversation I can add that DEP for OS X does not assist with creating the first user. Call this DEP 1.0 and we'll see how Apple evolves things in the future. In addition, call it a known caveat or a giant hole, but you can bypass the OS X check-in (not applicable to iOS) with Apple during Setup Assistant by not giving the computer a network connection. You'll then continue with Setup Assistant any way you want and the computer won't be bound.

With OS X DEP, everything after the first user creation can be skipped/automated with DEP and the MDM profile is then baked into the computer and not removable by local administrators.

With this in mind you can still utilize DEP as a provisioning tool for the technician's benefit. When you first log in after Setup Assistant you can have scripts automatically kick off to join the computer to OD, install apps and updates, etc.
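The scripts-at-first-login approach described above, as an added example that is not code from this thread or from Jamf: a policy script for the enrollmentComplete trigger that verifies the DEP-installed MDM profile is present, binds to OD only when the PreStage has not already done so, and flags a local admin account. The OD server name, the policy parameter positions and the MDM profile identifier are assumptions to confirm against your own JSS.

```shell
#!/bin/sh
# Added example, not from this thread: a Jamf policy script for the enrollmentComplete
# trigger that checks what DEP/PreStage left behind before doing its own work.
# Assumptions: OD server ($4) and MDM profile id ($5) are placeholders for your JSS;
# Jamf passes the mount point as $1 and the logged-in user as $3. Helpers take
# command output as an argument so they can be exercised off a Mac.

OD_SERVER="${4:-od.example.org}"
# Jamf's MDM profile identifier as I know it; confirm against your JSS.
MDM_PROFILE_ID="${5:-00000000-0000-0000-A000-4A414D460003}"
CONSOLE_USER="${3:-}"

# Is /LDAPv3/<server> ($1) in `dscl /Search -read / CSPSearchPath` output ($2)?
search_path_has_node() {
    printf '%s\n' "$2" | sed 's/^[[:space:]]*//' | grep -Fxq "/LDAPv3/$1"
}

# Is profile identifier $1 listed in `profiles -C` output ($2)?
profile_listed() {
    printf '%s\n' "$2" | sed -n 's/.*profileIdentifier: //p' | grep -Fxq "$1"
}

# Is user $1 named in `dscl . -read /Groups/admin GroupMembership` output ($2)?
user_is_admin() {
    printf '%s\n' "$2" | tr ' ' '\n' | grep -Fxq "$1"
}

main() {
    # The MDM profile DEP installs is what makes later management possible;
    # if it is missing, stop rather than half-provision the machine.
    if ! profile_listed "$MDM_PROFILE_ID" "$(profiles -C 2>/dev/null)"; then
        echo "MDM profile $MDM_PROFILE_ID not installed; enrollment incomplete" >&2
        exit 1
    fi
    # Bind only if the PreStage (or a previous run) has not already done it.
    if search_path_has_node "$OD_SERVER" "$(dscl /Search -read / CSPSearchPath 2>/dev/null)"; then
        echo "Already bound to $OD_SERVER; skipping bind"
    else
        # Directory credentials belong in the policy's parameters, not in this file.
        dsconfigldap -f -a "$OD_SERVER" -n "$OD_SERVER" || exit 1
    fi
    # Least privilege: the student's account should not be a local admin.
    if [ -n "$CONSOLE_USER" ] && user_is_admin "$CONSOLE_USER" \
        "$(dscl . -read /Groups/admin GroupMembership 2>/dev/null)"; then
        echo "WARNING: $CONSOLE_USER is in the local admin group" >&2
    fi
}

# Jamf passes "/" as $1; run the checks only when invoked that way.
case "${1:-}" in /) main "$@" ;; esac
```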

Contributor III

I am in a very similar position as bbelew. We have been using JSS for iPads for years but not 1:1. Now, this summer, we are going 1:1 in certain grades with iPads. All 1:1 with staff and some 1:1 for staff in OS X. We have just bought licenses for OS X and are looking at getting everything set up this summer.

We have been using AD binds for OS X for years and I would love to move to local accounts. All the issues with keychains (after a user changes the password; once a year for us) and Mac AD tokens just randomly expiring is such a headache. However it would be another login for people to remember.

We use thick and thin imaging using DeployStudio. I would love to move to all thin imaging with JSS, but I was wondering whether I should stick with NetBoot or whether local TB drives work better?

And printing! 3 years ago a staff survey had printing as the #1 tech concern for our staff. How best to deploy printers and handle driver management? Any suggestions would be appreciated!

I will be watching this thread carefully too!

Edited for spelling.


Thanks for the reply. Is the script to join the computer to OD necessary with the PreStage configuration and its OD binding? Or does that just matter for authentication?

For the user, our Apple SE suggested we just let the users log in with their Apple IDs. I don't like that idea personally because it's yet another login they have to remember. I'd rather it be the same login they use for our LMS, SIS, library system, etc.

Just kind of curious on that subject what other schools are doing. I like the idea of using our OD credentials because then I'll have a name associated with search and web browsing queries in our content filter. If they are all just a generic account with their own password, I'd have to make them authenticate to the filter to browse the web, which I really would rather not do. It just adds another step to become an issue.

We have had issues with mobile accounts in the past. For example, we have a mobile account for testing; it's imaged onto the machines, but just in case it's not, a user can still use it and it'll just create the portable home directory. Syncing isn't enabled on it, yet still from time to time it decides to act like a network home and give everyone the same documents.

I like the idea of being completely uncoupled from our servers to remove them as a possibility for future issues. Our experience with network homes over the past couple of years has gotten worse and worse, and there is a huge distaste for the servers and worry that a 1:1 will be plagued by similar issues.