Making "Zero Touch" Computer Enrollment actually Zero Touch?

fernando_gonzal
Contributor

I have DEP enrollment of managed Macs, after a reinstall of the OS, down to four steps:
1. Selecting the Country
2. Selecting the Keyboard Layout
3. Clicking Continue on Remote Management/MDM enrollment (not optional for our Macs)
4. Selecting the Time Zone

However, my school was a bit spoiled with Netboot and DeployStudio as we would set the Startup Disk via ARD to our Netboot Server which would load into DeployStudio which was configured to automatically apply a workflow and run automatically.

Basically nobody had to physically touch the machines. It was truly "Zero Touch".

Is there a way to automate the DEP process to skip the steps 1-4 I listed above and simply enroll in our Jamf MDM server?

Thanks.

1 ACCEPTED SOLUTION

smithjw
New Contributor III

If you take out the Time Zone selection you can get it down to 3 steps but at this stage that's as far as you can get. I'm hoping that Apple give us the ability to auto-continue the Setup Assistant (like the Apple TV) in 10.15 🤞🏼


fernando_gonzal
Contributor

Thanks. I don't see another setting for Time Zone selection. In the screenshot I have configured the Setup Assistant to skip everything. Is it located somewhere else?

Regards,

allanp81
Valued Contributor

@mk2000 which version of Jamf Pro are you running?

fernando_gonzal
Contributor

@allanp81 10.10.1-t1551187745

allanp81
Valued Contributor

That should be ok then I think, I don't think that option was available until a certain version.

Ludeth
New Contributor II

IIRC you are not seeing time zone as a Jamf option because it is not skippable per se. If you remove the check box for Location service and allow the user to enable Express settings (which would turn on location services) then you won't see the time zone screen because the Mac will determine it on its own.

If you skip location services then they are disabled by default and you have to select a time zone. So really you are just trading one screen for another. Depending on your use case and if the Macs travel you may find that you want location services on anyway.

Also, you may have to uncheck App Analytics and one other box. It then combines them all into Express Settings.

mm2270
Legendary Contributor II

Yeah, I don't think Time Zone is skippable unless you let the user choose to enable Location Services. So it's one or the other. No matter what you have to click through around 3-4 screens initially.

So, as for how to automate any of this and make it really truly zero touch, you can't. Welcome to the wonderful world of Apple and DEP (where "Zero touch" doesn't mean what you think it means).
Hopefully Apple will eventually give us some way to automate getting through those last few screens, but I wouldn't hold your breath for it.

mconners
Valued Contributor

Hello @mk2000 and others. In our situation, we have a script I borrowed from Jamf Nation to set the timezone at enrollment.

This policy is run only at enrollment. The policy sets the login window to display a "please wait while we are installing additional applications" message along with setting the timezone; it will run a recon and set the computer name. Finally, this policy will restart the computer so the login window is configured for us.

Like others have said, we have the steps down to 3 steps but not really a zero touch.

fernando_gonzal
Contributor

Thanks everyone for your responses!

Regards,

diradmin
Contributor II

@mk2000 >>Making "Zero Touch" Computer Enrollment actually Zero Touch?

Spoiler: you can't.

tlarkin
Honored Contributor

I am going to guess Timezone is not skip-able due to cert based auth, and that if your time/date is off it will break many SSL types of communications.

I think zero-touch is more of that IT doesn't have to touch it. Historically you would either mass image, or you would have desktop support techs log in and configure machines. Zero touch is more of the fact IT doesn't have to touch the device and you can ship it to the user. I will agree that the phrase "zero touch," implies many other things and it should be maybe marketed more clearly.