We are a K-12 district with over 1700 desktops in our schools spread across 10 buildings. We currently use DeployStudio to manage our imaging of machines and Jamf to manage the day-to-day updates and management. We use DEP for our iPads but haven't used DEP for our Mac computers yet because we haven't needed it for any reason.
We currently have it set up so that we can image most of the district between when school gets out and when they come back for summer school less than two weeks later (assuming teachers or custodians don't unplug the desktops). It's currently zero-touch: we can reboot them remotely and get them to boot to DeployStudio, then DeployStudio automatically images and renames the computers and enrolls them in Jamf. Jamf then handles the rest (home pages, user-specific settings, printers, etc.).
Now, with the new User Approved MDM profiles, what is the most efficient way to do this? I'd rather not have to go back to touching each computer unless it's absolutely necessary and go through the Setup Assistant on each computer to get them to pull down the MDM profile from Apple.
Is there another way to do this, or am I missing a simple way? Is there any way to remotely get these iMacs to either have User Approved MDM or be DEP-enrolled with the MDM install once we upgrade them to 10.13?
We had some Apple Education technical reps come by last week, and they confirmed that with 10.13.4 the ways to get User Approved MDM automatically approved are: enrolling the Mac in your MDM with DEP, having the end user self-enroll through an MDM web portal or package, or upgrading from a previous version of 10.13 that automatically enabled User Approved MDM based on the fact that it was being enrolled in an MDM.
My future workflow for our carts and staff devices with 10.13.4 and forward will involve imaging the Macs with Imagr or Restor, using first-boot scripts to delete .AppleSetupDone, having our techs or staff go through the Setup Assistant, and then logging into the local admin account or their AD-generated mobile account to finish off the setup.
The Apple reps mentioned that there aren't any automated setups to allow User Approved MDM other than the conditions I listed before. Approving through a remote session within Apple Remote Desktop is also ineffective. If these steps aren't followed, the tech or end user must self-approve the MDM profiles. Depending on your end users, this may prove problematic. Apps with third-party kernel extensions that need to be whitelisted through a config profile may break.
If I were you and trying to avoid DEP enrollments, I would try to get a 10.13.2 installer onto your lab to get them to automatically approve User Approved MDM and then install the 10.13.4 combo updater over them to preserve that setting. Even though 10.13.3 isn't documented to have the same User Approved MDM stipulations as 10.13.4, I notice you still get the warning symbol over the MDM profiles.
I stripped out the firmware package (https://www.amsys.co.uk/deploying-firmware-updates-imaging/) and install it through Imagr before imaging. Our district fleet mainly consists of MacBook Airs, so applying this firmware gets them able to use APFS.
We recently purchased a large number of newer MacBook Airs preinstalled with APFS, so imaging with APFS is unavoidable.
For the few 2016 MacBook Pros with Touch Bars, I would recommend running the installer on them before imaging them. I am not sure what further unique firmware updates are automatically applied to them.
For all other non-SSD Macs, I create an HFS 10.13 image for them.
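Two pieces of the workflow described in the reply above (a first-boot script that deletes .AppleSetupDone so Setup Assistant runs again, and a way to confirm afterwards whether a Mac actually ended up with User Approved MDM once the 10.13.4 combo updater is on it) as a small POSIX shell helper. This is an added example, not a script posted in the thread or shipped by Jamf, DeployStudio or Imagr. It assumes the marker file lives at /var/db/.AppleSetupDone and that `profiles status -type enrollment` on 10.13.4 prints lines of the form `Enrolled via DEP: No` and `MDM enrollment: Yes (User Approved)`; both the root-prefix parameter and the embedded sample output are there so the functions can be exercised on a scratch directory instead of a live Mac.

```sh
#!/bin/sh
# Added example (not from the thread). Two helpers for a 10.13.x imaging workflow:
#   reset_setup_assistant  - delete the Setup Assistant marker so it runs on next boot
#   classify_enrollment    - classify `profiles status -type enrollment` output
# Assumption: marker path is <root>/var/db/.AppleSetupDone, and the `profiles`
# output format is the 10.13.4 one shown in the constructed samples below.

# Remove the Setup Assistant marker. $1 is the filesystem root: "/" on a real
# Mac (run as root from a first-boot LaunchDaemon), a temp dir when testing.
reset_setup_assistant() {
  root="${1:-/}"
  marker="${root%/}/var/db/.AppleSetupDone"
  if [ -f "$marker" ]; then
    rm -f "$marker" || return 1
    echo "removed $marker (Setup Assistant will run on next boot)"
  else
    echo "no marker at $marker"
  fi
  return 0
}

# Read `profiles status -type enrollment` text on stdin and print one of:
#   user-approved | enrolled | not-enrolled | unknown
# "enrolled" (without User Approved) is the state the reply warns about:
# the MDM profile is present but kernel-extension whitelisting will not apply.
classify_enrollment() {
  state="unknown"
  while IFS= read -r line; do
    case "$line" in
      "MDM enrollment: Yes (User Approved)"*) state="user-approved" ;;
      "MDM enrollment: Yes"*)                 state="enrolled" ;;
      "MDM enrollment: No"*)                  state="not-enrolled" ;;
    esac
  done
  echo "$state"
}

# Constructed sample output (not captured from a real machine) in the
# 10.13.4 format assumed above.
SAMPLE_UAMDM='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'

SAMPLE_PLAIN='Enrolled via DEP: No
MDM enrollment: Yes'

# Live check on a Mac; elsewhere fall back to the constructed sample so the
# script still demonstrates the classification offline.
if [ "$(uname)" = "Darwin" ] && command -v profiles >/dev/null 2>&1; then
  profiles status -type enrollment | classify_enrollment
else
  printf '%s\n' "$SAMPLE_UAMDM" | classify_enrollment
fi
```

Running the classifier across a lab after the combo updater (for example via a Jamf policy that logs the printed word) gives a quick inventory of which machines kept the approved state and which ones still need a tech at the keyboard.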