Mass update an old lab to Mojave and enroll in Jamf

thebrucecarter
Contributor II

Greetings all,

So, we are getting further into deploying Jamf Pro this summer, to all of our labs instead of just the one that needed it due to new equipment. I have the following situation: I have a lab of fairly recent iMacs that is still running Sierra (not High Sierra). They are not currently enrolled in Jamf Pro. I just added them to our Jamf MDM via Apple School Manager, so they are ready to be. I want to get all of these guys into Jamf Pro with the full DEP style control. I thought I could do this with an enrollment package, but our local Jamf guy says that won't work, they'll act like they were user enrolled, which we don't want. Is there a way around this, or am I stuck touching each one the first time?

And by local Jamf guy, I mean our systems admin guy at ND, not anyone from Jamf.

Thanks for your thoughts and assistance!

9 REPLIES

Jalves
Contributor

Hey, we are actually going through the same process in our K-12 environment. We have been imaging for years and this is our first summer moving over to the DEP Workflow while upgrading from Sierra to Mojave. We have also added our devices to Apple School Manager and then created a generic prestage enrollment in our JSS for all managed computers. That gets the computers enrolled into JAMF without needing the end user approval button your coworkers may have been speaking about. We then have a net install set up to erase and install 10.14.5 to get them back to a clean install (or use the recovery partition if your computers cannot boot externally). Once that’s done you can work through the Apple Setup Assistant. Once the devices are managed, we trigger a policy set with the “at enrollment” trigger that installs the DEPNotify resources to allow us to assign inventory criteria to the device so it falls into its appropriate smart groups for policy installs. We are imaging a couple thousand lab machines this summer and we have our process set to use an auto-login user to somewhat “automate” the process for us. JAMF provides a DEPNotify starter script which can be configured to your needs with little scripting knowledge.

These are the links I used to set this up in our district.

https://github.com/jamf/DEPNotify-Starter

https://gitlab.com/Mactroll/DEPNotify

https://www.youtube.com/watch?v=A_VAD0zYq3A

allanp81
Valued Contributor

Either way though a user has to visit each machine, but if you were imaging the old fashioned way then that would've been the case anyway (unless you had autorun imaging working).

jared_f
Valued Contributor

In this case, there is nothing "zero-touch" about DEP for Mac. You will still have to touch each machine if you plan on enrolling them with DEP. Ya, I know... DEP = Apple School Manager.

Assuming you have an admin account on these machines that aren't Jamf enrolled, I would use ARD to push the Mojave installer and then remotely launch it on each machine. After I rolled up the machines, I would then reset them remotely to factory and then bring them through prestage enrollment.

I would then use something like DEPNotify to set up the machines as you run them through prestage.

allanp81
Valued Contributor

@jared_f If you start the installer remotely won't that essentially just perform an upgrade rather than reinstall? I wanted to do this approach but all of our High Sierra student macs are still HFS+ as we couldn't image the old fashioned way with APFS. Unfortunately there doesn't appear to be a way to post-convert to APFS or use the eraseinstall command if the device isn't already APFS.

ICTMuttenz
Contributor

Hello @bcarter5876

My idea is: you copy the Mojave installer through ARD and then use this script to upgrade to Mojave:

"/Applications/Install macOS Mojave.app/Contents/Resources/startosinstall" --applicationpath "/Applications/Install macOS Mojave.app" --agreetolicense --nointeraction

After the upgrade you have to copy the Mojave installer again, because the install removes the installer from the client. Then run this script:

"/Applications/Install macOS Mojave.app/Contents/Resources/startosinstall" --applicationpath "/Applications/Install macOS Mojave.app" --agreetolicense --eraseinstall --newvolumename "Macintosh HD" --nointeraction

Why run two scripts and not one? Because "--eraseinstall" is available from High Sierra.

Best regards

CSCC-JS
Contributor III

@ICTMuttenz

Erase install only works if the machine is formatted as an APFS filesystem.
Does the upgrade auto-convert?

jwscarsdale
New Contributor III

@jstillio

Upgrading to Mojave should auto-convert the drive to APFS.

thebrucecarter
Contributor II

Thank you all for the information and suggestions. I was able to set up the Mojave installer in a .dmg on a web server, curl it down, mount the image, and run the first stage Mojave upgrade and APFS conversion on some test machines. I ran it right from the mounted .dmg and it seemed to be happy with that. I thought that I might need to copy it onto the local drive. Pretty much the following:

curl -o /Users/Shared/Mojave.dmg http://mywebserver.myspot.nd.edu/utils/Mojave.dmg
echo "cURL result: $?"

hdiutil attach /Users/Shared/Mojave.dmg
echo "hdiutil result: $?"

"/Volumes/Mojave/Install macOS Mojave.app/Contents/Resources/startosinstall" --applicationpath "/Volumes/Mojave/Install macOS Mojave.app" --agreetolicense --nointeraction
echo "startosinstall result: $?"

It has autoconverted everything so far, but also everything I've done has been SSD. We have one lab that still has spinning rust, and I'll be checking that one tomorrow. Then we'll go to stage two, but I need to get the workflow inside Jamf Pro set up first.

jared_f
Valued Contributor

@allanp81 You are correct. This would just "roll up" the machines to Mojave. I actually didn't know you could install/erase upgrade.