New Mac Provisioning

stevefitz
New Contributor II

I'm looking to transition from having our MSP provision brand new laptops to having the end user run through the setup. We look to be all set up for auto-enrollment into our MDM. I don't see any reason not to go this route other than we can't seem to set up a local admin account remotely that has access on machines with FileVault enabled. Any other reasons not to go this route?

1 ACCEPTED SOLUTION

AJPinto
Honored Contributor III

This is really the way Apple has MDM designed; it's all about zero-touch deployment. I can give you more reasons to go with zero-touch deployments than I can give you to avoid zero-touch deployments.


As far as FileVault goes, you can still have a local account preloaded during device enrollment. When FileVault is enabled, that admin account would also get a FileVault token. However, you should be using password rotation for any local management accounts, which would mess up FileVault for that account anyway. If you have access to JAMF, you can get the FileVault recovery key and use that to unlock FileVault no matter who has FileVault access.

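The accepted answer's point about password rotation is something you can verify on a device rather than take on faith. The script below is an added example, not code from the thread, from Jamf, or from Apple: it checks whether a local management account (hypothetical name `jamfadmin`, override with `MGMT_USER`) still holds a Secure Token and is still listed as a FileVault-enabled user, which is what a LAPS-style rotation can break. The parsing functions take the command output as arguments so they can be exercised offline on constructed sample output; only `check_live` runs the real macOS tools (`fdesetup`, `sysadminctl`). The `jamf_recovery_key` helper uses the Jamf Pro API endpoints as documented at time of writing (`/api/v1/auth/token`, `/api/v1/computers-inventory/{id}/filevault`); the server URL, credentials and computer id are placeholders, and you should confirm the endpoints against your Jamf Pro version.

```shell
#!/bin/sh
# Added example (not from the thread). Verdict on whether a local management
# account can still unlock FileVault after a password rotation.
# Live tools: `fdesetup status`, `fdesetup list`, `sysadminctl -secureTokenStatus`.

# --- parsers (pure text, testable offline) ---------------------------------

# `fdesetup list` prints one "username,UUID" line per FileVault-enabled user.
# Returns 0 when $2 appears in the listing passed as $1.
fv_user_enabled() {
    printf '%s\n' "$1" | awk -F, -v u="$2" '$1 == u { found = 1 } END { exit found ? 0 : 1 }'
}

# `sysadminctl -secureTokenStatus <user>` reports (on stderr)
# "Secure token is ENABLED|DISABLED for user <user>". Returns 0 when ENABLED for $2.
secure_token_enabled() {
    printf '%s\n' "$1" | grep -q "Secure token is ENABLED for user $2\$"
}

# One verdict: ok | no-secure-token | not-filevault-enabled
# $1 = fdesetup list output, $2 = sysadminctl output, $3 = username
assess_account() {
    if ! secure_token_enabled "$2" "$3"; then
        echo no-secure-token          # account cannot be a FileVault user on APFS
    elif ! fv_user_enabled "$1" "$3"; then
        echo not-filevault-enabled    # token present but not enabled for pre-boot unlock
    else
        echo ok
    fi
}

# --- constructed sample output (not captured from a real Mac) --------------
SAMPLE_FDESETUP_LIST='stevefitz,6A4C5C3A-1B2F-4D11-9E0B-2C9F5A7D3E10
jamfadmin,0F2E4D6C-8A1B-4C3D-9E5F-7A6B5C4D3E2F'
SAMPLE_ST_ENABLED='2024-05-01 10:00:00.000 sysadminctl[512:4096] Secure token is ENABLED for user jamfadmin'
SAMPLE_ST_DISABLED='2024-05-01 10:00:00.000 sysadminctl[512:4096] Secure token is DISABLED for user jamfadmin'

# --- live check (macOS, run as root) ---------------------------------------
# Exit status is 0 only when the verdict is "ok", so it can gate a Jamf policy.
check_live() {
    fdesetup status | grep -q 'FileVault is On' || { echo "FileVault is not on" >&2; return 2; }
    fvlist=$(fdesetup list 2>/dev/null)
    st=$(sysadminctl -secureTokenStatus "$1" 2>&1)
    verdict=$(assess_account "$fvlist" "$st" "$1")
    echo "$1: $verdict"
    [ "$verdict" = ok ]
}

# Remediation for "no-secure-token": grant the token again using an existing
# Secure Token holder. Run interactively; "-" makes sysadminctl prompt instead
# of taking secrets on argv where `ps` could read them:
#   sysadminctl -secureTokenOn jamfadmin -password - -adminUser stevefitz -adminPassword -

# Fallback the accepted answer mentions: pull the escrowed personal recovery key
# from Jamf Pro (needs curl, jq, network, and an API account with FileVault read
# rights). $1 = https://jamf.example.com (placeholder), $2/$3 = API user/password,
# $4 = Jamf computer id.
jamf_recovery_key() {
    tok=$(curl -sf -u "$2:$3" -X POST "$1/api/v1/auth/token" | jq -r .token) || return 1
    curl -sf -H "Authorization: Bearer $tok" "$1/api/v1/computers-inventory/$4/filevault" \
        | jq -r .personalRecoveryKey
}

# Only run the live check where it can succeed.
if [ "$(uname)" = Darwin ] && [ "$(id -u)" -eq 0 ]; then
    check_live "${MGMT_USER:-jamfadmin}"
fi
```

Run `sudo MGMT_USER=<account> sh check_fv.sh` on an enrolled Mac after a rotation cycle; a non-zero exit means the management account can no longer unlock the disk and you are down to the recovery key or another token holder.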