Posted on 12-29-2014 08:10 AM
This is more a conceptual question than anything else…
I'd like to have loaner laptops set up that are ready for employees to use if they leave theirs at home or have hardware downtime. I was curious to see what other folks here might have set up for that. My initial hesitancy with just imaging out a machine is handling permissions… do I just create a local account that folks use on that machine, and then wipe it every other week? Have users log in but not have admin rights?
(FWIW, our environment is all laptop users are admins on their laptops, hence the concern with permissions.)
Any ideas or feedback welcome. And sorry for something kind of off-topic. Thanks!
Posted on 12-29-2014 08:20 AM
My environment is identical to yours.
Most people here do all their work on the Web so all they need is Chrome to get through the day.
I create an admin account on the loaner laptop for them in their name, when they return the laptop I log in with the other admin account and delete the account that was created for them. I don't see any risks doing it this way.
If it's unique and they needed Adobe suite or etc installed on the laptop then I'll image it when it comes back to me. Thunderbolt TDM image takes about 6 minutes.
Posted on 12-29-2014 08:30 AM
So you create a local user profile that is an admin? Or you make them log in with a network account?
Posted on 12-29-2014 08:33 AM
Local admins, yes. That's what they have on their assigned laptop too. Was the challenge for you adding a network account as local admin?
Posted on 12-29-2014 08:36 AM
We have a small handful of laptops we use for loaners (first come first serve), they are imaged every time we give them out, sign in with their domain credentials, and load any extra software that is needed for the duration of their downtime. The machine gets returned to us and then imaged again and then ready for the next user.
Our bigger problem is ensuring we get the loaner back :)
Posted on 12-29-2014 08:44 AM
@adamcodega yes, trying to weigh making local admins each time versus using network accounts. A lot of what folks need in general in our org is web-based, so I'm guessing it doesn't really matter… just trying to figure out the easiest way to have something ready that doesn't involve wiping and reimaging every time someone needs it.
@jwojda right?! I'm guessing that would be our issue too. Getting them back. How much time does it take you to get a machine ready for the user? Do you just have a standard image and then manually install what's needed?
Posted on 12-29-2014 09:18 AM
We manage a decent number of Mac loaner laptops in our environment.
We add the customer's network account as an admin and when they return the laptop, we do a secure delete of their account/home directory. If they install a bunch of cumbersome apps (Adobe products, I am looking at you), then we just do a full re-image.
We keep about 5 of them hot on the network at any given point to ensure they are fully up to date so all we have to do is add their account and have them login with their network account, enable FV2 and then they are done.
Posted on 12-29-2014 09:19 AM
Agree with @JRossA, leverage secure user delete.
So for the sake of overthinking.. if they need to sign in with their network account to get where they need to go, then use or have them use Self Service to get the apps they need.
Depending on how much you need to loan out systems I'd set up (another) spare machine to run Casper Imaging and image them via Thunderbolt Target Disk Mode. Like I said an AutoDMG image takes about six minutes.
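An added example, not part of any post in this thread: a check-in script for the "add their account as admin, then secure-delete it on return" workflow described above. The keep list (`itadmin`, `loaner`) and the sample listing are assumptions constructed for illustration; `dscl` and `sysadminctl` are the stock macOS tools.

```shell
#!/bin/bash
# Loaner check-in cleanup (added example, not code from the thread).
# Assumption: KEEP_ACCOUNTS names the accounts that belong on the loaner
# image (IT admin account, shared "loaner" account). Everything else with a
# normal user UID is treated as left behind by the borrower.
KEEP_ACCOUNTS="${KEEP_ACCOUNTS:-itadmin loaner}"

# Constructed sample of `dscl . -list /Users UniqueID` output, for testing
# the filter off-device. The last entry mimics an AD mobile account UID.
sample_listing() {
    cat <<'EOF'
_www 70
root 0
nobody -2
itadmin 501
jsmith 502
loaner 503
adoe 1849203311
EOF
}

# Read "name uid" pairs on stdin and print the accounts to remove:
# numeric UID >= 501 (skips system and service accounts) and not kept.
accounts_to_remove() {
    while read -r name uid; do
        case "$uid" in ''|*[!0-9]*) continue ;; esac   # malformed or negative UID
        [ "$uid" -ge 501 ] || continue
        case " $KEEP_ACCOUNTS " in *" $name "*) continue ;; esac
        printf '%s\n' "$name"
    done
}

# Delete each leftover account together with its home directory.
# DRY_RUN defaults to 1 so the first run only reports what it would do.
cleanup_loaner() {
    dscl . -list /Users UniqueID | accounts_to_remove | while read -r user; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "would remove: $user"
        else
            echo "removing: $user"
            sysadminctl -deleteUser "$user" -secure
        fi
    done
}

# Only touch the machine when explicitly asked to (run as root on the loaner).
if [ "${1:-}" = "--run" ]; then
    cleanup_loaner
fi
```

Run it as root with `--run` to list what would be removed, then again with `DRY_RUN=0` to delete. Apps the borrower installed and changes made outside their home folder survive account deletion, which is the case where the posters above re-image instead.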
Posted on 12-29-2014 09:25 AM
We have a stock of loaners that are both bound to AD and also set up with a local account named loaner. That allows us flexibility because we can either have our folks log in with their AD account or have a visitor log in with the loaner account. The loaner account has admin rights, and we grant admin rights to our folks' AD accounts.
We have a DeployStudio workflow that sets up our loaner laptops with a standard configuration, including the loaner account (the account is created by a CreateUserPkg-built installer package.) When a loaner laptop comes back in, the person who manages our loaner stocks boots to DeployStudio and runs the workflow to completely wipe the laptop and reload a fresh copy of the loaner laptop configuration. Total time to reimage is about 45 minutes, with the person running the process needing to devote about 5 - 7 minutes to run the workflow.
Getting the loaner laptops back in a timely manner is definitely the most challenging part. We partially compensate for that by having a relatively large stock of loaners.
Posted on 12-29-2014 09:48 AM
We have a 3 week loaner checkout limit and then we start squawking at them to return them.
If they don't return it, we charge their department the cost of the laptop. =D
Posted on 12-29-2014 10:30 AM
FWIW, we use Deep Freeze on our loaners and it's worked well. We don't ever have to image more than once and people are usually good about not keeping them too long, as the longer they have them, the more likely they run the risk of losing data.
Posted on 12-29-2014 10:40 AM
I've got some good ideas now, thanks y'all!
Posted on 12-29-2014 11:15 AM
Alright... I have to jump in as well as most of our users are rather file dependent.
We maintain a statistically large fleet of loaner laptops. 30 for our ~650 users, which are always imaged and on shelf to cover our two main user populations (Students and Faculty/Staff/Admin). At present we would either create an admin account for our non-student population or use a generated "student" account (local) for our students. We transfer 90+% of their home directories from the computer to be repaired or from their backup drives. We are pretty picky about permissions and the user library so we don't transfer anything that doesn't directly affect their own configurations or settings.
Upon completion of their repair we give our users a few days grace when their computer is repaired to come pick it up before I set a few semi-annoying policies on them. The policies just pop up a nice reminder, once a day, to bring their loaner back as their computer is ready. We've had almost perfect success without having to get more persistent.
Beyond that, we're slowly moving to an integration with Code42 and CrashPlan (ProE or whatever it's called) to automate the file transfer without direct AD binding. I'll love posting that info up in the future when we have it all hashed out! We don't often have a lot of time to get our users back up and running so having this in the background without resorting to network accounts will be pure gold for us!
Posted on 12-29-2014 11:55 AM
Hi Everyone,
This was my experience at my last job regarding loaner laptops. We initially had sets of laptops designated as loaners, and in the event of a hardware failure or significant downtime due to troubleshooting, we would swap out our users with a loaner laptop. In the event of hardware failure it was about a 1 week turn around time for repairs. We had to ship the laptop to our tech depot, they had to order the parts, replace the parts, and verify it was fixed. With everything involved from initial diagnosis, travel time, waiting for parts, etc. it was pretty typical for a laptop to take about a week to get back into working order.
What I learned from this experience is that users would get the loaner and create a week's worth of projects, data, and work on that laptop. They would also take the time to restore their personal data, like iTunes collection so they could listen to music while they worked. We would then contact the end user via email that their laptop was back and they could turn in the loaner. This process proved to be ineffective, as the user already had a new laptop, with data on it, and all backups restored, plus a week if not more worth of work on it.
We had 6,000 Mac laptops at my last gig. We purchased them all at the same time on a set life cycle, meaning all of our loaners were the same as the production laptops end users were issued. So, in the end I stopped giving out loaners completely, and just reassigned end users new assets when their Mac had issues. This meant zero downtime for the end user, no hassle of bringing it back, and our asset management system could track everything tied to that user, and we had the JSS to back up what user owned what laptop, or what user logged into what laptop last.
In my experience, if at all possible, just issue a new laptop and keep the old one to refill your loaner stock. Of course there were cases of end users that kept very good care of their laptops and requested they get their original back. When that happened IT, of course, honored that request and the loaner issued was traded back in. I would say 95% of users did not ever want to trade their loaner back in for their original. So, we simply stopped doing it. Too much of a hassle, and it was also interrupting our end users to take time out of their day to head to IT to swap their loaner back.
Of course all Orgs will have different cultures, processes, ideas, etc. So, take my experience with a grain of salt. For my last job though, loaners were just such a hassle that I stopped doing it and just reassigned hardware when that happened.
Now, in the event that someone needed to borrow a set of laptops for something specific, we had a laptop cart you could check out. Like if we had visitors come look at our laptop program and want to experience it, or if a classroom needed more laptops for a project, or whatever reason, we had a cart you could check out and take with you. Then turn it back in when you were done. We also had the option for individuals to check out a couple of laptops, and they would sign for them and drop them off when they were done.
Cheers,
Tom
Posted on 12-29-2014 11:58 AM
I was hoping a discussion like this would come up on JAMF. Two weeks ago I was doing a JumpStart where the IT Department just received an Arabic MacBook Pro so we were using that as our target test machine (later nuke/pave for the intended faculty). It's the worst thing I have EVER experienced (besides 10.7 and learning "natural scrolling"... but that is another story or something that @charles.edge would still complain about).
After typing for 10 seconds I stated out loud "You should keep this and have it as your loaner. NOBODY would want to keep it".
The width difference in the Return key and the left shift key are killers: http://support.apple.com/en-us/HT201794
- Justin
Posted on 12-29-2014 12:05 PM
We've been investigating CrashPlan for a few of our teams that want automated backups… I've heard some good things about it.
I think I'm less concerned with true replacements and more concerned with just loaners for folks that left their computers at home. We're a mixed bag environment (MacBook Pros, Retinas, and Airs, Dell 14" and 15" Latitudes) so having a true replacement for every user type is pretty much impossible because we don't have that kind of stock. I was planning on using Macs for loaners because it takes me about 20 minutes to get one going, rather than like half a day like the Windows machines…ugh…
Posted on 12-29-2014 02:32 PM
Sort of off topic here, but I have noticed a lot of orgs are changing their helpdesk to be more of an Apple Genius Bar type setup. This has greatly interested me over the past couple years and I have been tinkering with tools I build that are not for end users, but rather level I techs and helpdesk people.
So, let's assume a user has an issue with their OS. Let's also assume they have a valid CrashPlan backup (that is verified). They take their Mac with the flashing question mark to the helpdesk depot at their office. With Casper Imaging you can reimage an entire computer in under 3 minutes with TDMI and Thunderbolt cables. I did a POC with a customer not too long ago that was just a simple launchd, an asr script and a TDM Thunderbolt connection. We were automatically imaging systems with an 80gig image (lots of extra content) in right around 3 minutes and 30 seconds. Now you could expand on this idea, and leverage Casper Imaging with a local DP at a help desk depot, and you could completely restore the user's laptop, start their CrashPlan recovery and send them on their way within probably 10 minutes or so. With a brand new OS and all their apps. I know this doesn't necessarily relate to issuing spares, but in this event you could fix their laptop quickly over issuing a spare over the span of time it takes to repair.
I've been very interested in leveraging the Casper Suite to build tools for IT staff as well as end user solutions. I have worked with a few orgs that are setting this type of experience up and so far all of them have positive feedback on these things. Even when I worked at the school district we had sort of a Genius Bar setup like an Apple store. I had tables and users could come into my office and sit down and get assistance. I was building tools back then as well, but they were just automated ways of doing tasks I had to do on a regular basis.
Now, I am looking at writing interactive scripts that allow IT techs to run diagnostics, tasks, and maintenance not only through Self Service, but also through the terminal. I think there are lots and lots of things we can do as Casper Admins to not only build great end user experiences for our end users, but also everyone else in IT.
As for the situation where someone forgot their laptop at home, we had a cart of laptops that people could check out for the day. For the situation of break/fix we just issued a new laptop from our spare stock. If the end user wanted their original Mac back when it came back from repair we honored that as well. We basically just gave them choices and they got to pick what they wanted to do. For the most part I think everyone liked that workflow.
-Tom
Posted on 12-30-2014 06:06 AM
Awesome input as usual @tlarkin
Self Service can be an awesome tool for IT techs as well as traditional users.
Posted on 12-30-2014 06:16 AM
@tlarkin I couldn't agree more. We are always working to create a comfortable, respectful and helpful help desk experience. The last thing we want is users to dread coming and asking for help, at any level. Thankfully our help desk tech creates most of that environment on her own. That said, having the ability to create quick diagnostic and repair policies for our IT staff really helps out front! It also gives a great structure for permanently fixing whatever issue it was you had to create the policy to resolve. I only wish we had more space to put in tables for my help desk and users to work at instead of the window we have. Fortunately I have a few in my office when things get really bad.
Regarding loaners again; proper staging and planning for your environment is KEY. As our community lives, learns and teaches with these units, transitional speed to a loaner during repair is really critical. I couldn't really keep a faculty member for even 10 min while they are teaching. Often times when something is really bad they simply send a student with their computer to the help desk. Said student has no access to the faculty's accounts, let alone a good description of the issues at hand. That wouldn't even count emergency needs by our Board or other visiting dignitaries, teachers and other such professional folks. This is the primary reason we keep pre-imaged loaners on hand at all times even with our network imaging process in at about the 5-10 min mark depending on image configuration.
Beyond that our students are BYOD and our faculty/staff/etc are planned purchases but not always identical. Fortunately we've sorted out any integration and compliance issues by maintaining a community understanding that our loaners are meant to be flexibly assigned to ANY user regardless of need. Because of our purchase planning and turnover we're almost always able to keep our professional users in machines newer than the loaners anyways (under 3 years). So, while we have policies and documents in place to force compliance we almost never have to.
Out of our 30 total loaners we usually only set aside 5 for faculty/staff which run to about 260-ish assigned units. Thanks to our own internal policies and things like the Casper suite and tools developed like @tlarkin mentioned at the help desk, this has become a very happy place for stressed users to come. The reason we set aside 25 for students has more to do with the fact that they drop them far more often than the faculty and often wait until just before or just after a school break to bring them in. It gets interesting when you have half a dozen or more students, with smashed screens, 30 min before they have to leave for the airport on a school vacation, and one help desk tech.
@emilykausalik the neat thing about CrashPlan is that it's platform independent so it's probably easier to transfer a user's files from PC to Mac than it is trying to explain how to use it. JAMF and the folks from Code42 have a few things going on the corporate side so I'd ask around. We've been working with Julia from Code42's Minn. office and she's been great! @tlarkin with pre-imaged computers (our helpdesk maintains our loaner fleet regularly) the hand off with a CrashPlan backup could be about a minute. That's where we're hoping to get. We're still testing and won't yet be bringing the CrashPlan storage on site just yet.
Posted on 12-30-2014 09:21 AM
Hey @Chris_Hafner
Sounds like you all are building a pretty sound workflow for your help desk. I dig it! Keep up the good work.
I have always been a fan of Self Service with IT policies scoped by LDAP groups, and also tons of tools/scripts in Netboot Images techs could leverage. I used to build Diskwarrior, Tech Tool, ASD, and a bunch of customer diagnostic/repair scripts in my NetBoot image so techs could NetBoot and run those tools to help troubleshoot/fix computers with issues.
-Tom
Posted on 01-02-2015 01:10 PM
I set up our Macs bound to AD with Centrify. Just finished deploying CrashPlan ProE before the holiday break. So if any of our staff has a system/drive failure or their MBP is stolen, we can provide a loaner.
The person simply logs in with his/her AD credentials and can access their files via the CrashPlan web interface while I set them up with a new MBP with a full-restore from CrashPlan.
- Corbin
Posted on 01-05-2015 09:41 AM
@corbin3ci Nice! That's what I'm talking about!
Posted on 04-29-2015 05:34 AM
@tlarkin you wrote:
"I used to build Diskwarrior, Tech Tool, ASD, and a bunch of customer diagnostic/repair scripts in my NetBoot image so techs could NetBoot and run those tools to help troubleshoot/fix computers with issues."
Where can one learn how to do this with Yosemite tools? I have exactly this need.
I used to be able to make NetBoot images years ago but these days when I try it I always get some sort of cryptic error messages. I can build great "Utility boot drives" on USB, but have been unable to convert one of those into a NetBoot Image. NetInstalls are fairly easy, but for me NetBoot hasn't worked for years.
Posted on 04-29-2015 06:28 AM
Really? While I end up using AutoCasperNBI in general... because it's easy and I can do other things instead, I've been manually building diagnostic NBIs for years without issue (All the way through 10.10.x). If you ever want to troubleshoot, let me know.
Posted on 04-29-2015 02:43 PM
PKGs and AutoCasperNBI for me, always found System Image Utility to be... "flaky"/inconsistent in behavior. Plus the NBI's that AutoCasperNBI have a lot of things (diskless, NFS) set by default, compared to the resultant ones from SIU...
Posted on 04-29-2015 03:50 PM
@yeldarb Now is a great time to try out AutoCasperNBI as I just released version 1.2.0.
@Chris_Hafner & @RobertHammen thanks for the cheerleading gents!
Posted on 04-30-2015 05:11 AM
@Chris_Hafner I saw AutoNBI but frankly it's overkill for my needs (I don't even have the prerequisites.) Looks powerful though. I just have a simple need that I would think a lot of others must have: I create a USB boot drive that contains a bunch of utilities for Mac troubleshooting and diagnostics. When I try to use System Image Utility with that drive as Source, and create a NetBoot image, it fails with "Error 2" (whatever that means.) Looking at the SIU log in Console, I see this in the middle where it fails:
Create NetBoot Image
Initiating NetBoot from installed volume.
created: /SCRATCH/TEST_NetBoot.nbi/NetBoot.dmg
update_dyld_shared_cache failed: /private/tmp/mnt.VYpQQ6KB/var/db/dyld/shared_region_roots/ does not exist, errno=2
Execution of 'createNetBoot.sh' failed. Cleaning up.
I'm probably missing something in how the Source volume must be created, but I can't find much documentation suggesting how it needs to be set up (lots of documentation for NetInstalls)
Posted on 04-30-2015 05:19 AM
@yeldarb I'll update the pre-reqs.. but it can be used to create a Restorable DMG that can then be restored to a USB.
The "createNetBoot.sh" mentioned in the error is actually the script that's mentioned as the secret sauce.
Posted on 04-30-2015 05:31 AM
Not sure what you mean Secret Sauce. I did try the suggestion mentioned in the Jan 7, 2015 12:09pm post here
https://discussions.apple.com/message/27214817#27214817
namely to edit the createRestoreFromSources.sh
line which has the 456MB padding and increase it to 2048
# Convert to MB, rounding up, and add 456MB (128+200+128)for OS level stuff...
imageSize=$(($(($(($imageSize+1023))/1024))+2048))
didn't seem to help.
To be clear, my goal isn't to create a Restorable DMG, it's to create a NetBoot that I can put on our NetBoot server, and boot that over the network to do troubleshooting instead of needing to use the USB drive. Our server already has many NetInstallers and they work fine.
Posted on 04-30-2015 05:49 AM
@yeldarb I've seen that error crop up from time to time in the past, generally on early Mavericks images. What is your specific process for creating the NBI (how do you set up your base image and capture it with SIU, etc.)? That said, I'm not sure what you mean by AutoNBI being overkill. It's like driving an automatic as opposed to a stick. Maybe you're used to the stick. In any event, this looks like an error on the unit you're using as the base for your NBI. Without knowing more the only suggestion I can make straight away is to refresh your dyld cache. Try the following command on the target machine
sudo update_dyld_shared_cache -force
and see if that helps. Again, knowing your specific process with software and OS versions would be super helpful here.
Posted on 04-30-2015 05:54 AM
@yeldarb When I said "Secret Sauce" I had hyperlinked to something explaining it: https://macmule.com/autocaspernbi/#Secret_Sauce
I'm confused as to what you want to do, one minute you're saying that you don't have the pre-requisites for AutoCasperNBI.. which are a NetBoot server.. Next post you're saying you have a NetBoot server...
AutoCasperNBI was built to simplify the process? What's missing?
Posted on 04-30-2015 06:02 AM
My apologies, I am working in several different forums and apparently I confused AutoCasperNBI with something else called AutoNBI, which does have more interesting prerequisites.
In any case, the fault seems to be in the Secret Sauce which is not going to be different if I use another tool that relies on those scripts... I see what you mean now about the Sauce.
My point is that my definition of "Simplest" would be for the Apple tool to just work. I want to understand why it doesn't. One thing I came across: others seem to have noticed that whenever capturing using SIU from an SSD drive, it tends to fail. In my case right now, all my Macs have SSD! So I guess I need to go find one that doesn't, or stick this USB boot drive image onto an actual hard drive, and try SIU from that...
(I hate Windows but I have to say that every time I dig into NetBoot stuff, I'm reminded how much easier it is to get something working PXE booting other operating systems etc.)
Posted on 04-30-2015 06:32 AM
Well, in that case, creating a .NBI with AutoCasperNBI using an installer captured through AutoDMG would solve your problem simply because you're dealing with software .dmgs and .pkgs. No additional computers required, SSD or no!
Posted on 04-30-2015 06:33 AM
OH, and it's also pretty simple to add the diagnostic tools as well. Drop their packages in AutoDMG when creating your OS, prior to running it through AutoCasperNBI. Piece of cake!
Posted on 04-30-2015 06:58 AM
Not a piece of cake if some of the diagnostic tools aren't .pkg'd. I'm not dealing with software .dmgs and .pkgs (that wasn't my original question.)
I understand what you're saying, nobody builds from "perfect masters" anymore... but rather layers from packages... blah blah. However in this case it's a little different, not making a perfect master, but a USB boot troubleshooting drive that has been perfected by several people. External boot drives are still very useful even in this day of recovery partitions and Internet Recovery etc. Especially now that there is real Mac malware screwing up students' Macs. I just want to be able to NetBoot the same thing I have on a USB drive (it's an SSD USB drive.)
Posted on 04-30-2015 07:07 AM
Fair enough. I guess you're off to find a non SSD drive then. That said, you could probably try using Composer or something like CCC to capture a .dmg from your USB drive and go that way.
Quick additional question. Are you a JAMF customer? I only ask because I don't want to make recommendations that require the suite if you're not. I'm just wondering why the creating of the USB drive itself isn't automated. Particularly if its setup is picture perfect for your needs. Being able to automate the deployment of new drives, update packages as necessary and then turn those into .nbi's on demand seems like something that might help. Again, I'm not quite sure what you're doing in specific or what you normally use.
P.S. If by chance you ARE using the Casper Suite, the present malware items out there are super simple to deal with either automatically or manually via "Self-Service" without the need for diagnostic drives and .nbis. Again, I'm sure you're using them for other things as well. I'm just trying to bring this all around full circle.
Please know that we're guessing a lot here about your situation and solutions to try helping out ;-) We tend to want to be a helpful bunch!
Posted on 04-30-2015 07:44 AM
Yes I'm very grateful for the help and suggestions... now I have a bunch of possibilities to work through!
Posted on 10-24-2017 11:41 AM
So now that the days of imaging are just about done, what are people doing for these loaner laptops? For the people who "forget to bring theirs into work" type situations. Ideally, the laptop is basically fully set up and ready to go with a bunch of commonly used applications. Do you enroll them into Jamf with generic accounts? Or do you do something else? We are also an Active Directory house.