Prestage VS Imaging. Differences?

laura_perez
New Contributor II

Hi all,

Well, I am still struggling with the difference between these 2 procedures (For MAC OS X) and which is better for what. I mean, I know the basics, like prestage is for DEP registered devices and more for when they are brand-new and imaging more for "old computers". Is there any comparison table? I'm still guessing about which one is the best for each case.

We have basically 2 scenarios:
· New computers in DEP. I think the idea is to use a Prestage enrollment policies configuration (Because you can't install software just with prestage, right?)

· "Old" computers returned by users that need a wipe a possible update to the last OS X programs configuration. So the idea would be to use imaging for a clean image or a clean image apps or, if we don't want to update the software in the image every time, we could use a plain image with the last OS X + configuration and policies to install software, is that right? (But now that I think... we still would need to enroll the computer in this situation...)

I know, I am a bit confused... And I have read some technical papers and done some tests, but still guessing about the best option... What about your scenarios?

Thanks in advance.

10 REPLIES 10

stevewood
Honored Contributor II

@laura.perez there are 4 methods of getting systems ready for use that I can think of. They are: Prestage Imaging, Prestage Enrollment, Imaging, and Autorun Data.

Prestage Imaging - used for machines that are not currently in the JSS and are not a part of DEP (although a DEP computer can be imaged with this method). You can choose a particular Configuration to apply to these machines, or you can hand pick what software you want installed. This method works by booting a particular machine off of a NetBoot or off of an external hard drive. Open Casper Imaging and the "imaging" process will begin automatically. I use imaging loosely because you do not have to be laying down an OS or any apps during this process, and instead could simply be letting Casper Imaging enroll the machine into the JSS and then allowing software to be installed via Self Service or some other method.

Prestage Enrollment - used for machines that are DEP machines. This method works hand in hand with a policy that is set to run when Enrollment Completes and does not utilize a Configuration in the JSS.

Imaging - utilzing Casper Imaging to run a configuration against a machine. I utilize this method when I need to re-deploy an old machine, a machine that is already in the JSS.

Autorun Data - useful for when you want a machine to always have the same configuration. Save the autorun data to the machine and then whenever Casper Imaging is run the Autorun data will be picked up and the machine will be imaged the same way. This is useful for lab environments where you can set the computers to reboot to a NetBoot server at a certain time in the evening to erase the drive and re-image.

I utilize a combination of the first three methods. If I have a bunch of machines to get ready, I will enter their serial numbers into a Prestage Imaging item, create a bootable distribution point on a laptop, and then Target Mode Image the machines. Works really well when you have a lot of machines to get ready quickly.

I primarily use the DEP method since all of our machines are in DEP. And then when an employee leaves the company, I will boot from an external drive, wipe the drive, ASR an OS image onto it, and then run Casper Imaging to get my first boot script on which handles installation of necessary software, etc.

Hope that helps some.

a_simmons
Contributor II

@stevewood Whats the difference between Autorun Data and Prestage Imaging? They sound like the processes are visually the same.

stevewood
Honored Contributor II

@a.simmons PreStage Imaging is only used for DEP enrolled machines and is only used with DEP.

Autorun Data is used with Casper Imaging and is used anytime Casper Imaging is opened.

They are similar in nature.

stevewood
Honored Contributor II

@a.simmons I just re-read what I wrote and I was wrong with what I just wrote. I was comparing PreStage Enrollment with Autorun Data and not PreStage Imaging.

PreStage Imaging is used for machines that have never been in the JSS, or machines that have been deleted from the JSS. When Casper Imaging runs it finds the serial number, or whatever you've put into that PreStage Imaging configuration to scope your machines to. Then the configuration that is in the PreStage will be applied to that machine.

AutoRun Data is used on machines that are already in the JSS.

Sorry for the confusion.

a_simmons
Contributor II

Thanks for that Steve.

ctarbox
Contributor

JAMF 99.101

I'm attempting to use Pre-Stage Imaging for a MacBook Pro that is NOT new and NOT in DEP or the JSS. I have wiped it and it's at the setup assistant screen. It has never been enrolled in the JSS previous to this. I have this Scoped with it's MAC address.

I'm getting hung up when, after the netboot, Casper Imaging gets to the "Looking for Autorun Data/PreStage on JSS, and then asks for my JSS credentials. It does not automatically log in to Casper Imaging.

My question is, what 'Local Account' is the PreState looking for? There is obviously no local account on the MacBook Pro. I have tried my JSS User Credentials (Active Directory Account), my JSS administrator local account on the JSS server, and my local administrator account on my Netboot set.

I'm in the timeframe of the activation period.

I can successfully Netboot and image this laptop manually, but want to get the PreState Imaging prepared for others that will be doing this task. And if I do log in manually, I do not see the PreStage Image listed with my other Configurations.

You state above that this does not have to be in DEP; JAMF Support has also told me the same thing. So if DEP is not required, am I suppose to go through the setup assistant and put a local admin account on it? Seems like that would defeat the purpose of the auto imaging. I'm not sure what else to look for.

Cheryl

Sandy
Valued Contributor II

I'm pretty sure in the Pre-Stage Imaging setup the local account in the "install" tab is the Netboot image's admin account.
This account is used to allow the computer's drive to be modified.
I believe at the time I was not able to get the "image automatically" to work, so I also created a jss user with easy-to-type name and password that ONLY had rights to image.

ctarbox
Contributor

I found where my hangup was. I found this thread (https://www.jamf.com/jamf-nation/articles/469/managing-prestage-imaging-and-autorun-imaging-workflows) regarding some changes initiated in version 9.101, that directly affect the auto login for PreStage Imaging. I had to go to: Settings --> Computer Management - Management Framework --> Security --> and untick the box: Require Login for PreStage Imaging and Autorun Imaging.

I also confirmed that my JSS administrator account used for Imaging had the correct permissions set. https://www.jamf.com/jamf-nation/articles/72/imaging-computer-permission-requirements

Cheryl

itupshot
Contributor II

@ctarbox I know this is an old thread, and you seem to have found a solution for your issue. I've been trying to figure out why PreStage Imaging is not running automatically in my environment.

As @stevewood said in his examples, we're not really "imaging" in the traditional sense since we're only using Jamf Imaging to install our software suite.

It'd be kinda nice to have the whole process run automagically, but since we name our computers based on the asset tag stickers we affix to them, we don't mind having to stop and do that. It also gives us the opportunity to make any other adjustments on the fly. My main gripe is that it doesn't seem to pick up the imaging config that was selected in the PreStage Imaging settings.

Here, our machines are on DEP, and we have the PreStage Enrollment create a local admin account in addition to the Jamf management account. When the Enrollment is done, we get that local admin account that we can log into if we need to.

Then, we netboot the computers to a volume that has Jamf Imaging installed. I figured that the local account we created during Enrollment should be the one that we're supposed to enter in PreStage Imaging. Well, it doesn't seem to automatically bypass the login screen. It could be because of that security setting that you mentioned. I just checked and it looks like the box is ticked.

Our biggest challenge is the new Retina MacBook Airs. NetBoot is not an option with these (or any new machine with the T2 chip). I'm still trying to figure out how we'll get our software installed on these machines.

stevewood
Honored Contributor II

@itupshot I think your confusing "PreStage Imaging" and "PreStage Enrollments". "PreStage Imaging" is for use only with Jamf Imaging, where as "PreStage Enrollments" are for use with DEP. If you are looking for some way to utilize DEP to enroll your computers and "image" your computers, then you will not use "PreStage Imaging" at all.

You will need to convert your PreStage Imaging setup into a policy/policies or a script. Let's say your PreStage Imaging configuration does the following:

  • Install Office, Chrome, Skype for Business, Slack
  • Set the login window settings
  • Bind computer to AD

To convert this to work with DEP and PreStage Enrollments you will want to convert all of that over to policies, scripts, and/or Configuration Profiles.

You could create installer policies for the applications that contained just the app, set to Ongoing, with a custom event trigger, update inventory selected, and scoped to All Computers. The custom event trigger could be “installchrome” for example.

Your login window settings could be done as a Configuration Profile scoped to all of your computers.

For binding you can create a policy that calls a binding configuration. This too could be set to Ongoing, scoped to all, and have a custom trigger, perhaps “bindcomputers”.

You can create a simple script that runs your application install policies in order and then bind the computer to the domain. Something like this:

#!/bin/bash

/usr/local/bin/jamf policy -event installchrome
/usr/local/bin/jamf policy -event installoffice
/usr/local/bin/jamf policy -event installskype
/usr/local/bin/jamf policy -event installslack
/usr/local/bin/jamf policy -event bindcomputer

### any other things you want to do ###

exit 0

Once you have the script, you create a policy that is scoped to either all computers or to a Smart Group that looks for PreStage Enrolled machines, with a trigger of “Enrollment Complete”. Once the computer gets through Setup Assistant and is enrolled in Jamf, this policy will kick off and start provisioning your machine.

We utilize a series of scripts to provision our systems. These scripts are contained in a single policy that is triggered by "Enrollment Complete". The first of these scripts to run presents dialog boxes for the technician to complete. The dialogs ask things like what business unit a Mac is for, who the end user is, what City the Mac will be in, and what the asset tag is. We use that information to programmatically build the Mac name, set the name, and update Jamf.

After that script the policy runs a provisioning script that installs our apps, printer drivers, and so on. Once all of the scripts are done, the computer restarts and once it is at the login window you know it is provisioned.

Hopefully that helps and is not too confusing. If you need clarification, just @ me and I’ll try to respond.