Rethinking the way I deploy macOS systems

Take a look at this post for some ideas.

@msnowdon We actually just changed this process this past year and it works really well for us.

We have a series of post-enrollment policies we have run via custom trigger (ex. sudo jamf policy -event autoname). Our setup is that our first policy runs a script (https://gist.github.com/haircut/1debf91078ce75612bf2f0c3b3d99f03#file-rename-computer-py) which grabs a CSV file from a local web server (although this can also be a Google Sheet: https://www.macblog.org/post/automatically-renaming-computers-from-a-google-sheet-with-jamf-pro/) with all our computer serial #s and desired hostnames. It downloads the file and looks for the matching hostname based on the computer's serial number.

We have a script that runs at the end of this first policy to make sure the computer hostname matches what's listed in the downloaded file so, if this auto naming fails or just simply isn't listed in the CSV because we forgot to add it, another policy is triggered which prompts us to manually set the hostname.

Supposing the hostname was listed in the CSV to begin with, that end of policy script finishes by running another policy via custom trigger (ex. sudo jamf policy -event bind) to then bind the machine. The naming of the computer and binding steps have to be done via different policies, otherwise Jamf won't pull the updated computer hostname.

This does require some extra setup on the backend, but makes wiping and redeploying a machine a much smoother process.

If you want more specifics about our workflow I can see about sharing.

You can rename the computer before binding it to Active Directory depending on how you bind it. Is that with a configuration profile or a policy? It can just be a matter of making your device name policy happen before binding. (Your device name could be as simple as using the serial number, use Jamf variables like username or asset tag, or you could use a pre-defined name method like aporlebeke described.

I think in a lab a mobile accounts are less of a concern since the computer will arguably always be able to talk to the domain controller. They aren't mobile of course.

For the password trust interval, at least set it to match the domain's setting, whether that is zero or not. You can set that with GPO either globally a specific OU.

All excellent ideas...in response to the naming, the way I got ours perfect (per our existing computer naming conventions we've used for literally 20 years) is to use scripting. With scripting you just have to set the variable $FullComputerName to what you want it to be.

scutil --set ComputerName "$FullComputerName"
scutil --set LocalHostName "$FullComputerName"
scutil --set HostName "$FullComputerName"

In our case we use <building cost code>-<asset tag of device> and append the word Mac at the end for the AD admins benefit. I have an AppleScript prompt that asks for the tag number and another that offers the users a human-readable building name and converts that to the building cost code. I define variables with that user input and define the $FullComputerName variable by piecing building cost code and asset tag together.

I won't lie...you are in for fun...getting off imaging was difficult but the way I did it was a suite of about 3-4 scripts and policies I cobbled together with Jamf Nation help that does everything in the right order I want it for our environment. I'm looking this year at cleaning up my scripts to rely more on technologies such as DEPNotify and Ceremony (a successor to SplashBuddy) to make my lame AppleScript windows look more professional. I have not had to fire up Jamf Imaging since then though I miss the easy to set up Configs.

Thanks for the ideas. I was planning on using the AD binding option in the Pre-Stage Enrollment. We also have a specific naming convention based on the computers inventory control number that is assigned once we receive it. Im not sure if its possible to get it to stop and prompt a user to enter in any information that can be used in a script unless I dont bind it during enrollment and have a policy or 2 to run afterwards.

@cbrewer That post is exactly what I was looking to do. Seems like you may have the answer to entering the name during Pre-Stage Enrollment. I'll take a look at some of the different scripts being used.

When it comes to providing feedback at the desktop after Setup Assistant runs, asking for information from the computer prepper etc. A lot of methods have been superseded by DEP Notify. I myself used to have my own which I've stopped using.

DEP Notify is a small open source app (happens to support multiple MDM) and allows displaying progress bars, etc based on actions Jamf is running and it can run full screen or windowed. It can also ask for input like computer name, dept, etc. DEPNotify-Starter is an open source script and policy how to from Jamf that makes it super quick and easy to get started with DEP Notify in your environment and tailor it to your needs.

@adamcodega I'll take a look at that as well. It feels like everything I knew is now obsolete and Im starting all over again.

I have a simple policy to update the computer sharing name to match what is in Jamf Pro. Works a treat. It just runs once a day as part of the check-in.