Rethinking the way I deploy macOS systems

msnowdon
Contributor

Hi, for the first time in a few years now we are purchasing more MacBooks. With the new T2 chip, Fusion drives, Recovery drives, APFS, etc., imaging doesn't seem to be an option anymore. We use Pre-stage Enrollments for mobile devices but I never used it for computers, but that may be the direction I want to head in.

The setup seems to be pretty straightforward. I'm assuming you take them out of the box, boot them up, they get enrolled and I'm back in business.

I have a couple of questions though.

Is there any way to name the computers prior to them getting bound to AD?

I've always enabled mobile accounts but is it necessary for lab machines that don't leave the building? I hate seeing the buildup of mobile accounts after a school year is completed.

Also, what should the Password Trust Interval (computer trust account password) be set to? I've read different things in the past about how setting it to 0 will help prevent the computers from falling off the domain. Or should it be set to the same as PCs, which I believe is 30 days?

Any other advice or recommendations are appreciated. I have not kept up to date with my macOS knowledge, but as I read through all the changes that have been made it seems like I can't even upload a dmg of the OS and have Deploy Studio image/install it anymore. Seems like NetBoot is gone with the T2 chip and Recovery drives are not created correctly. Seems like with every new version of macOS, Apple has made deploying Macs harder.


cbrewer
Valued Contributor II

Take a look at this post for some ideas.

apizz
Valued Contributor

@msnowdon We actually just changed this process this past year and it works really well for us.

We have a series of post-enrollment policies we have run via custom trigger (ex. sudo jamf policy -event autoname). Our setup is that our first policy runs a script (https://gist.github.com/haircut/1debf91078ce75612bf2f0c3b3d99f03#file-rename-computer-py) which grabs a CSV file from a local web server (although this can also be a Google Sheet: https://www.macblog.org/post/automatically-renaming-computers-from-a-google-sheet-with-jamf-pro/) with all our computer serial #s and desired hostnames. It downloads the file and looks for the matching hostname based on the computer's serial number.

We have a script that runs at the end of this first policy to make sure the computer hostname matches what's listed in the downloaded file so, if this auto naming fails or just simply isn't listed in the CSV because we forgot to add it, another policy is triggered which prompts us to manually set the hostname.

Supposing the hostname was listed in the CSV to begin with, that end of policy script finishes by running another policy via custom trigger (ex. sudo jamf policy -event bind) to then bind the machine. The naming of the computer and binding steps have to be done via different policies, otherwise Jamf won't pull the updated computer hostname.

This does require some extra setup on the backend, but makes wiping and redeploying a machine a much smoother process.

If you want more specifics about our workflow I can see about sharing.

adamcodega
Valued Contributor

You can rename the computer before binding it to Active Directory depending on how you bind it. Is that with a configuration profile or a policy? It can just be a matter of making your device name policy happen before binding. (Your device name could be as simple as the serial number, could use Jamf variables like username or asset tag, or could use a pre-defined name method like aporlebeke described.)

I think in a lab mobile accounts are less of a concern since the computer will arguably always be able to talk to the domain controller. They aren't mobile, of course.

For the password trust interval, at least set it to match the domain's setting, whether that is zero or not. You can set that with GPO, either globally or on a specific OU.

blackholemac
Valued Contributor III

All excellent ideas... in response to the naming, the way I got ours perfect (per our existing computer naming conventions we've used for literally 20 years) is to use scripting. With scripting you just have to set the variable $FullComputerName to what you want it to be.

FullComputerName="..."   # placeholder: built from the prompts described below

scutil --set ComputerName "$FullComputerName"   # user-facing name shown in Sharing
scutil --set LocalHostName "$FullComputerName"  # Bonjour name (letters, digits, hyphens only)
scutil --set HostName "$FullComputerName"       # name returned by hostname(1)

In our case we use <building cost code>-<asset tag of device> and append the word Mac at the end for the AD admins' benefit. I have an AppleScript prompt that asks for the tag number and another that offers the users a human-readable building name and converts that to the building cost code. I define variables with that user input and define the $FullComputerName variable by piecing building cost code and asset tag together.

I won't lie... you are in for fun... getting off imaging was difficult, but the way I did it was a suite of about 3-4 scripts and policies I cobbled together with Jamf Nation help that does everything in the right order I want it for our environment. I'm looking this year at cleaning up my scripts to rely more on technologies such as DEPNotify and Ceremony (a successor to SplashBuddy) to make my lame AppleScript windows look more professional. I have not had to fire up Jamf Imaging since then, though I miss the easy-to-set-up Configs.
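The two naming approaches above (apizz's serial-to-hostname CSV lookup followed by a separate bind policy, and blackholemac's composed cost-code/asset-tag name) as one added example script, not code from either poster. The CSV rows, serial numbers, cost code and asset tag are constructed; the script checks a candidate name against what LocalHostName accepts before handing it to scutil, so a mistyped or tampered CSV row from the web server never reaches the shell.

```sh
#!/bin/sh
# Added example (not the thread's own code): the rename-then-bind flow apizz
# describes, with blackholemac's composed-name fallback and a hostname check.

# Constructed stand-in for the serial,hostname CSV the rename policy downloads.
SAMPLE_CSV='serial,hostname
C02SAMPLE001,LIB-1001-Mac
C02SAMPLE002,SCI-2044-Mac
C02SAMPLE003,bad name;rm'

# Print the hostname mapped to serial $1 from CSV text on stdin (empty if none).
# Exact match on column 1, header skipped, stray CR from a Windows-saved file dropped.
lookup_hostname() {
    awk -F',' -v s="$1" 'NR > 1 && $1 == s { sub(/\r$/, "", $2); print $2; exit }'
}

# Accept only what LocalHostName allows: letters, digits, hyphens, 1-63 chars.
# Anything else (spaces, shell metacharacters from a tampered row) is refused.
valid_hostname() {
    case "$1" in
        ''|*[!A-Za-z0-9-]*) return 1 ;;
    esac
    [ "${#1}" -le 63 ]
}

# Compose <building cost code>-<asset tag>-Mac, the convention blackholemac uses.
compose_name() {
    printf '%s-%s-Mac' "$1" "$2"
}

# Set all three names with scutil, then fire the separate bind policy so Jamf
# picks up the new name first. macOS-only steps are skipped where tools are absent.
apply_name() {
    valid_hostname "$1" || { echo "refusing invalid hostname: $1" >&2; return 1; }
    if command -v scutil >/dev/null 2>&1; then
        scutil --set ComputerName "$1"
        scutil --set LocalHostName "$1"
        scutil --set HostName "$1"
    fi
    command -v jamf >/dev/null 2>&1 && jamf policy -event bind
    return 0
}

# Stand-alone run. SERIAL defaults to a constructed value; on macOS use e.g.
#   ioreg -l | awk '/IOPlatformSerialNumber/ { print $4 }' | tr -d '"'
serial="${SERIAL:-C02SAMPLE001}"
name=$(printf '%s\n' "$SAMPLE_CSV" | lookup_hostname "$serial")
[ -n "$name" ] || name=$(compose_name "${COST_CODE:-0000}" "${ASSET_TAG:-00000}")
apply_name "$name" && echo "computer name set to $name"
```

In a real policy the CSV should be fetched over HTTPS from the internal server and written to a root-owned temp file before lookup, since whoever can edit that file chooses the hostname that ends up in AD.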

msnowdon
Contributor

Thanks for the ideas. I was planning on using the AD binding option in the Pre-Stage Enrollment. We also have a specific naming convention based on the computer's inventory control number that is assigned once we receive it. I'm not sure if it's possible to get it to stop and prompt a user to enter in any information that can be used in a script unless I don't bind it during enrollment and have a policy or 2 run afterwards.

msnowdon
Contributor

@cbrewer That post is exactly what I was looking to do. Seems like you may have the answer to entering the name during Pre-Stage Enrollment. I'll take a look at some of the different scripts being used.

adamcodega
Valued Contributor

When it comes to providing feedback at the desktop after Setup Assistant runs, asking for information from the computer prepper, etc., a lot of methods have been superseded by DEP Notify. I myself used to have my own, which I've stopped using.

DEP Notify is a small open source app (it happens to support multiple MDMs) that allows displaying progress bars, etc. based on actions Jamf is running, and it can run full screen or windowed. It can also ask for input like computer name, dept, etc. DEPNotify-Starter is an open source script and policy how-to from Jamf that makes it super quick and easy to get started with DEP Notify in your environment and tailor it to your needs.

msnowdon
Contributor

@adamcodega I'll take a look at that as well. It feels like everything I knew is now obsolete and I'm starting all over again.

raven_dover
New Contributor III

I have a simple policy to update the computer sharing name to match what is in Jamf Pro. Works a treat. It just runs once a day as part of the check-in.
