Seeking Answers + Feedback RE: My Pre-Onboarding + Onboarding Flow


I'm just trying to iron out a few remaining kinks in my flow and I'd love to hear any feedback regarding it, or advice from folks who have "been there."

  1. I fire up a new machine (typically DEP nowadays) and go through the setup assistant. I create the user (Firstname Lastname, firstnamelastname) and a simple "first time password." (Side note, I really wish I could skip the password requirement here for reasons that you will read shortly, so if anyone has suggestions...)
  2. I fire up Self Service and launch DEP Notify. (Really, I don't do this, but my remote folks who manage endpoints at my various locales do.) My floor team enters a new computer name (assettag-Firstname-Lastname) and a few other fields. Then they go grab a coffee while my scripts take over.
  3. I install Chrome, and I (attempt to) configure Chrome to be the default browser and suppress all first-time banners (still a work-in-process, hoping for a fix).
  4. I install Google FileStream. A few issues here with Apple's "untrusted developers" that I would hope to override, but PPPC doesn't seem to be doing the trick for this one.
  5. I install Slack.
  6. I install Umbrella Roaming Client.
  7. I install our OneLogin Desktop PLIST which pre-configs Desktop, and then I install OneLogin Desktop.
  8. I install Dockutil, and then I configure the Dock --- removing items, highlighting others.
  9. I do a quick JAMF RECON to send all the updates over to my JSS.
  10. And last, but not least, I attempt to take the very simple password that was set earlier and set it to blank. Nothing. Empty.

Why?!? Because when we hand the laptop off to the new hire on their first day I want THEIR flow to look like this:

  1. They fire up their new machine and log in by only having to click their avatar. (First-day passwords are annoying and, for whatever reason, oftentimes stressful for the new hire. Is what it is...)
  2. Then, the very first thing they do is log into OneLogin Desktop. They enter their first-day ONELOGIN password, are prompted to change it to something only they know, and after updating it (and setting up 2FA) OneLogin Desktop kicks in and syncs THAT password to their machine --- meaning their OneLogin password and device password will always be in sync.
  3. They then click "Launch OneLogin Portal" for the tray app and, ideally, OneLogin launches with CHROME.

If we could address the default browser and no temp password issues, man, I feel like I would have made onboarding great again. Any ideas, or am I just crazy for wanting a flow like this?


Valued Contributor III

Why not have it all just kick off automatically after Apple's three mandatory clicks during Setup?
Then right at the very end you go to Self Service, click one icon and enter the user the device is for, which kicks off account creation, passwording etc.
Better yet, if you have an asset database of devices and users, work out a way for it to read that list and do the account automatically as well (we had an in-house solution for this with a web API).
I've never used DEP notify, but you can easily enough blank out the setup process with a simple jamfhelper call if need be.