Posted on 10-20-2016 02:21 AM
When enrolling a Mac via a QuickAdd.pkg, are there any downsides of using one generated via Recon vs one from User-Initiated Enrollment where said user needed to put in their LDAP creds to download the package? I have about 30 Macs in the org that aren't connected to our DEP so would need to associate them via a QuickAdd.
Am I simply losing out on associating a Mac with a user (via LDAP) when I go the Recon created route? Assuming I can find a way to get this info at a later date?
edit: Added some additional information below to clarify
Posted on 10-20-2016 03:53 AM
I find that when using user-initiated enrolment, they don't need to put in their LDAP credentials anyway.
Once the Macbook has been enrolled, the user information can be found. It will be listed within "local user accounts".
So I find that the benefits of Recon Quickadd.pkg vs user-initiated enrolment are:
Quickadd.pkg:
- No need to type in the Casper credentials each time.
- End users don't need many instructions, they just double click on the pkg (they do need to type in their admin password).
User-initiated enrolment:
- If Casper JSS ever gets upgraded, you don't need to recreate a new quickadd.pkg file
- You don't need to send anyone a file, you just send them a URL (https://url/enrol) and some instructions. (Great for users that are not even within the same LAN)
Posted on 10-20-2016 05:27 AM
Both User-Initiated and Recon QuickAdd packages have their own advantages.
The advantage of User-Initiated Enrolment is that the user details are added to the User and Location tab of the device in Casper Admin (if the user elects to add their username!).
The advantage of using the QuickAdd package from Recon is that it allows for multiple computer enrolments (ability to use the same QuickAdd package for multiple computers)
Posted on 10-20-2016 04:16 PM
Just to add a bit more context to my post: as I have Macs in the org that fall under DEP and some that don't, I needed an easy way to determine which way to enrol a given Mac without having to ask for its SN, so I created the following script that is run within a pkg:
```bash
#!/bin/bash
# Read this Mac's serial number from the I/O Registry
SN=$(ioreg -l | grep IOPlatformSerialNumber | cut -d'"' -f4)
# Serial numbers that are in our DEP account
DEP=("C02PNXXXXXX1" "C02PNXXXXXX2" "C02PNXXXXXX3")

# Compare whole serial numbers. A substring match against the joined list
# would send an empty or partial serial down the DEP branch.
IS_DEP=false
for KNOWN in "${DEP[@]}"; do
  if [[ -n "$SN" && "$KNOWN" == "$SN" ]]; then
    IS_DEP=true
  fi
done

if [[ "$IS_DEP" == true ]]; then
  echo "DEP Mac"
  echo "Removing files preceding restart to trigger DEP Enrollment"
  # Removes Meraki MDM profile if already currently installed
  profiles -R -p com.meraki.sm.mdm
  # Removes .AppleSetupDone file. If .AppleSetupDone isn't present at boot
  # the Mac will step through the Setup Assistant. This is used to enroll
  # the Mac into the Casper JSS via MDM/DEP + install QuickAdd.pkg
  rm /var/db/.AppleSetupDone
  # Removes any additional Config Profiles
  rm -rf /var/db/ConfigurationProfiles/
  # Removes Apple push services daemon, per-user MDM values, etc
  rm /Library/Keychains/apsd.keychain
else
  echo "Non DEP Mac"
  echo "Removing Meraki MDM"
  # Removes Meraki MDM profile if already currently installed
  profiles -R -p com.meraki.sm.mdm
  echo "Running QuickAdd.pkg"
  # Install QuickAdd package
  installer -pkg QuickAdd.pkg -target /
fi
```
This checks to see if the Mac it's run on has a SN that is in our DEP account and if that's the case, will remove some files and prompt the Mac to reboot which will run the setup assistant again. The PreStage that is associated with these Existing devices skips all setup steps, doesn't create a new user account (only mgmt one), and prompts the user to enter their LDAP creds in order to complete the enrolment.
If the Mac has a SN that isn't listed in the script, it will proceed to run a QuickAdd.pkg that I generated from Recon.app. Given this isn't a QuickAdd from the User-Initiated Enrolment web page where I prompt for LDAP creds, I'm assuming the only thing I miss out on are pre-filling in information in the User and Location section of the JSS. The Macs aren't bound to AD so other than running a User-Initiated QuickAdd, is there another way to feed the User and Location info into the JSS?
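
The serial check that picks between the two branches in the script above, as an added example that is not part of the original post: it makes the decision without touching the system, so an unreadable or partial serial can be seen to stay out of the branch that deletes profiles and setup state. The function names, the 8 to 14 character length bound and the sample `ioreg` line are assumptions; the serials are the placeholders from the post.

```bash
#!/bin/bash
# Added example: dry-run routing decision, no files or profiles are changed.

# Extract the serial from `ioreg -l` style text on stdin.
parse_serial() {
  awk -F'"' '/"IOPlatformSerialNumber"/ { print $4; exit }'
}

# enrollment_path SERIAL DEP_SERIAL...
# Prints "dep", "quickadd", or "abort" when the serial is missing or malformed.
enrollment_path() {
  sn=$(printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]')
  shift
  # Empty serial or any character outside A-Z/0-9: refuse to decide.
  case "$sn" in
    ''|*[!A-Z0-9]*) echo abort; return 0 ;;
  esac
  # Length bound is an assumption, wide enough for the placeholder serials.
  [ "${#sn}" -ge 8 ] && [ "${#sn}" -le 14 ] || { echo abort; return 0; }
  for known in "$@"; do
    # Whole-string comparison: a prefix of a DEP serial does not match.
    if [ "$known" = "$sn" ]; then echo dep; return 0; fi
  done
  echo quickadd
}

# Constructed sample line in the shape `ioreg -l` prints.
SAMPLE_IOREG='    |   "IOPlatformSerialNumber" = "C02PNXXXXXX2"'
# Placeholder DEP serials from the post, space separated.
DEP_SERIALS="C02PNXXXXXX1 C02PNXXXXXX2 C02PNXXXXXX3"

SN=$(printf '%s\n' "$SAMPLE_IOREG" | parse_serial)
# $DEP_SERIALS is left unquoted on purpose so it splits into one argument per serial.
echo "parsed serial $SN -> $(enrollment_path "$SN" $DEP_SERIALS)"
echo "empty serial -> $(enrollment_path "" $DEP_SERIALS)"
echo "partial serial C02PNXXXXXX -> $(enrollment_path "C02PNXXXXXX" $DEP_SERIALS)"
```

On a real Mac the input to `parse_serial` would be the output of `ioreg -l`, and the `abort` result would stop the package script before either branch runs.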