Zero Touch Deployment on Mac OS

jpeters21
Contributor II

Just wondering from those that have gone zero touch on MacOS devices, are all of your users then local admins? Just in the work flows I have tested, the person setting up the device is a local admin. Yes I realize that could likely be scripted post setup to change memberships, but was wondering what others were doing. Not to say its that much of an issue at my organization, we do not have the need to drop ship new devices, and set up is down to just a couple hands on steps. 

1 ACCEPTED SOLUTION

sujal1208
New Contributor III

We haven't used FireVault yet so we don't have a hidden management account but we use PreStage, create an Admin account and have the user be presented with the local account option from PreStage that are standard accounts. 

 

No one has complained regarding admin rights as we can install the apps via policy or tell them to install it via self service. No Need to remote in and do it manually. Also, all apps we need for our company is always there on self service.

View solution in original post

5 REPLIES 5

sujal1208
New Contributor III

We haven't used FireVault yet so we don't have a hidden management account but we use PreStage, create an Admin account and have the user be presented with the local account option from PreStage that are standard accounts. 

 

No one has complained regarding admin rights as we can install the apps via policy or tell them to install it via self service. No Need to remote in and do it manually. Also, all apps we need for our company is always there on self service.

I must have missed in pre-stage enrollment were you can make that a standard account.. every thing makes sense now.😋 Yea I took the same approach of making everything available through self service that I could (only thing left out so far is UDK due to size), about 50/50 split of those who love the approach and did not even notice they were not local admins, and the ones that are going to complain regardless about any change... but so the way when you work in technology. thanks for the input 

sujal1208
New Contributor III

people complain regardless but there isn't really a need for admin account unless you are developer and maybe (this is pushing the line), marketing. 

Marketing was the first to go, the most vocal and really the easiest ones to ensure they could do their job with out admin rights.... devs I am working on a couple yet but I may just go the route of some sanbox vms.. only concern being esxi for arm seems lacking a bit. 

sujal1208
New Contributor III

If it becomes a hassle, you can always set configuration profiles on denying access to certain apps.

We are currently testing the restricted apps like terminal on non-devs. We also grayed out profile panes in additional making MDM non-removal for better security in terms of removal of the profiles.