Zero Touch Deployment

sharif_khan
Contributor II

Hi 

Can anyone suggest how I can implement 100% zero-touch deployment for Mac devices on our on-prem Jamf Pro instance? Has anyone here implemented that successfully? Also, the Macs are bound to the domain so users can use their AD accounts, so we set up our LDAP server in Jamf Pro. In this situation I need suggestions on how integrating Intune with Jamf Pro would impact us, given that we didn't integrate our Azure AD with Jamf Pro. I know it is a little complex, but any suggestion is appreciated.


jcarr
Release Candidate Programs Tester

Integrating local LDAP with your on-prem Jamf Pro should be an issue since both systems are on your network.  Using Azure AD is a common choice for those with cloud hosted Jamf Pro since both are in the cloud and don't have to contend with your firewall.


As an aside, what do you get from binding that you don't get from the Kerberos SSO extension?  I find it causes more headaches than it's worth for mobile devices.  With authenticated enrollment, you can force the local user's full and short names to match the directory, and with the SSO extension, the local account password will sync with the AD password, and users will get the TGT when on your network.

We integrate with LDAP because that way users log in on their machine.

jcarr
Release Candidate Programs Tester

I can see that for stationary, shared use devices (e.g. iMac in a common area), but if these are 1:1 devices, my original question still holds... What do you get from binding that you don't get from the Kerberos SSO extension?

sdagley
Esteemed Contributor II

What @jcarr said about using Kerberos SSO... You do _not_ want to bind your Macs to AD if they'll only have a single user. Kerberos SSO will provide synchronization between a Mac user's local account password and their AD password, and it will generate Kerberos tickets for authentication.

When it comes to scripting the actual device enrollment there are several different tools that can be used. Simplest is probably the combination of DEPNotify and DEPNotify-Starter (the latter is a script you'd customize for your environment and call from a Jamf Pro policy triggered on enrollment complete). Googling DEPNotify will turn up several tutorials on YouTube.

A new entry in this category is the combination of swiftDialog and Setup Your Mac, but as provided the latter script is designed to be manually initiated via Self Service after the user has enrolled their Mac, and you may prefer the automatic trigger approach of DEPNotify-Starter.

sharif_khan
Contributor II

But how will users access the Jamf instance from home, whereas my Jamf Pro is on prem and behind a DMZ? And during the Remote Management screen they have to authenticate with their AD credentials. Will that be taken care of by the Intune integration and the Microsoft SSO extension? If yes, can anyone share the full workflow?

jcarr
Release Candidate Programs Tester

How do your users access resources inside your firewall now?  When users are off-site, the Jamf framework will operate in offline mode until the instance can be reached (i.e. when the user connects the VPN).


This does present a chicken/egg problem for device provisioning (another reason many orgs opt for cloud hosted services), but once devices are provisioned on-site, off-site operation should not be a problem.

TheAngryYeti
Contributor

@sharif_khan - a few things here - your Pro instance and distros will need to be accessible to the outside if you want users off-prem to be able to set up a machine, and your LDAP would need to be publicly accessible as well. The way around this is to leverage SSO for enrollment/registration and have it pull the LDAP info over from the directory. Since you are on-prem you will not be able to use AzureAD as a directory. Intune and SSO extensions have no play in the setup of a Mac; they are used for compliance and convenience respectively. I can give you a full rundown on how to accomplish this if you would like.

I misspoke, and got ahead of myself - LDAP just needs to remain visible to Jamf Pro. It's the AD binding part that would need to see a DC in order to log in and be usable, as AJ points out below. Other modifications to AJ's workflow could include SSO customization, or the Kerberos extension to keep the local account in sync without a bind to AD.

@TheAngryYeti yes, you are right, our DC part is in Jamf, which binds the machine and lets users log in with their LDAP.

AJPinto
Honored Contributor II

The JAMF part is easy, it's the Microsoft part that gets sloppy. For JAMF you need a cloud distribution point, and to move your JAMF instance to the DMZ and get a second JAMF Pro Web App on an external server.


Active Directory is an outdated solution and designed for on-prem, tech-assisted configurations. You can script domain binding, but the device still needs to be on prem. Apple has been saying to stop domain binding for years now. Azure and Microsoft Endpoint Manager should not be too bad, but the support Microsoft offers for macOS is garbage.


The Automated Device Enrollment workflow would look like this.

  • Mac is pointed to your JAMF instance, which is open internet, by Apple during activation.
  • Users would log in with their LAN accounts to enroll the Mac. JAMF can see AD to authenticate the users.
  • Your PreStage would take over and install any configuration profiles and packages (assuming you have a cloud distribution point).
    • If the user is on prem you can domain bind with a script and they can log in to mobile accounts.
    • If the user is off prem you can't domain bind, nor can they log in with a mobile account even if the device is domain bound, as the Mac can't see the domain controller. You need to find a modern IdP solution like JAMF Connect.
  • User logs in to macOS using their LAN credentials.
  • User logs in to the Company Portal to register the Mac with Azure (Intune) (assuming Azure is open internet if the Mac is off prem).


This doc covers how to open internet an on prem JAMF instance.

https://docs.jamf.com/technical-articles/Installing_a_Jamf_Pro_Web_Application_in_the_DMZ.html?hl=dm...

roiegat
Contributor III

I think we need a bit more information here. Like, do you guys use Apple Business Manager? Volume Purchasing Program? APNS set up? Jamf Connect? Because that will determine some things in JAMF settings.

There are some great suggestions already... but I'll add my 3 cents. Ideally have an authentication method for the user... AD works. Assuming you have everything above, here's how in theory it would work:

  1. User gets the Mac and opens it up... logs into Wi-Fi.
  2. Wi-Fi connects to Apple, which tells it the URL of the MDM.
  3. MDM authenticates the user and creates the account.
  4. (If you don't have JAMF Connect, the user might need to input a password here.)
  5. At the desktop, the EnrollmentComplete trigger should fire off from JAMF. This is where you set up something fancy with swiftDialog or any of the other options. Ideally you want to have your user blocked from doing anything on the Mac until it's complete.
  6. All the apps and settings get installed, and then force the user to log out to activate FileVault.

We're on prem and have a very similar solution to this. But we also use SSO. I highly recommend using Dan Snelson's great Setup Your Mac:
https://snelson.us/2023/01/setup-your-mac-via-swiftdialog-1-6-0/

As a side rant... I really don't like the term zero touch. If it were truly zero touch I would be able to open my Mac and everything would already be done. But alas, fancy terminology. I prefer to call it Light Touch Deployment.
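As an added example (not code from this thread, from Jamf, or from any of the posters), here is the shape of an Enrollment Complete policy script that combines AJPinto's on-prem / off-prem branch with roiegat's step 5: wait until a real user is at the desktop, bind only when a domain controller actually answers, and otherwise skip the bind rather than leave the user with a mobile account that cannot authenticate. The domain name, the custom trigger names and the log path are placeholders; the directory bind itself is delegated to a separate Jamf policy carrying a Directory Binding payload so no AD credentials live in the script.

```shell
#!/bin/sh
# Added example for the Jamf Pro "Enrollment Complete" trigger (not from the thread).
# Placeholders: AD_DOMAIN resolves to your DCs; BIND_EVENT / ONBOARD_EVENT are
# hypothetical custom triggers on policies that do the bind and start the onboarding UI.
AD_DOMAIN="${AD_DOMAIN:-corp.example.com}"
BIND_EVENT="${BIND_EVENT:-ad-bind}"
ONBOARD_EVENT="${ONBOARD_EVENT:-onboarding}"
LOG=/var/log/enrollment-complete.log

# Setup Assistant owns the console as _mbsetupuser; loginwindow means nobody is
# logged in yet. Returns 0 only when a real user is at the desktop.
console_user_ready() {
    case "$1" in
        ""|loginwindow|_mbsetupuser|root) return 1 ;;
        *) return 0 ;;
    esac
}

# Decide what to do about Active Directory, given
#   $1 = yes/no: a domain controller answers on the network
#   $2 = yes/no: the Mac is already bound
bind_action() {
    case "$1:$2" in
        yes:no)  echo bind ;;   # on prem and unbound: run the bind policy now
        yes:yes) echo keep ;;   # on prem and already bound: nothing to do
        no:yes)  echo warn ;;   # bound but off prem: mobile-account logins will fail
        *)       echo skip ;;   # off prem: never attempt a bind, rely on the IdP instead
    esac
}

# A DC must answer Kerberos (TCP 88) for a bind or a mobile-account login to work.
dc_reachable() {
    if nc -z -w 3 "$1" 88 >/dev/null 2>&1; then echo yes; else echo no; fi
}

run() {
    while ! console_user_ready "$(stat -f '%Su' /dev/console)"; do sleep 5; done
    if dsconfigad -show 2>/dev/null | grep -q 'Active Directory Domain'; then bound=yes; else bound=no; fi
    action=$(bind_action "$(dc_reachable "$AD_DOMAIN")" "$bound")
    echo "$(date -u '+%FT%TZ') bound=$bound action=$action" >>"$LOG"
    case "$action" in
        bind) /usr/local/bin/jamf policy -event "$BIND_EVENT" ;;
        warn) echo "DC unreachable: bind left alone, local password login only" >>"$LOG" ;;
    esac
    /usr/local/bin/jamf policy -event "$ONBOARD_EVENT"   # swiftDialog / DEPNotify front end
}

# Jamf passes mount point, computer name and user as $1-$3; set script parameter 4
# to "--run" in the policy so the macOS-specific part only executes on the Mac.
case "${4:-}" in --run) run ;; esac
```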