Zero-touch deployment

arnork
New Contributor

I'm new to the Casper Suite–having inherited the installation from a coworker that has since left the company–which means I haven't been through the JumpStart.

What I'm trying to do is to set up a workflow mere mortals can follow to enroll their Macs into JSS.

I'm aware that it's possible to send out an email and that certain WiFi vendors can prompt users to enroll (and even block users who don't), but I'd like to be able to have users NetBoot to install the quickadd package before they start the built-in setup assistant for the first time.

I know I can do this with Deploy Studio, but is it possible to use the Casper Suite for this?

In DS you would create a workflow that would install a leave-behind package that would be installed on the first run, but I'm not finding that functionality in JSS.


bradtchapman
Valued Contributor II

Hello,

There's very little said about your environment, and your post describes a whole lot of Danger to Manifold moments. I have sympathy that you're taking over the job from a guy who just quit, but your knowledge of the Casper Suite product is less than your co-worker. The misuse or misunderstanding of a computer management tool can cause harm to many machines and irrecoverable loss of data in a short period of time.

  • Are you confident that 100% of your users can NetBoot and not hose their computers?
  • Are these machines configured with SSH / Remote Login enabled?
  • Is there a known hidden / service / master account (e.g.: "macadmin" )?

What is the HOLY GRAIL of No-Touch Deployment?


No, that's not it.


Sexy, but still not right.


OK this is just silly and it only rhymes with what we're looking for...

DEP.

The Device Enrollment Program created by Apple in 2014, and supported in Casper Suite since 9.3. This is the ONLY zero-touch deployment solution that can be used for a Mac that is fresh out-of-the-box, or that has been wiped and re-imaged or re-installed via the Internet.

Here's how it works: DEP requires registering machine serial numbers with Apple in advance of initial setup. It cannot be enabled after Setup Assistant has been run. When those computers connect to the Internet during the Setup Assistant, they communicate with Apple and ask if there are any "marching orders." If the computer is not enrolled in DEP, it does nothing and continues onward. If it is enrolled, then it will be instructed to contact your JSS for enrollment and further processing.

DEP requires the following pieces to work:

  1. All computers must be purchased directly from Apple or an Authorized Reseller;
  2. Individual serial numbers of managed devices must be sent to Apple;
  3. Proof of purchase must be submitted with these serial numbers;
  4. Machines submitted to DEP must be less than 3 years old;
  5. You must configure the JSS for push notifications (and much, much more!);
  6. You must set up an institutional Apple ID to use the program.

Now look... even if you don't plan to use DEP, another good reason to have an institutional Apple ID is to use Push Notifications and Configuration Profiles, which requires an Apple ID and a certificate for the server. The credentials for this ID should be kept with at least two other people in case you quit, get fired, or get hit by a big red truck.

Click here for a series of presentations about Casper and DEP. http://www.jamfsoftware.com/resources/apples-device-enrollment-program-dep-and-casper-suite-93/.

Here's Apple's document about DEP: https://www.apple.com/nz/education/docs/DEP_Guide.pdf

Since DEP might be out of the question for you right now, your next best bet is to create an enrollment package in Recon (one of the 5 utilities included in the Casper Suite). This one can be used over and over again. Make sure you know the enroll username (most Casper admins will use "enroll / enroll" since the account is most unprivileged and unimportant). If you're going to make this unattended, you might want to use Apple Remote Desktop to push the package to machines already on the network.

The alternative is to send people to https://your.jss.domain/enroll and let them download the self-enroll package. The packages obtained through this page are embedded with a one-time-use invitation code. This same procedure can be used on iOS devices, too. If you're using LDAP or Active Directory and it's tied to Casper, then entering the optional username on that webpage will make the package unique to that user and computer in the JSS (it has no bearing on Active Directory binding; that can be done later).

I hope that helps!

bradtchapman
Valued Contributor II

I would also like to take this moment to do a shameless plug for the Casper Certified training series.

If you have a strong background in Mac support and administration, and have already worked with the JSS before, then the CCT course will expose you to the essentials: enrollment, groups, policies, package composition, and Apple-specific concepts as they relate to Casper.

The CCT is much more thorough than a JumpStart class, and you will feel a whole lot more confident in being able to run the JSS yourself after taking it.

The next CCT class in Amsterdam is in December. There is a CCT class in Paris August 25-28 that still has an open slot. Good luck!

arnork
New Contributor

To answer your points…

  • I honestly highly doubt that my knowledge of Casper is "less than [my] co-worker"
  • I'm working in a test environment, entirely separate from the production installation; if I break something it's just test equipment
  • I'm therefore 100% sure I can NetBoot without hosing client computers
  • There is no hidden master account yet; the idea is to set up a test environment that enrolls the machine and makes it possible to have JSS create user accounts, install certificates in the keychain, etc.
  • DEP is nice, but isn't fully implemented yet (some countries are yet to get it…over here it is a very manual process for all involved parties)…plus it can be easily bypassed/ignored by the user.
  • I want a qualified user to be able to enroll the machine, without going through the steps of creating a user account, connecting to WiFi. That's why I'm thinking NetBoot.

So…
Can I use the Casper Suite to NetBoot a vanilla machine out of the box and install the QuickAdd package? If I do that…will the machine be enrolled and manageable in JSS?

stevewood
Honored Contributor II

@arnork the short answer is yes, you can accomplish what you are asking. And you can do it with machines fresh out of the box, or machines that come back in and need to be re-imaged.

For out of the box the way that I handle this is to utilize a Pre-Stage Imaging workflow that allows me to identify a configuration in Casper to run. The configuration identifies what packages (if any) I want to run against the machine, it identifies what hidden admin user I want on the machine, and finally enrolls the machine in the JSS and makes it manageable. At that point, I can utilize policies in the JSS that are set to trigger on "Enrollment Complete", or the way I do it is via a script that calls policies by policy ID.

Machines that come in for re-issue, the process is similar, except I wipe the drive, lay down the OS of choice (10.10.4 now), and then run similar settings to the out of box example above. You can get this to be very automated as well by using Autorun Data for your computers. However, I would caution against that if you have Casper Imaging set to run at boot on your NetBoot sets. Autorun data will cause Casper Imaging to run automatically when it is started and can cause damage to your systems.

The key to both of those scenarios is having Casper Imaging set to run on boot of your NetBoot set. While it is not a must-have item, it does make it very easy. With out-of-the-box machines, scan the serial number into the PreStage Imaging config, boot the machine from NetBoot, and wait for it to finish and enroll.

As far as connecting to wifi, adding other users, etc, you can handle that with configuration profiles and software installs.

Hope that helps answer your base question. If you have follow-ups, shoot.

roiegat
Contributor III

Some great answers here, but to add to it - I highly recommend reading the Casper Admin. I've read the whole manual several times at this point and always find something new I could be doing. Personally, I like reading manuals so it's a good read.

I would also highly recommend the JAMF training they offer. I've taken the JumpStart at our site, but I also took the CCA course and loved it. I know they have season passes which are great for companies as well.

bradtchapman
Valued Contributor II

@arnork

  • I honestly highly doubt that my knowledge of Casper is "less than [my] co-worker"
  • I'm working in a test environment, entirely separate from the production installation; if I break something it's just test equipment
  • I'm therefore 100% sure I can NetBoot without hosing client computers

I made a judgment about your skill level based on your limited posting history on JAMF Nation and lack of available experience on Google. If I have insulted you in any way, I apologize.

When you said "I'd like to be able to have users NetBoot," I didn't think you were the sole user. Casper Imaging requires authentication from a local JSS user or member of an authorized directory group, and it would have surprised me if the company employees (or students) were doing this on their own.

As mentioned above by @stevewood , the imaging process allows you to run scripts before, during, and after imaging. Casper enrollment is just one of those steps.

mm2270
Legendary Contributor III

I'll just chime in and say that if you really wanted to, you can continue to use DeployStudio in your environment, both for a thin/low touch setup and full imaging. We use it here over Casper Imaging. Nothing states you must use Casper Imaging in your environment, so don't feel obligated to use it if you are more comfortable (right now) with DS and already have a workflow that can do what you want. (Later on I would explore it and learn more about how it works though, since each tool has its own advantages)
You would just need to make sure to use a full QuickAdd.pkg created from Recon.app as mentioned above and include that in your DS workflow along with anything else you want to install before it boots up into the full OS.

Note that you would not be able to use the Pre-Stage imaging workflow that @stevewood mentions with DeployStudio since that requires Casper Imaging.app.

ega
Contributor III

Honestly the best option, when you don't have DEP, is to use Casper's Over the Air Enrollment with your directory server logins. User gets a URL, follows instructions and then uses Self Service.app to add software. We do this for brand new machines assigned to individuals. BUT I do this kind of NetBoot with Casper using First Boot Package Install Generator.app (https://derflounder.wordpress.com/2014/10/19/first-boot-package-install-generator-app/) when I need to "nuke" machines.
My workflow is to run System Image Utility.app from /System/Library/CoreServices/Applications. Create a NetInstall and customize it by adding the Automator actions "Enable Automated Installation" and "Add Packages and Post Install Scripts".
I create a First Boot Package with the Generator above that contains my QuickAdd.pkg and add it to the install with the "Add Packages and Post Install Scripts" action. Then build and put the .nbi into my NetBoot setup. This takes care of the "nuke it until it glows" case (check the format-before-install option on "Enable Automated Installation").
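A first-boot script of the kind the last two posts describe (stevewood's "script that calls policies by policy ID" and ega's first-boot package that carries QuickAdd.pkg), written here as an added example rather than code from the First Boot Package Install Generator or from JAMF. It assumes a LaunchDaemon invokes `sh /Library/Management/firstboot.sh run` once the imaged Mac boots from its own disk, that the packages sit in the assumed `STAGE_DIR` named so they sort in install order, and that `jamf` is at the assumed `JAMF` path; the NetBoot guard addresses the failure mode stevewood warns about, where something set to run at boot fires inside the NetBoot set.

```shell
#!/bin/sh
# Added example: first-boot installer for a NetInstall + QuickAdd.pkg workflow.
# Assumed paths throughout; a LaunchDaemon runs "firstboot.sh run" exactly once.
STAGE_DIR="${STAGE_DIR:-/Library/Management/firstboot}"   # assumed location
LOG="${LOG:-/var/log/firstboot.log}"
INSTALLER="${INSTALLER:-/usr/sbin/installer}"             # overridable for tests
DAEMON="${DAEMON:-/Library/LaunchDaemons/com.example.firstboot.plist}"  # assumed
JAMF="${JAMF:-/usr/local/bin/jamf}"                        # assumed binary path
POLICY_IDS="${POLICY_IDS:-}"   # space-separated JSS policy IDs to run post-enrollment

log() { printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >>"$LOG"; }

# kern.netboot is 1 when the Mac is running from a NetBoot/NetInstall set; anything
# that installs at that point acts on the wrong volume, so refuse to continue.
booted_from_netboot() { [ "$(sysctl -n kern.netboot 2>/dev/null)" = 1 ]; }

# Install every .pkg in a directory in name order and return the number of
# failures. The glob expands sorted, so 00-QuickAdd.pkg runs before 10-Tools.pkg.
install_all() {
    dir=$1; failed=0
    for pkg in "$dir"/*.pkg; do
        [ -e "$pkg" ] || continue            # no packages staged: nothing to do
        if "$INSTALLER" -pkg "$pkg" -target / >>"$LOG" 2>&1; then
            log "installed $pkg"
        else
            log "FAILED $pkg"; failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Once QuickAdd.pkg has enrolled the Mac, call follow-up policies by ID, the
# alternative to an "Enrollment Complete" trigger that stevewood mentions.
run_policies() {
    for id in $POLICY_IDS; do
        "$JAMF" policy -id "$id" >>"$LOG" 2>&1 || log "policy $id failed"
    done
}

main() {
    if booted_from_netboot; then log "booted from NetBoot; refusing to run"; return 1; fi
    install_all "$STAGE_DIR"; rc=$?
    [ "$rc" -eq 0 ] && run_policies
    rm -rf "$STAGE_DIR"; rm -f "$DAEMON"     # self-clean so it cannot run twice
    return "$rc"
}

if [ "${1:-}" = run ]; then main; fi
```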