Posted on 09-09-2019 11:45 AM
Hey Guys,
Are any of you doing zero touch, and I mean completely zero touch?
What are you doing for Filevault encryption?
Currently we have our IT team receive and set up the machine, then deliver the machine and wait for the user; we unlock the drive and set up the new user.
Is there a way to deliver the machine directly to the user and not have to unlock the drive, and at the same time have our admin account added to the machine later via a script or something?
Posted on 09-09-2019 12:07 PM
We did zero touch where I used to work and it was pretty seamless (our IT management still wanted us to sit with users and go through the DEP process with them).
AFAIK, Filevault can be enabled via policy so the machine will enable when the user logs in for the first time. Others here may have a bit more details though.
Posted on 09-09-2019 01:20 PM
Hey there!
Filevault zero touch might require you to use a certificate or a global recovery key.
Posted on 09-09-2019 02:11 PM
There are two options:
1: Don't enable filevault2
2: At first login the user is admin so gets the Secure Token by default, then a script kicks in to downgrade the account on log out (which is required by one or more 'updates'). I use dsconfigad groups add "All Staff" to the admin group then update this afterwards.
3: Deploy to user and don't have an admin account with FV2 permissions!
I have tested 2 and it did work but I haven't deployed it to production yet as zero touch is a bit of an alien concept here though I've been doing it on iPad for over a year...
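An added example (not the poster's script, nor Jamf's) of the downgrade step in option 2 written defensively: it only drops the account out of the admin group once the user actually holds a Secure Token and FileVault reports On, so a machine is never left encrypted with no token-holding user. Assumes macOS with `sysadminctl`, `fdesetup` and `dseditgroup`; the account name is a placeholder, and the parsing helpers are kept separate so they can be checked against sample output off the Mac.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a recent macOS with
# sysadminctl, fdesetup and dseditgroup available.

# Parse the text `sysadminctl -secureTokenStatus <user>` writes (it
# reports on stderr); return 0 only when the token is ENABLED.
has_secure_token_output() {
    case "$1" in
        *"Secure token is ENABLED"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Parse `fdesetup status` output; return 0 only when FileVault is On.
filevault_on_output() {
    case "$1" in
        *"FileVault is On"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Safe to demote only when both conditions hold.
ready_to_demote() {
    has_secure_token_output "$1" && filevault_on_output "$2"
}

# Remove the user from the local admin group, but only when the
# readiness checks pass; refuses to run on anything but macOS.
demote_user() {
    user="$1"
    if [ "$(uname)" != "Darwin" ]; then
        echo "not macOS; skipping demotion of $user" >&2
        return 1
    fi
    token_out=$(sysadminctl -secureTokenStatus "$user" 2>&1)
    fv_out=$(fdesetup status 2>&1)
    if ready_to_demote "$token_out" "$fv_out"; then
        dseditgroup -o edit -d "$user" -t user admin
    else
        echo "$user not ready: Secure Token or FileVault missing" >&2
        return 1
    fi
}

# Usage from a logout hook or policy: demote_user "jdoe"
```

Run it from the post-login/logout policy that handles the downgrade; when the checks fail it exits non-zero so the policy can retry on the next run instead of silently demoting too early.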
Posted on 12-18-2019 10:30 AM
Hate to be a negative nancy, but I feel that it needs to be pointed out that zero-touch deployment is not actually possible on Apple devices. It is either LTI or UDI; ZTI is just not possible.
Posted on 12-19-2019 10:05 PM
I agree, "zero touch" is a misnomer, as that would imply you literally did nothing and it auto-configured. The user will have to input some things to the device, and they will also have to authenticate (if you have auth turned on). I force a reboot at DEP Enrollment which then prompts the user to enable FV2.
Posted on 02-04-2021 08:38 AM
I believe Zero Touch is intended to be from the IT perspective; of course, the owner has to touch it. But the idea is IT doesn't have to do it for them, or do anything else to it after delivery.
Posted on 02-08-2021 08:18 AM
Thankfully Apple seems to have finally caved and now allows for a truly zero touch deployment.