- Jamf Nation Community
- Products
- Jamf School
- enrollment best options
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
enrollment best options
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-26-2024 10:07 PM
ok so I am trying to make our device enrollment as seemless as possible for our workstations guys but I am not certain what the best possible options are. Does anyone have experience with pre-stage enrollment? Trying to make this as white glove as possible and its frustrating because I know there is a better way than what we have going I just dont know enough about the configuration options for the platform to be able to maker the changes we need. Any tips or pointers would be greatly appreciated.
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-27-2024 01:08 PM
There are lots of videos form previous JNUCs that give some great examples of using Automated Device Enrollment to setup a user driven enrollment experience. Just doing a quick scan, I found this one:
https://www.youtube.com/watch?v=scZPQ0yYje0 (Fair, warning I haven't watched it)
Also, if you are looking for a good starting script, I would highly recommend Setup Your Mac by Dan Snelson
https://github.com/setup-your-mac/Setup-Your-Mac
The key point is what do your users need. For example:
- Do you need a solution that allows the user to use their regular company id (Okta, Entra, Google, etc.) to login. Then you need a workflow that includes Jamf Connect or similar
- Do you want to install a specific set of applications for the user before they start working. Then you want a tool like Setup Your Mac to run the policies.
- Do you have a set of configuration profiles you need to install. Do they need to be installed before the user logs in?
Enrollment and setup can be very organization specific, but there is a lot good information and demonstrations of what other organizations use. Definitely check out past JNUC videos.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-29-2024 01:15 PM
Depends on how you want the process to go. I have several questions on your process.
- Are you the only one setting up devices? or are there going to be others?
- Do you have your profiles and devices groups all setup?
- What in particular is frustrating about your process? What do you need to change the most?
Knowing the answers to these questions will help you get started. For me, I am typically the only one that sets up devices for our district. I have spent an extensive amount of time testing JAMF School and what it can and cannot do. In contrast to the first reply you received, I stay FAR FAR FAR away from configuration scripts when setting up anything with Apple Silicon. I have done this because Rosetta is about a 50/50 on installing itself with the DEP profile, and I also stopped adding an admin account in the DEP setup because a MDM created account is not recognized as an admin account for many back end functions. one of which being the reduced security for Kernal Extensions. Don't believe me? try creating an account with JAMF School that is an admin, and then going into system recovery to allow users to control Kernal Extensions, it will not work.
Having said all of that, here are my basic tips for setting devices up in Pre-Stage Enrollment:
- Setting up your DEP profiles is key, configuring what you want. Currently, I name my devices as "%AssetTag%-%Username%" which gives me good information when searching for devices after enrollment.
- I skip all settings except location services.
- Under settings, I choose to prompt for the Admin account to be created for the reasons mentioned above. An MDM created admin account does not seem to function correctly on Apple Silicon. I have reached out to JAMF several times and this, and I was told to purchase JAMF Pro to solve the problem.
- Outside of that, I don't use Zero-Touch Setup. If you want to explore that road, I have played with it before and it is neat, but does not always work with Apple Silicon devices.
- Lastly, I do have Rosetta set to install itself, but again, it's hit or miss in my experience.
- After the DEP profile is all setup, I typically assign it to the device but I do not assign Device Groups due to my issues with Rosetta 2 failing to install and the managing of Kernal Extensions not working by default on Apple Silicon devices. This forces half of my software to fail to load properly.
- After DEP handshake, and the setup is complete. I install rosetta manually, and then enable the management of Kernal Extensions. After that, I give the device its groups and all my software and configurations install manually.
I can typically get a set of devices done in office in groups of 5. The whole process takes me under 30 minutes to get 5 done. I know this is a lengthy reply, but I hope it helps add some perspective on what other folks deal with.
