DEP

Sobchak
Contributor

We recently enrolled in Apple's DEP and I was wondering if there was a way to use it in conjunction with Casper to auto-enroll my Mac computers?

I have downloaded and installed the tokens on Apple DEP and Casper. I have added one Mac serial number to my Casper server on Apple's DEP site and it does appear in Global Management - Device Enrollment Program.


wdpickle
Contributor

Have you set up PreStage Enrollments in JSS? Once you have that set up click on the refresh button under scope and you should see your machines listed.

First, did you set up your MDM at deploy.apple.com?

Sobchak
Contributor

I did add a server for Casper if that is what you mean.

I have not set up PreStage Enrollment yet. I am not sure exactly what I should be setting up in there. Since I am only managing computers with Casper I assume both MDM check boxes should be blank?

When I look at PreStage Enrollment it looks like I only need to fill out the three required boxes?

wdpickle
Contributor

When we set ours up we made the MDM mandatory, added a help desk phone number and let the setup process skip a few steps. Nothing cosmic. Ours seems to be working OK.

Sobchak
Contributor

I set up PreStage Enrollment. In General I filled out the display name, device enrollment program instance, support phone number, department, and checked make MDM profile mandatory. I did not change anything in any of the other tabs.

For testing I have a Yosemite machine that was already enrolled in Casper. I deleted the Casper profiles from the computer, deleted the computer from Casper, shut down the computer, added the computer to the DEP Casper server, added the computer to the prestage enrollment scope and turned the computer back on.

The computer did not auto-enroll in Casper. Do you see anything wrong with the steps I have taken?

wdpickle
Contributor

This is/should be part of the initial turn on process for a new machine. You should be able to set this up and hand a user a brand new machine. The first time they turn it on and it goes out to Apple to check, Apple will push it back to your MDM server to set up the computer with your settings for your environment. If your machine has already been set up or imaged with a "corporate" image you will need to use an enrollment URL or quick add package.

stevewood
Honored Contributor II

@Sobchak you will need MDM enabled even if you are only working with computers. MDM is how your JSS will communicate with computers in the DEP program.

I have a PreStage setup that assigns DEP computers to a department named DEP. This allows me to scope a policy to the DEP department, set to run on Enrollment Complete. This policy installs a script, a LaunchDaemon, and creates an admin user. After the policy runs the machine restarts, the LaunchDaemon kicks off the script and all of my settings are set and software installed.

You do not need to do this, of course, you can just let the system enroll and have users use Self Service to install software.

Your testing machine will need to be wiped back to factory settings (re-imaged) so that you have to run through Setup Assistant. During Setup Assistant the system will pick up that it is a DEP enrolled machine and will contact the JSS to enroll.

HTH

adamcodega
Valued Contributor

You can also re-test DEP by deleting the computer from JSS, removing the JAMF framework:

sudo jamf removeFramework

from the computer, and deleting any profiles on the computer. Then, run

rm /var/db/.applesetupdone

and when you restart the computer, Apple Setup Assistant will start as if it was a new computer.

rcastorani
New Contributor II

@stevewood Question about this workflow: Do your users create an admin account during Setup Assistant after the DEP screen? I can't seem to bypass this (I guess for good reason).

My goal is to have a zero-touch solution to use DEP moving forward. Our users are AD based and I have pre-built scripts to automatically make certain users admins based on their OU. I'm a bit confused about the steps between accepting DEP in the setup assistant and the JSS Post-Enrollment policies. Any help is appreciated. Thanks.

stevewood
Honored Contributor II

@rcastorani that's one of the problems right now, or at least when I was testing. The end user has to go through Setup Assistant before the DEP workflow will kick off.

I haven't worked through this except in my mind, but I think you'd want a package to install a LaunchDaemon that initiates a script and then restart the computer. Upon restart, the LaunchDaemon kicks off the script and the script finishes up your setup. The script would delete any local users created during the Setup Assistant phase, bind the computer, and possibly re-name based on some criteria using the API. Like I said, it's conceptual and I have not messed around with it in a long time.

Kyuubi
Contributor

This is exactly where I am at work. Trying out DEP for the first time and playing with workflows to get as close to zero touch as possible. What are others doing in their shops?

rcastorani
New Contributor II

@stevewood Ok, at least I don't feel like I'm missing a step then. I was going for zero-touch, but with the right post-enrollment policies I might be close enough. @Kyuubi My process is almost exactly as Steve mentioned above.

Here is my current workflow as I think this through:
- Make sure computer is in VPP and JSS PreStage Enrollments
- Create DEP Policy to run immediately after enrollment - scoped to a smart group based on Department or PreStage Enrollment

  1. Fire up OTB laptop, start setup assistant, connect to wifi, and confirm DEP settings
  2. In setup assistant: create local user account and put desired computer name in the Account Name field (this seemed much easier than using the API or a dialog box since I'll simply be removing this account anyway)
  3. DEP Policy dumps a postimage.sh launch daemon and restarts the computer*
  4. User enters their AD credentials
  5. Policies run on login that are scoped to the LDAP user OU (ard, dock, etc.)
  6. All additional software and printers are in self service - my job is done.

* Huge thanks to @stevewood for the awesome script that runs through a myriad of settings configurations and jamf policies! That thing is amazing! I tweaked the script for our environment to include removing the local user created during setup, create a new admin account, rename the computer based on Account Name created during setup, bind the laptop, etc, and restart into the login window. More info on his script here (scroll closer to the bottom to get his updated script): https://jamfnation.jamfsoftware.com/discussion.html?id=10491

That's what I have so far and what I'll be working on finishing up and testing tomorrow. I'm hoping to extend this to replace our older imaging processes for any of the reasons we usually have a laptop in the shop (new, repair, repurpose, etc). Any feedback is more than welcome!
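Added example, not a script from this thread or from Jamf: an installer that lays down the LaunchDaemon and first-boot script that stevewood describes conceptually above and that rcastorani's steps 2 and 3 rely on (the DEP policy drops the daemon, restarts, and the script finishes setup). The label com.example.depfirstboot, the paths, the log file, the admin account name and the jamf custom triggers createAdmin and bindAD are all assumptions; the admin account is created by a policy rather than by a password embedded in the script, and the throwaway Setup Assistant user is only deleted after that admin is confirmed to exist.

```bash
#!/bin/bash
# Added example, not rcastorani's or stevewood's script: lays down a LaunchDaemon
# plus a first-boot script so that the DEP post-enrollment policy can restart
# the Mac and have the rest of the setup finish unattended on the next boot.
# The label, paths, log file and jamf custom triggers are all assumptions.

LABEL="com.example.depfirstboot"                 # hypothetical reverse-DNS label
DAEMON_PLIST="${DAEMON_PLIST:-/Library/LaunchDaemons/${LABEL}.plist}"
FIRSTBOOT_SCRIPT="${FIRSTBOOT_SCRIPT:-/usr/local/bin/dep_firstboot.sh}"

# Write the LaunchDaemon. RunAtLoad makes launchd run the script on every boot,
# so the script removes this plist when it finishes and therefore runs once.
write_daemon_plist() {
    plist="$1"; script="$2"
    cat > "$plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>${LABEL}</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/bash</string>
        <string>${script}</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>StandardOutPath</key>
    <string>/var/log/dep_firstboot.log</string>
    <key>StandardErrorPath</key>
    <string>/var/log/dep_firstboot.log</string>
</dict>
</plist>
EOF
    chmod 644 "$plist"       # launchd refuses plists that are group/world writable
}

# Write the first-boot script itself. It follows rcastorani's steps: the short
# name typed into Setup Assistant becomes the computer name, a proper admin is
# created by a jamf policy (so no password sits in this file), the throwaway
# setup user is removed, the Mac is bound, then the daemon cleans itself up.
write_firstboot_script() {
    script="$1"
    cat > "$script" <<'EOF'
#!/bin/bash
LABEL="com.example.depfirstboot"
JAMF=/usr/local/bin/jamf
ADMIN_USER="localadmin"       # assumed: created by the "createAdmin" policy below

# Do nothing until the JSS is reachable; on a fresh boot Wi-Fi may still be coming up.
until "$JAMF" checkJSSConnection >/dev/null 2>&1; do sleep 10; done

# The only local account with UID 501 is the one Setup Assistant created.
SETUP_USER=$(dscl . -list /Users UniqueID | awk '$2 == 501 {print $1}')
if [ -z "$SETUP_USER" ] || [ "$SETUP_USER" = "$ADMIN_USER" ]; then
    echo "no throwaway setup user found, refusing to continue"; exit 1
fi

# Step 2 of the workflow: the Account Name doubles as the computer name.
for key in ComputerName HostName LocalHostName; do scutil --set "$key" "$SETUP_USER"; done

# Custom-trigger policies (trigger names are assumptions). Create the admin
# first and verify it exists before touching the setup account.
"$JAMF" policy -event createAdmin
dscl . -read "/Users/$ADMIN_USER" >/dev/null 2>&1 || { echo "admin account missing, keeping $SETUP_USER"; exit 1; }

dscl . -delete "/Users/$SETUP_USER"
rm -rf "/Users/$SETUP_USER"

"$JAMF" policy -event bindAD
"$JAMF" recon              # report the new name and user list to the JSS

rm -f "/Library/LaunchDaemons/$LABEL.plist" "$0"   # one-shot: never run again
shutdown -r now
EOF
    chmod 755 "$script"
}

# Run as "dep_firstboot_install.sh install" from the DEP policy; the policy's own
# restart payload then triggers the first boot.
if [ "${1:-}" = "install" ]; then
    write_firstboot_script "$FIRSTBOOT_SCRIPT"
    write_daemon_plist "$DAEMON_PLIST" "$FIRSTBOOT_SCRIPT"
fi
```

The installer runs from the policy scoped to the PreStage department (step 3), and the policy's restart payload does the reboot. Two design points matter for a script that deletes an account and runs as root at every boot: it aborts rather than guessing when it cannot identify the Setup Assistant user or when the replacement admin was not created, and it deletes its own LaunchDaemon before restarting so a failure later in the run cannot turn into a reboot loop.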

Kyuubi
Contributor

@rcastorani Would it be possible to see your postimage.sh launch daemon? I am butting my head against the proverbial wall trying to get this DEP MBP to bind to AD and download and install all the settings and config packages (ssh, admin user, ssh banner, etc) that get pushed during imaging and installed in the jss post install script. I appreciate the help.