DEP & JAMF-BASED MAC DEPLOYMENT Or: How we learned to stop imaging and love to install Donna Seelbach – Director of Technology John Lesica – Microcomputer & Network Support Specialist Red Hook Central School District
HELLO FROM RED HOOK CSD! • PK-12 public school in the northern part of Dutchess County, NY • Enrollment of approximately 1950 students • IT Department of 5 – Director, 3 technical staff, 1 administrative staff • Hybrid Windows, Mac, & iOS environment • Approximately 2000 devices – 25% Windows, 25% Mac, 50% iPad • Not a 1:1 district • Mac & iPad percentage increasing significantly
DOCUMENTATION NOTE Introductory workflow available for download at: https://www.redhookcentralschools.org/Page/4669
WHAT IS DIFFERENT IN 2018? • macOS is changing • Security • SIP • KEXT restrictions • Secure Boot • Secure Token • Management • DEP • Configuration Profiles • Mac hardware is changing • T2 Co-Processor • BridgeOS (iOS derivative) • SSD Controller (always-on encryption, FAST!) • Touch Bar SoC • Secure Boot
MACBOOK PRO TOUCH BAR BridgeOS/iOS is subservient to macOS
SECURE BOOT BridgeOS/iOS is the supervisor of macOS
WHY STICK WITH IMAGING? • Your existing deployment solution works • Must cede some level of control to Apple • DEP deployment is not zero-touch, at least right now • DEP will likely take longer per seat, at least right now • New infrastructure & processes needed
WHY SWITCH TO DEP & INSTALLATION? • Security needs outweigh IT convenience • This is a good thing, we must adapt • Allows use of Macs straight out of the box • Apple provides no straightforward roadmap • MDM enrollment may (will?) eventually be required • 10.13+ imaging works only if that major version is already installed • Secure Token is lost if imaged
DEP SETUP • DEP enrollment • MDM server association • Serial Number adoption
DEP ENROLLMENT • Create a unique email address exclusively for a DEP administration Apple ID • Call AppleCare • Apple verifies the request by contacting a supervisor or director-level administrator of the organization
MDM SERVER ASSOCIATION • Upload Public Key from MDM • Download & Install token from DEP/ASM
SERIAL NUMBER ADOPTION Add devices to a server via serial number, order number, or CSV
SERIAL NUMBER ADOPTION Use Order Numbers if possible!
USER-INITIATED ENROLLMENT • Add JSS management account configuration • If using randomized JSS password, an additional local-login admin account is needed
HOW TO DEPLOY VIA DEP & JAMF Prestaging Tasks 1. Assign new Serial Numbers to MDM 2. PreStage Enrollment Creation 3. Smart Group Creation 4. Policy Creation Deployment Tasks 1. OS Installation 2. Setup Assistant 3. Verification & Cleanup
PRESTAGING
PRESTAGING TASKS – JAMF MDM SETUP 1. Assign new Serial Numbers to MDM 2. PreStage Enrollment creation 3. Smart Group creation 4. Policy creation
PRESTAGE ENROLLMENT • Configure as required for each device group
PRESTAGE ENROLLMENT (CONT’D) • Account Settings payload requires macOS 10.13.5 and JAMF 10.5 or later. Earlier releases are broken. • Configure a local-login admin user here if using a randomized JSS management account • Can also configure to prompt for additional account creation during Setup Assistant • If two local users are created here, only the first to log in acquires a Secure Token (more later)
SMART GROUP Simply scope to PreStage Enrollment
POLICY 1 - NAMING • Sets computer name via script • Triggers Common Policy
POLICY 2 – COMMON CFG • Disables sleep • Installs district-wide software, printers & preferences • Sets EFI password • Triggers Custom Policy
POLICY 3 – CUSTOM CFG • Adds location-specific software, printers, & preferences • Binds to AD • Restores sleep defaults
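The naming step of Policy 1 and its hand-off to the Common policy, as an added example in shell that is not code from the Red Hook CSD deck or from Jamf. It derives the computer name from the Mac's serial number, applies it with scutil, and fires a custom Jamf trigger so the next policy in the chain runs. The serial-to-name table, the "mac-" fallback prefix and the trigger name "common-cfg" are assumptions; sysadminctl, scutil, ioreg and the jamf binary are the real macOS and Jamf tools.

```shell
#!/bin/bash
# Added example, not code from the Red Hook CSD deck or from Jamf: a naming
# policy script in the shape of "Policy 1" above. It derives the computer name
# from the serial number, applies it with scutil, and fires the assumed custom
# trigger "common-cfg" so the next policy in the chain runs.

# Constructed serial-to-name table (the real one would ship as a file in a
# package or be looked up in Jamf; the serials here are made up).
NAME_TABLE='C02ABC123DEF,lib-mac-01
C02ABC456GHI,art-mac-07'

# name_for_serial SERIAL TABLE -> echoes the mapped name, or a fallback built
# from the assumed prefix "mac-" and the last 6 characters of the serial.
name_for_serial() {
  serial="$1"; table="$2"
  name="$(printf '%s\n' "$table" | awk -F, -v s="$serial" '$1==s {print $2; exit}')"
  if [ -z "$name" ]; then
    name="mac-$(printf '%s' "$serial" | tail -c 6)"
  fi
  echo "$name"
}

# local_hostname_for NAME -> a Bonjour-safe LocalHostName: lowercase, only
# letters, digits and hyphens, no leading or trailing hyphen.
local_hostname_for() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/[^a-z0-9-]/-/g; s/^-*//; s/-*$//'
}

# apply_name NAME -> sets all three macOS name fields (macOS only)
apply_name() {
  name="$1"
  scutil --set ComputerName "$name"
  scutil --set HostName "$name"
  scutil --set LocalHostName "$(local_hostname_for "$name")"
}

# Only touch the system when actually running on a Mac as a Jamf policy.
if [ "$(uname)" = Darwin ] && command -v scutil >/dev/null 2>&1; then
  serial="$(ioreg -c IOPlatformExpertDevice -d 2 | awk -F\" '/IOPlatformSerialNumber/ {print $(NF-1)}')"
  apply_name "$(name_for_serial "$serial" "$NAME_TABLE")"
  # Assumed custom trigger: the Common policy is scoped to run on this event.
  jamf policy -event common-cfg
fi
```

Deploy it as the script of a policy scoped to the PreStage smart group with the Enrollment Complete trigger; the Common and Custom policies then run on custom triggers rather than on enrollment, which keeps their order deterministic.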
DEPLOYMENT
DEPLOYMENT TASKS 1. OS Installation 2. Setup Assistant 3. Verification & Cleanup
OS INSTALLATION • Imaging • NetInstall • USB Drive • Internet Recovery • Configurator & an extra Mac needed to reset the T2 co-processor in new Macs
SETUP ASSISTANT / MANUAL INPUT • Complete any Setup Assistant options not excluded in PSE • Wait for reboot if configured… • Login as admin to claim Secure Token (optional) • That’s it.
VERIFICATION & CLEANUP • Check all Policy-based items have installed • Check general operation • Add extended inventory information to device record (e.g. Tag#, User, Location)
CACHING SERVER • Significant bandwidth optimization
AFTER THE OLYMPICS, EVERYTHING LOOKS SO EASY
SOME PRESTAGING CONCERNS • Lack of Internet is ALMOST a DEAD STOP • Serial Numbers were not assigned to the correct PSE • DEP device registration erroneously disowned • All apps must be deployable • All configuration customizations must be deployable (i.e. Profiles, Scripts, Preferences, or Packages)
SOME DEPLOYMENT CONCERNS • Lack of Internet IS a DEAD STOP • Need for a new OS deployment process • Mac clock is wrong (breaks TLS to the JSS and DEP) • JAMF framework can take an indeterminate time to install • Computer goes to sleep • MAS apps don't auto-install
SECURE TOKEN The bane of my existence Maybe even more than printers
SECURE TOKEN • An absolute mess • Almost entirely undocumented officially • Enabled only if booting from an APFS volume • Required only if FileVault is enabled • Auto-assigned to first logged-in user • Token revoked if imaged
SECURE TOKEN (CONT'D) • Not auto-assigned to any other users • Assigning tokens requires a tokenized admin • Assigned automatically if a tokenized admin creates the user via the GUI • CLI token assignment requires the admin password in the script or locally entered in a popup • Warning can be suppressed with a custom profile
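The CLI path from the two Secure Token slides, as an added example in shell that is not code from the Red Hook CSD deck or from Jamf. It checks token status with sysadminctl, refuses to proceed when the granting admin is not itself tokenized (the deck's "assigning tokens requires tokenized admin"), and otherwise grants the token. The Jamf parameter layout ($4 to $7) and the sample status lines are assumptions; sysadminctl -secureTokenStatus and -secureTokenOn are the real macOS 10.13+ options.

```shell
#!/bin/bash
# Added example, not code from the Red Hook CSD deck or from Jamf.
# Jamf policy script: make sure a target user holds a Secure Token, granting
# it from an admin that already has one. Assumed Jamf script parameters:
#   $4 = target user, $5 = tokenized admin, $6 = that admin's password,
#   $7 = target user's password (sysadminctl needs both to grant a token).
# Passing passwords this way is the "password in script" option from the
# slides; the alternative is prompting on the Mac (e.g. via osascript).

# Constructed samples of what `sysadminctl -secureTokenStatus` prints (to
# stderr) on macOS 10.13+, used for offline checks of the parser below.
SAMPLE_ENABLED='2018-06-01 08:00:00.000 sysadminctl[412:9021] Secure token is ENABLED for user alice'
SAMPLE_DISABLED='2018-06-01 08:00:00.000 sysadminctl[413:9022] Secure token is DISABLED for user bob'

# parse_token_status TEXT -> echoes ENABLED, DISABLED or UNKNOWN
parse_token_status() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# token_status USER -> status of a real local account (macOS only).
# sysadminctl writes the status line to stderr, hence the 2>&1.
token_status() {
  parse_token_status "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# ensure_token TARGET ADMIN ADMIN_PW TARGET_PW
# Returns 0 when TARGET ends up tokenized, 1 when the admin cannot grant.
ensure_token() {
  target="$1"; admin="$2"; admin_pw="$3"; target_pw="$4"
  if [ "$(token_status "$admin")" != ENABLED ]; then
    echo "admin $admin has no Secure Token; only a tokenized admin can grant one" >&2
    return 1
  fi
  if [ "$(token_status "$target")" = ENABLED ]; then
    echo "$target already has a Secure Token"
    return 0
  fi
  sysadminctl -adminUser "$admin" -adminPassword "$admin_pw" \
              -secureTokenOn "$target" -password "$target_pw" 2>&1
  # Re-check rather than trusting the exit status.
  [ "$(token_status "$target")" = ENABLED ]
}

# Run only when invoked by Jamf with all four parameters present.
if [ -n "${7:-}" ]; then
  ensure_token "$4" "$5" "$6" "$7"
fi
```

Run it from a policy that fires after the PreStage admin has logged in once (the first GUI login is what earns that account its token); if it runs before that login, the admin check fails and the policy log records why rather than silently leaving the target user without a token.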
END RESULT • No image-based deployments as of Summer 2017 • Approximately 400 Macs newly deployed or refreshed with this process • ~40 minutes to wipe & prepare an individual Mac • Add ~10 minutes for installation of complete GarageBand loops • 20+ minutes for loop installation on mechanical HDs • ~20 minutes to deploy an up-to-date Mac from the box • 2-3 hours for a lab / 4-6 hours for a cart of 30 MacBooks given logistical issues • After completing Setup Assistant, can leave systems unattended
Q&A
THANK YOU! Feel free to contact us at dseelbach@rhcsd.org jlesica@rhcsd.org