Advanced Zero-Touch Deployment: Simplifying Device Enrollment

Read this JNUC session recap to learn about zero-touch deployment and discover when to use it in your environment.

October 25 2017 by Jen Kaplan

The key to a smooth, reliable zero-touch deployment is fun. OK, not entirely. But allowing the end user to easily complete the deployment, while not dreading the process, will greatly aid in a successful deployment. In this session, Jamf experts, Jon Yuresko and Matthew Phillips, explored when and how zero-touch deployment can work in any environment.

The duo started with a look at the definition of provisioning and asked the question, “It isn’t imaging, right?” Not exactly. For the purposes of the presentation, Phillips and Yuresko are talking about provisioning. Some people call it configuration, setup, processing, thin imaging, or even thin(ish) imaging.

“The fact is, if you aren’t starting with a base image of preinstalled software and settings (e.g. if you’re starting with a clean, vanilla macOS) you are doing some level of provisioning,” Yuresko said. “This includes your standard ‘once-per-computer at check-in’ policies and any kind of security compliance you’re implementing, or ongoing installation of apps that get deleted or settings that change. They’re all ways of provisioning your Mac, and you’re probably already doing them.”

While some may say they use a master image, which is easier because it has less room for error, keeping it up to date is a cumbersome process. But what’s to come? Apple encourages zero-touch provisioning, which works with a clean OS, including new Mac devices. How does it work?

Provisioning can be accomplished with policies (or custom triggers) in Jamf Pro, but Apple’s Device Enrollment Program (DEP) is required for the sleek zero-touch experience. The catch? Macs need to be on the internet (for iOS and tvOS, no internet required). To get up and running with DEP:

  • The user creates an account at
  • Apple verifies the user’s information
  • Once approved, the user is able to add Mac devices to the portal from authorized resellers or their Apple portal
  • User creates a DEP public key in Jamf Pro
  • User uploads it to to get their DEP token
  • User uploads the token to Jamf Pro and their DEP devices will automagically appear
  • Enter Jamf Pro:
  • User creates a PreStage enrollment in Jamf Pro with their preferred settings (configuration profiles, etc.)
  • User scopes desired devices to the PreStage
  • User finds a brand new/wiped DEP Mac and turns it on
  • The Mac is provisioned.

With a little work on the back end, it’s that easy! But for organizations that aren’t quite ready for zero-touch deployment, Yuresko and Phillips also covered a few advanced workflows that leverage DEP:

  1. Security with DEP to require credentials at computer activation. If a device is wiped or stolen, users can receive a notification when it activates again. If credentials aren’t provided, the system can be locked.
  2. Self Service Activation Provisioning allows any user to provision their computer. A policy runs a provisioning script and can scope to machines that require additions.
  3. bom Files/Dummy Receipts uses persistent files to track history and populate Smart Groups. This is useful for scoping, scripts, extension attributes and Zero Touch.
  4. Launch Agent Initiated Provisioning starts automatically and resumes after reboot. Then it runs until it’s done. Users are also able to run this script on any configured Mac with no side effects.
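The receipt tracking and resume-after-reboot behaviour in items 3 and 4, as an added example (not code from the session or from Jamf): a provisioning runner that writes one receipt per completed step, so a relaunch after reboot skips finished steps and a re-run on a configured Mac changes nothing. The receipt directory, the step names and the three stand-in step functions are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: receipt-driven, resumable provisioning runner.
# RECEIPT_DIR is a hypothetical path. In production it must be root-owned and
# not user-writable: anything that trusts a receipt (skip logic, scoping)
# can be bypassed by whoever is able to create or delete one.
RECEIPT_DIR="${RECEIPT_DIR:-/tmp/provisioning-receipts-demo}"
RUN_LOG="${RUN_LOG:-/dev/null}"

# Constructed stand-ins for real work (for example a policy or custom trigger).
apply_baseline() { echo baseline >> "$RUN_LOG"; }
install_apps()   { echo apps     >> "$RUN_LOG"; }
finalize()       { echo finalize >> "$RUN_LOG"; }

# run_step NAME COMMAND [ARGS...]
# Runs COMMAND unless NAME already has a receipt; records success only.
run_step() {
    name="$1"; shift
    receipt="$RECEIPT_DIR/$name.receipt"
    if [ -f "$receipt" ]; then
        echo "skip  $name (receipt present)"
        return 0
    fi
    if "$@"; then
        # Write to a temp file and rename, so a power loss or reboot
        # mid-write never leaves a receipt for an unfinished step.
        tmp="$receipt.tmp.$$"
        { date -u +%Y-%m-%dT%H:%M:%SZ > "$tmp" && mv "$tmp" "$receipt"; } || return 1
        echo "done  $name"
        return 0
    fi
    echo "fail  $name (no receipt written; retried on next launch)" >&2
    return 1
}

# provision: run the steps in order and stop at the first failure.
# Calling it again resumes at the first step without a receipt.
provision() {
    mkdir -p "$RECEIPT_DIR" || return 1
    chmod 700 "$RECEIPT_DIR" || return 1
    run_step 01-baseline-settings apply_baseline || return 1
    run_step 02-install-apps      install_apps   || return 1
    run_step 03-finalize          finalize       || return 1
}
```

The script that the launch agent starts would call `provision` on every launch; once all three receipts exist, each call is a no-op.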

Yuresko and Phillips closed with information about user experience during enrollment, shared through the lens of the user feedback interface. But maybe the best experience is the one that hasn’t been written yet.
