How to ace your summer device deployments

Summer time brings warm weather, vacations and IT refreshes.

During these times, admins are often working on wiping devices, re-enrolling into mobile device management (MDM), and unboxing brand new hardware. Summer seems to fly by all too fast!

Leveraging the latest services from Apple like the Device Enrollment Program (DEP) — now part of Apple School Manager — and best practices from Jamf can help increase the efficiency of your summer deployment and help you be ready for when the school year starts.

Provisioning iOS

If you are just getting started, there are a few things to consider:

• Are your iPad devices going to be part of a 1-to-1 or shared environment?
• Do you have new devices or existing devices?
• Does any user data need to transfer between devices or do users retain their same device?
• Are you going to leverage DEP and is supervision needed?

DEP allows a way to quickly and easily enroll devices. If you’ve already connected to DEP or Apple School Manager, you’ll want to create a new PreStage Enrollment or update the scope of an existing PreStage. For new devices, you’ll also want to make sure devices are showing in Apple School Manager and that they are associated to the Jamf Pro server MDM connection.

For PreStage Settings, you’ll want to make sure to check the boxes for “Supervise Devices” and “Make MDM Profile Mandatory”, and potentially “Prevent Unenrollment” if we want to prevent the end user from being able to remove the MDM profile. “Pairing” isn’t required but is recommended in case troubleshooting is needed in the future.

"Require Credentials for Enrollment” will use your integration to a directory service like LDAP to verify and assign the device to the user. Without a directory, you can still update this information from a CSV and use a tool like the Mass Update Tool.

Even if devices were not purchased through Apple or an authorized Apple reseller, you can still add them to DEP using the latest version of Apple Configurator. Once the device is added to DEP, it can be cancelled by a user within 30 days within Settings on the device. After the 30 day grace period, it is permanently part of DEP and future enrollments can be done via PreStage Enrollment. For more step-by-step instructions on this process, check out our Knowledge Base video for Adding iOS Devices to DEP with Apple Configurator 2.5.

Re-provisioning iOS

If you are planning to redistribute devices, you can reclaim Volume Purchase Program (VPP) licenses either within the Mobile Device App setting by un-scoping devices or globally revoke VPP content from within the VPP token settings. Un-scoping or revoking licenses will only apply to apps as eBooks cannot be redistributed. VPP is also part of Apple School Manager.

Activation Lock can cause hiccups for an organization that is trying to reissue devices. When a user logs in to iCloud or Find My iPhone, they enable Activation Lock by default. On supervised devices in Jamf Pro, you can bypass the Activation Lock since the bypass code is collected as part of inventory. For devices that are not supervised, or pre-iOS 7, you would need the user to logout of iCloud on the device or through the web before wiping the device. If the user is not available, please contact Apple and provide proof of purchase to remove the Activation Lock.

Activation Lock Bypass is located under “Management” on the device inventory record. The code can be entered on the device to unlock it and regain control.

You can also Clear Activation Lock with a Mass Action when wiping a device.

As of Jamf Pro 10.4, you can also “Suppress the Proximity Setup”, which is a setup option that appears before the device connects to a network and receives DEP instructions - we highly recommend having this option checked when wiping devices.

Provisioning macOS

Before provisioning computers, there are few things to take into consideration:

• Are the Macs part of a lab or single user computers?
• Will central IT be doing the setup or are end users responsible for setup?
• Is any authentication needed? Or bind to AD?
• Are you able to leverage DEP?

Assuming computers are part of DEP, you can setup a PreStage Enrollment to provision new devices or recently wiped devices. Computers have to have “User-Initiated Enrollment” for macOS configured as this will allow for a QuickAdd package to be created during enrollment.

If you are only using one PreStage Enrollment, the option for “Automatically assign new devices” will be very helpful. With multiple sites in Jamf Pro, you can create multiple MDM server connections within DEP and assign devices to the appropriate connection. This would allow for new devices to be automatically assigned to the appropriate PreStage Enrollment as they are added to DEP.

Similar to iOS, macOS PreStage Enrollment settings can allow you to “Make MDM Profile Mandatory” and “Require Authentication” as part of enrollment. If Jamf Pro is integrated with a directory like an LDAP server, then the end user can be prompted via “Require Authentication” to enter their login information in order to populate the “User and Location” information. Requiring authentication would be appropriate if the users are responsible for setting up the computer.

The Management Account is created during enrollment, so we won’t need to specify it under Account Settings. For labs, if you plan to use a Guest User you can select “Skip Account Creation”. After enrollment, you can use a policy to create additional local accounts or delete any extra accounts that are on the computer.

The Jamf Marketplace provides additional integrations to enhance the DEP end-user experience.

Re-provisioning macOS

In a scenario where a computer is returned to be reissued, you can first “Wipe” the computer using an MDM command or through Disk Utility and use DEP PreStage Enrollment. Without DEP, you can do the same wipe process and instead use user-initiated enrollment to re-enroll.

Using DEP or user-initiated enrollment ensures that the MDM profile is installed as “Verified” in order to meet new requirements in macOS High Sierra.

For macOS High Sierra 10.13.4 and greater, a new argument to the startosinstall command is built into the macOS installer. The eraseinstall argument can be used to erase the volume before running the installer. Additionally, the installpackage argument can be used to specify packages to after the OS installation.

To streamline the erase and install process even further, you can setup a button in Self Service to complete both an erase of the volume and a fresh installation of High Sierra.

Whether iOS or macOS, new devices or existing hardware, you’ll be able to ace your summer provisioning and get back to enjoying the season in no time!

For any questions, please contact us and we’d be happy to assist with your device deployments. If you’re not already a Jamf customer, start your free trial today!