The final product
You have now gone back through your original spreadsheet of apps and settings that you created in the beginning of this process and have one “Main Policy” and one “Provisioning Policy” for each line item. As you go through to ensure this is true, you may find some things would be best deployed via Mac app or configuration profile, and if so, feel free to adjust those accordingly based on your environment’s culture or regulations. As you cannot schedule mobile device management (MDM) payloads, all you need to do is ensure your scope is properly assigned per profile/app.
Head over to the Jamf Pro script editor and create a script named something along the lines of “provisioningScript.sh”. Find an example of this script here: https://github.com/jamfprofessionalservices/Provisioning-Workflows/tree/master/Provisioning_Examples and list all items you’re looking to provision in the description of the script. This description is a reference showing what the script will install, and if you ever add or remove policies or apps in your provisioning configuration, you can keep track using it. In the script itself, add a line for each app/setting you made a “Provisioning Policy” for, like the following:
/usr/local/jamf/bin/jamf policy -trigger provision_locationservices
/usr/local/jamf/bin/jamf policy -trigger provision_googlechrome
/usr/local/jamf/bin/jamf policy -trigger provision_settings_googlechrome
Click save, and you should now have a script that has a “jamf policy -trigger” for every policy. This script is now your entire “Provisioning” workflow! You can find a basic script and more complex scripts here: https://github.com/jamfprofessionalservices/Provisioning-Workflows/blob/master/Provisioning_Examples/provisioningWithInstallChecks.sh. You have a few options to deploy now:
- Repurposed machine/lab device – Ensure the computer is on at least 10.13.4. As mentioned earlier, by using the workflow and script outlined here: https://www.jamf.com/blog/reinstall-a-clean-macos-with-one-button/ and attaching a custom QuickAdd via --installpackage, you can erase, install and enroll a computer entirely remotely. You can even automate this entire process (wipe, install OS, enroll, provision, get to the login screen with apps and everything configured for you) and never touch the machine with various workflows.
- New computer non-DEP (Device Enrollment Program) – Enroll the machine using either user-initiated enrollment or QuickAdd and, upon finishing enrollment, have a launch daemon that runs the provisioningScript.sh automatically. Or use the “Self Service” option at the bottom of this list and guide your end user/IT admin to Self Service to begin provisioning. You can also use the “enrollment_complete” trigger if you’d prefer, or a custom QuickAdd with a “/usr/local/jamf/bin/jamf policy -trigger provision_provisionscript” at the end of the “postinstall.sh” found in the QuickAdd.
- New computer DEP – Create a launch daemon that runs the provisioningScript.sh at login and have a splash screen guide the user through the provisioning process.
- Self Service/BYO – Begin provisioning via a click of the button from Self Service as soon as you enroll a machine. You can have one provisioningScript.sh for all users and they can click “Provision” when necessary, or an IT admin can do so prior to deployment. Or have a provisioningScript.sh for every type of user that contains settings/apps only necessary for that user/department. Properly scope that Self Service policy, or have multiple policies when necessary. (As a fail-safe, have an exclusion group set in this “Provision” Policy that will not display this option to pre-provisioned machines.)
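The provisioning script described above, written as an added example (not Jamf's own script and not taken from the linked repository) that runs each trigger in order, checks that the expected item actually exists afterwards, and logs every failure. The log path, the `APP_DIR` override, the `--provision` flag and the meaning given to a non-zero exit status are assumptions of this example.

```shell
#!/bin/sh
# Added example. JAMF_BIN, APP_DIR and PROVISION_LOG are overridable so the
# logic can be exercised on a machine without Jamf installed.
JAMF_BIN="${JAMF_BIN:-/usr/local/jamf/bin/jamf}"
APP_DIR="${APP_DIR:-/Applications}"
PROVISION_LOG="${PROVISION_LOG:-/var/log/provisioningScript.log}"  # assumed log path
FAILED_COUNT=0

log() { echo "$(date '+%Y-%m-%d %H:%M:%S') $*" >>"$PROVISION_LOG"; }

# provision_item TRIGGER [EXPECTED_PATH]
# Runs one custom trigger; if EXPECTED_PATH is given it must exist afterwards.
provision_item() {
    trigger=$1
    expect_path=${2:-}
    # Accept plain trigger names only, so a typo or pasted text never reaches the binary.
    case "$trigger" in
        ""|*[!A-Za-z0-9_]*)
            log "REJECTED invalid trigger name"
            FAILED_COUNT=$((FAILED_COUNT + 1)); return 1 ;;
    esac
    log "running $trigger"
    # Assumption: a non-zero exit status from the jamf binary means the run failed.
    if ! "$JAMF_BIN" policy -trigger "$trigger" >>"$PROVISION_LOG" 2>&1; then
        log "FAILED $trigger (non-zero exit)"
        FAILED_COUNT=$((FAILED_COUNT + 1)); return 1
    fi
    # Install check: a zero exit alone does not prove the item landed.
    if [ -n "$expect_path" ] && [ ! -e "$expect_path" ]; then
        log "FAILED $trigger ($expect_path missing)"
        FAILED_COUNT=$((FAILED_COUNT + 1)); return 1
    fi
    log "OK $trigger"
}

# The three triggers shown earlier on this page; later items still run after a failure.
run_provisioning() {
    FAILED_COUNT=0
    provision_item provision_locationservices
    provision_item provision_googlechrome "$APP_DIR/Google Chrome.app"
    provision_item provision_settings_googlechrome
    log "provisioning finished, $FAILED_COUNT item(s) failed"
    [ "$FAILED_COUNT" -eq 0 ]
}

# Hypothetical flag for this example: only provision when asked to.
if [ "${1:-}" = "--provision" ]; then
    run_provisioning
    exit $?
fi
```

A non-zero exit from `run_provisioning` gives the launch daemon, splash screen or IT admin notification a single signal that the machine is not fully provisioned, with the details in the log.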
Regardless of the company culture, organizational structure or educational environment, these workflows and tools can aid in drastically reducing the downtime it’ll take to switch from monolithic imaging and help provide a more efficient deployment strategy in the long run.
Reach out to Jamf Nation for some great tools to help provide a better end user experience to go hand-in-hand with these new provisioning workflows. Splash screen apps are great for environments where a device is drop-shipped to the desk of an end user. If you’re wiping and re-provisioning labs, you need only a signal/prompt to alert the IT admin that the provisioning is complete, be it on screen or email notification. Again, the steps and workflows mentioned above are currently in production in many Jamf customers’ environments. Be sure to set aside some of that tasty drink for that time in the future when instead of panicking or racing to meet a deadline, you’ve configured your Jamf Pro to both scale and be easily maintained.
Please feel free to utilize Jamf Nation and your support/resources at Jamf to help aid in your new deployments!