Workflow for DEP enrollment with Macs

I apologize if this has been asked already, but I am new to JAMF and wanted to see what you guys were doing.

I would like my Macs to enroll via DEP, get prompted for the user to enter the computer name, then bind to AD. The problem is I cannot figure out how to rename BEFORE it binds to AD. How are y'all doing it? Also, if you can share your script to prompt the user to rename their computer that would be great!

Thanks guys!

SOLVED Posted: 7/17/17 at 7:47 AM by jwojda

To my knowledge there isn't. My workaround is to let it bind and do its thing, then once the machine is done and the user logs in, run a self service policy to unbind, prompt for the machine name, then rebind (among other things, browser runs, first boot scripts, etc).

SOLVED Posted: 7/17/17 at 10:59 AM by mbezzo

Hi Chris,
What we do is trigger a policy from "enrollment complete" that runs a script that checks the current UID and loops until it's a 501 (or 502 in our specific case) and THEN moves on to a loop that waits for the dock to load. At that point we start the naming/binding/everything else.

Here's some snippets of the scripts we use:

"Waiting for user to finish logging in" Script:

#!/bin/bash

# Function to add date to log entries
log(){
NOW="$(date +"*%Y-%m-%d %H:%M:%S")"
echo "$NOW": "$1"
}

# Logging for troubleshooting - view the log at /var/log/prefirstrun.log
touch /var/log/prefirstrun.log
# Redirect stdout first, then point stderr at the same file, so both end up in the log
exec >/var/log/prefirstrun.log 2>&1

# Disable Software Updates during imaging
softwareupdate --schedule off
log "Software Updates disabled"

# Get the currently logged in user
loggedInUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");'`
log "Current user is $loggedInUser"

# Get UID for current user (exact lookup; empty if nobody is logged in yet)
currentUID=$(id -u "$loggedInUser" 2>/dev/null)
log "$loggedInUser UID is $currentUID"

# Check and see if we're currently running as the user we want to setup - pause and wait if not
# (an empty UID is treated as 0 so the loop keeps waiting instead of erroring out)
while [ "${currentUID:-0}" -ne 502 ] && [ "${currentUID:-0}" -ne 501 ]; do
    log "Currently logged in user is NOT the 501 or 502 user. Waiting."
    sleep 5
    loggedInUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");'`
    currentUID=$(id -u "$loggedInUser" 2>/dev/null)
    log "Current user is $loggedInUser with UID $currentUID"
done

# Now that we have the correct user logged in - need to wait for the login to complete so we don't start too early
dockStatus=$(pgrep -x Dock)
log "Waiting for Desktop"
while [ "$dockStatus" == "" ]; do
  log "Desktop is not loaded. Waiting."
  sleep 5
  dockStatus=$(pgrep -x Dock)
done

# Start the imaging process since we're now running as the correct user.
log "501 or 502 user is now logged in, continuing setup."
jamf policy -event firstRun

exit 0

Prompt for naming script:

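#!/bin/sh

# This snippet relies on log() and $loggedInUser from the "waiting" script above.
# Fallback definitions so it also runs on its own:
log(){
    echo "$(date +"%Y-%m-%d %H:%M:%S"): $1"
}
# Owner of /dev/console is the user at the GUI session
loggedInUser="${loggedInUser:-$(stat -f%Su /dev/console)}"

# Prompt user to name computer
computerNamePrompt(){
    # $1 = window title
    # $2 = prompt text
    # $3 = default answer
    # Run osascript as the logged-in user; the AppleScript is fed on stdin
    su - "${loggedInUser}" -c osascript <<EOT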
        tell application "System Events"
            with timeout of 8947848 seconds
                text returned of (display dialog "$2" default answer "$3" buttons {"OK"} default button 1 with title "$1" with icon ("path/to/icon.icns" as POSIX file))
            end timeout
        end tell
EOT
}

# Ask for Computer name to use when binding
log "Prompting user to enter computer name"
computerName="$(computerNamePrompt 'Enter Computer Name' 'Please enter a Computer Name following the companyname standard.\n\nExample: computernamestandard' 'genericizedcomputername')"
log "User entered $computerName"

Hopefully this will get ya started. This took a lot of playing around with to get a good solution! It seems Apple has changed things fairly recently and now DEP isn't triggering as early as it used to - we would have so many policies run as "_mbsetupuser" which just didn't work for us. The looping scripts did the trick and allow the Jamf policies to start at a more reasonable time.

Good luck!
Matt

SOLVED Posted: 7/17/17 at 11:47 AM by chris.morelock

Thank you guys for the info! I will try it out

SOLVED Posted: 7/17/17 at 12:13 PM by sjmosher

One thing that we found helpful in our new machine workflow: it was discovered that if binding to AD through JAMF via policy object, the policy will take the name of the computer as it was at the start of the policy/script/etc when triggered. In our instance, we have to rename the system, then reboot and then bind. When trying to bind as part of the same sequence of tasks, AD would get a blank name. Post reboot, the name binds successfully. Hope this helps!

SOLVED Posted: 7/17/17 at 12:36 PM by kquan

@mbezzo _mbsetup user triggering policies even without the "enrollment complete" trigger has been problematic for us here at my company, specifically happening with machines shipped with 10.12.4 and up.

I did make a post on JAMF Nation here:
https://www.jamf.com/jamf-nation/discussions/24237/dep-w-10-12-5-done-from-internet-recovery-account-creation-issue

Be curious if you'd have any suggestions to this!

Much appreciated!

SOLVED Posted: 7/17/17 at 11:30 PM by stevevalle

Our staff Macs bind to AD using the serial number of the computer. When the user logs in for the first time, they are prompted to insert the Asset ID of the Mac. This Asset ID is also used as the computer name.

The script we use to prompt and rename:

#!/bin/sh

# Loop until valid input is entered or Cancel is pressed.
while :; do
    # Abort if user pressed Cancel (osascript exits non-zero).
    computerName=$(osascript -e 'Tell application "System Events" to display dialog "Please insert your Asset ID number and click Submit:" default answer "" buttons {"Submit"} with icon caution' -e 'text returned of result' 2>/dev/null) || exit 1

    # Trim leading and trailing whitespace (printf, because echo -n is not portable under /bin/sh).
    computerName=$(printf '%s' "$computerName" | sed 's/^ *//' | sed 's/ *$//')

    if [ -z "$computerName" ]; then
        # The user left the Asset ID number blank
        osascript -e 'Tell application "System Events" to display alert "You must enter your Asset ID number. Please try again" as warning' >/dev/null
        # Continue loop to prompt again.
    else
        # Valid input: exit loop and continue.
        break
    fi
done

/usr/sbin/scutil --set ComputerName "${computerName}"
/usr/sbin/scutil --set LocalHostName "${computerName}"
/usr/sbin/scutil --set HostName "${computerName}"

dscacheutil -flushcache

echo "Computer name has been set..."
echo "<result>`scutil --get ComputerName`</result>"

exit 0
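Both prompt scripts in this thread hand whatever the user types to commands running as root (the bind step, `scutil --set`). The following is an added example, not code from any poster here, that checks the name against an allowlist before applying it. The naming policy (1-15 characters, letters, digits and hyphens, no leading or trailing hyphen) and the `SCUTIL` dry-run variable are assumptions.

```shell
#!/bin/sh
# Added example: allowlist validation for a user-entered computer name.
# Assumed policy (not from the thread): 1-15 characters, letters, digits
# and hyphens only, no leading or trailing hyphen.

# Fixed locale so the A-Z / a-z ranges below match ASCII only.
LC_ALL=C
export LC_ALL

# normalize_name: trim leading and trailing whitespace from $1.
normalize_name() {
    printf '%s' "$1" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# is_valid_name: return 0 if $1 satisfies the assumed policy, 1 otherwise.
is_valid_name() {
    name=$1
    [ -n "$name" ] || return 1            # blank input
    [ "${#name}" -le 15 ] || return 1     # too long for the assumed limit
    case $name in
        *[!A-Za-z0-9-]*) return 1 ;;      # any character outside the allowlist
        -*|*-)           return 1 ;;      # leading or trailing hyphen
    esac
    return 0
}

# apply_name: set all three macOS names only if the input passes validation.
# SCUTIL is a hypothetical override for dry runs (e.g. SCUTIL=echo).
apply_name() {
    candidate=$(normalize_name "$1")
    if ! is_valid_name "$candidate"; then
        echo "Rejected computer name: does not match naming policy" >&2
        return 1
    fi
    for key in ComputerName LocalHostName HostName; do
        "${SCUTIL:-/usr/sbin/scutil}" --set "$key" "$candidate" || return 1
    done
}
```

In either prompt loop, call `apply_name "$computerName"` in place of the direct `scutil` lines and prompt again when it returns non-zero.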
SOLVED Posted: 7/19/17 at 10:22 AM by chris.morelock

Thank you guys!
