Streamlining My Mojave workflow

Abhinav7264
New Contributor

Hi there,
I made a workflow to clean install Mojave and silently install Mojave through Self Service. Now I am trying to create an admin account and connect the cleanly installed machines to our Wifi after the reboot. We don't have DEP. I searched for a solution for doing this without DEP, but nothing is solid. Are there any suggestions or scripts which can help my cause? Any help regarding this is really appreciated.

8 REPLIES

weldon
New Contributor

If the computers aren't assigned to the MDM with DEP, then it won't be possible to automatically force them to enroll and run policies. However, you can look into some other projects like Mac Deploy Stick from Two Canoes or Bootstrappr from Greg Neagle that will help you run additional packages as you reinstall the OS. You will just have to select the boot volume manually to start the process.

itupshot
Contributor II

@weldon I was afraid of this.

We currently have the majority of our computers registered under DEP, but my company was acquired by another company. Now we are not able to purchase directly from Apple, so any new serial numbers will not be registered into our DEP.

So, even though we are still using our own instance of JamfPro, we can't really automate certain things based on DEP registration since these new machines won't appear.

We were actually not relying on DEP for automatically running imaging tasks. We were just using NetInstall images hosted on a NetSUS server to run Jamf Imaging. However, if using DEP pre-enrollment is the only option for automating software deployment and creating an admin user login on a fresh installation of the OS now, we're out of luck.

mm2270
Legendary Contributor III

@itupshot Buying your Macs directly from Apple is not a requirement to have them enrolled in DEP. It was when it was first introduced, but Apple changed that a while ago. You can use any Apple authorized reseller who participates in the DEP program, and they should be able to hook you up. You just have to make sure they do participate in it so they enroll your purchases into Apple Business Manager/DEP for you. Not every reseller is authorized to do it, but most are.

However, your assumption above is correct. The only realistic way to get new or reinstalled OS machines auto enrolled into your Jamf Pro instance and an admin account created is through DEP. Anything else you will need to touch the systems to manually create an account and then enroll. It's not a terribly large amount of steps to go through, but it's still far from automated.

swapple
Contributor III

@itupshot Adding on to @mm2270, after we learned about the resellers in DEP, we were able to go back to them and they manually added all of our purchases (present and previous) from them to DEP, not just from now going forward. We still are not 100% DEP but are that much closer.

PaulHazelden
Valued Contributor

Without DEP, you will be forced at a minimum to log in as a user account and open Profiles in the System Preferences, and accept the MDM profile, before it can be properly managed by the MDM.
You have to do this locally on each Mac, you can't do it in a remote session, or even have a remote session open when the user does it on their end. This is a "Problem" for which the solution is DEP.
Bootstrappr or similar will be the best option for running a script to create user accounts etc.

tjhall
Contributor III

As mentioned above, you can wipe and re-install OS X and automatically install an admin account and Jamf via script but the MDM profile will need to be approved manually.
I've noticed that TeamViewer (once approved) can approve the MDM remotely so don't know if that's an option?

itupshot
Contributor II

@weldon @mm2270 @swhps It's not a reseller that's purchasing. My company was acquired by a larger company. So that company now will be purchasing Macs for us under their DEP.

However, we will still be managing them using our JSS/JamfPro, but they just will not be synced to it from DEP/Apple Business Manager.

sdagley
Esteemed Contributor II

@itupshot Can you have your parent company add your JSS as an MDM in their ABM account and generate a token for your JSS? You can have multiple MDMs defined per ABM, so they could put machines purchased for your division into your designated MDM. I've never tried it myself, but the Device Enrollment Program config page in Jamf Pro does allow multiple accounts to be defined.