Our customer spotlight series shares the unique strategies our customers use for their Mac deployments. It also offers insight into the different ways Mac admins are solving common problems.
Who is Tom Bridge?
Tom Bridge is a partner at Technolutionary, Inc, where he acts as an Apple IT consultant and Mac administrator. Tom is also the producer and host of the MacAdmins.org Podcast and is a regular conference speaker at MacDevOps YVR, Penn State Mac Admins, MacADUK, MacTech, and MacDeploy conferences.
Tom manages numerous customer deployments with SimpleMDM. We are honored that he was willing to share his strategy for this article. Thanks, Tom!
Tom’s goals
A macOS deployment workflow with minimal end-user and administrator interaction
Keep users well-informed about the magic happening behind the scenes and what to expect
Provide the user with clear guidance on what steps must be taken
Minimize security risks and administrative costs
“Good technical solutions paired with good human solutions”
Tools used
Solutions
It starts with something tangible
The initial step of Technolutionary’s deployment workflow comes even before devices are activated. Prior to being handed over to their eventual user, a printed introductory guide is included with the computer. It explains exactly what the user should expect after activating their device, includes detailed instructions on the aspects of the deployment that require their interaction, and tells them whom to contact if they encounter difficulties. This step is significant for Technolutionary because it demonstrates how they are able to align with their goal of “good technical solutions paired with good human solutions.”
Apple DEP and user account setup
Once devices are activated, they proceed to check in with Apple DEP and, as a result, enroll with SimpleMDM. The DEP settings are configured to skip a few Setup Assistant screens, but Technolutionary allows users to see most of these panes and choose their own configurations. In addition, the DEP configuration is set up to automatically create a local admin account, prompt the user to create their own local admin account, and assign the device to a specific, initial device group within SimpleMDM. The only initial configuration profile this group applies via MDM is the FileVault profile – this forces the user to enable FileVault after a certain number of logins and escrows the key to SimpleMDM.
Wiring Munki + AWS CloudFront, JumpCloud, & more
Though this initial group may not always be the device’s end destination, it plays another vital role in the deployment process. Through this group, the InstallApplications package is deployed to the device via the ‘InstallEnterpriseApplication’ command during enrollment. When used as this initial package, InstallApplications can be used to run scripts preflight (before reaching the Setup Assistant screens), and to install many other configurations and applications during the Setup Assistant phase and/or at the time of user account creation.
In the case of this deployment, the InstallApplications package downloads a JSON file hosted on a Technolutionary web server. This JSON file instructs InstallApplications to download and install a handful of packages during the Setup Assistant phase. Amongst them are an install script for JumpCloud, a Munki-Cloudfront package, the various required Munki-tools packages, and the DEPNotify package.
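The bootstrap manifest described above is the one place where the whole deployment trusts a file fetched over the network, so the packages it names should be pinned by hash. The following is an added example written for this article, not Technolutionary’s manifest and not code from the InstallApplications project; the phase names (preflight, setupassistant, userland) and item fields (file, url, hash, name, packageid, version, type) follow the InstallApplications JSON layout as I understand it and are an assumption, and the package, URL and package identifier are constructed sample values.

```python
"""Build a hash-pinned bootstrap manifest in the InstallApplications style and
verify a download against it. Added example, not the project's own code; the
field names are an assumption about the InstallApplications JSON format."""
import hashlib
import hmac
import json
import os
import tempfile

PHASES = ("preflight", "setupassistant", "userland")


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large .pkg files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def make_item(local_path, url, name, packageid, version, item_type="package"):
    """Describe one package. The hash is computed from the build artefact, so a
    client that checks it will refuse a package that was altered in transit or
    on the web server after the manifest was published."""
    return {
        "file": "/Library/installapplications/" + os.path.basename(local_path),
        "url": url,
        "hash": sha256_file(local_path),
        "name": name,
        "packageid": packageid,
        "version": version,
        "type": item_type,
    }


def build_manifest(items_by_phase):
    """Assemble the phase -> items structure; unknown phase names are rejected."""
    manifest = {phase: [] for phase in PHASES}
    for phase, items in items_by_phase.items():
        if phase not in PHASES:
            raise ValueError("unknown phase: %s" % phase)
        manifest[phase].extend(items)
    return manifest


def verify_download(item, downloaded_path):
    """True only when the downloaded file matches the hash pinned in the manifest."""
    return hmac.compare_digest(sha256_file(downloaded_path), item["hash"])


def demo():
    """Constructed sample: a few bytes stand in for a real package body."""
    tmp = tempfile.mkdtemp()
    pkg = os.path.join(tmp, "munki_cloudfront.pkg")
    with open(pkg, "wb") as fh:
        fh.write(b"constructed package bytes")
    item = make_item(pkg, "https://example.invalid/munki_cloudfront.pkg",
                     "Munki CloudFront keys", "com.example.munkicloudfront", "1.0")
    manifest = build_manifest({"setupassistant": [item]})
    good = verify_download(item, pkg)          # untouched copy passes
    tampered = os.path.join(tmp, "tampered.pkg")
    with open(tampered, "wb") as fh:
        fh.write(b"constructed package bytes, modified")
    bad = verify_download(item, tampered)      # altered copy is rejected
    return json.dumps(manifest, indent=2), good, bad


if __name__ == "__main__":
    text, good, bad = demo()
    print(text)
    print("untouched verifies:", good, "| tampered verifies:", bad)
```

The manifest itself should also be served over HTTPS from a host the admin controls, since the hashes only protect what comes after the manifest has been fetched; if the manifest can be swapped, so can every hash in it.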
The signed Munki-Cloudfront package is particularly noteworthy. Technolutionary’s Munki repository is hosted on an AWS CloudFront CDN, and this package installs the verification keys necessary for devices to access the Munki repo. This acts as a security layer to prevent unwanted devices from accessing the contents of the Munki repo. It also helps minimize hosting costs and makes repository access easier to track.
Providing the user with feedback using DEPNotify
InstallApplications also writes a configuration for DEPNotify that tells it what to do next. It is at this point that InstallApplications hands off to DEPNotify to take over the rest of the process. After the end-user has completed the Setup Assistant panes and has logged in, DEPNotify launches a window from the Technolutionary website that provides details to the user about what is going to happen and instructions on what steps to take. The first step is to download and install the Managed Software Center. Once installed, the user is prompted to click “Next Step” to complete a series of additional tasks, such as confirming that LastPass and other software installed successfully, logging in to G Suite and changing their password, and signing in to Slack.
Once all of these steps have been completed, the user is informed that their machine setup is finished and they are all set. In some cases, this is the last step. In others, admins may re-assign the device to a new group within SimpleMDM to apply other configurations and install additional applications. Tom mentioned that they may be looking to automate this process even further by utilizing the SimpleMDM API to check which group a device belongs in and have it re-assigned to that group automatically.
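The group re-assignment Tom describes automating can be written as a reconcile loop: list devices, work out which group each one belongs in, and only issue a move for devices whose current group differs. The following is an added example for this article, not Technolutionary’s script and not code from SimpleMDM. It assumes, from my reading of the SimpleMDM REST API, that the base URL is https://a.simplemdm.com/api/v1, that authentication is HTTP Basic with the API key as the user name and an empty password, that GET /devices returns each device with a relationships.device_group link, and that POST /device_groups/{group_id}/devices/{device_id} assigns a device to a group; confirm these against the current API documentation before relying on them. The rule that picks a target group from the device name, the group ids and the device records are constructed for the example.

```python
"""Reconcile SimpleMDM device-group membership from a naming rule.
Added example; endpoint paths and auth scheme are assumptions about the
SimpleMDM API, and the groups, devices and naming rule are constructed."""
import base64
import json
import os
import urllib.request

API_BASE = "https://a.simplemdm.com/api/v1"

# Hypothetical target groups keyed by device-name prefix; unmatched names stay put.
GROUP_BY_NAME_PREFIX = {"eng-": 201, "sales-": 202}


def auth_header(api_key):
    """Assumed scheme: Basic auth, API key as user name, empty password."""
    token = base64.b64encode((api_key + ":").encode()).decode()
    return {"Authorization": "Basic " + token}


def http_json(method, path, api_key, opener=urllib.request.urlopen):
    """Tiny transport wrapper; `opener` is injectable so the logic runs offline."""
    req = urllib.request.Request(API_BASE + path, method=method,
                                 headers=auth_header(api_key))
    with opener(req) as resp:
        body = resp.read()
    return json.loads(body) if body else {}


def desired_group(device_name):
    for prefix, group_id in GROUP_BY_NAME_PREFIX.items():
        if device_name.lower().startswith(prefix):
            return group_id
    return None


def plan_moves(devices_payload):
    """Return [(device_id, current_group, target_group)] for devices out of place."""
    moves = []
    for dev in devices_payload.get("data", []):
        name = dev.get("attributes", {}).get("name", "")
        link = dev.get("relationships", {}).get("device_group", {}).get("data", {})
        current = link.get("id")
        target = desired_group(name)
        if target is not None and target != current:
            moves.append((dev["id"], current, target))
    return moves


def reconcile(api_key, opener=urllib.request.urlopen, dry_run=True):
    """Plan the moves and, unless dry_run, apply them one POST at a time."""
    moves = plan_moves(http_json("GET", "/devices", api_key, opener))
    if not dry_run:
        for device_id, _, target in moves:
            http_json("POST", "/device_groups/%d/devices/%d" % (target, device_id),
                      api_key, opener)
    return moves


# ---- constructed offline stand-in for the API, used by the demo and tests ----
SAMPLE_DEVICES = {"data": [
    {"id": 12, "type": "device", "attributes": {"name": "eng-macbook-01"},
     "relationships": {"device_group": {"data": {"type": "device_group", "id": 200}}}},
    {"id": 13, "type": "device", "attributes": {"name": "sales-macbook-02"},
     "relationships": {"device_group": {"data": {"type": "device_group", "id": 202}}}},
    {"id": 14, "type": "device", "attributes": {"name": "loaner-03"},
     "relationships": {"device_group": {"data": {"type": "device_group", "id": 200}}}},
]}


class _CannedResponse:
    def __init__(self, body):
        self._body = body

    def read(self):
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def make_fake_opener(devices_payload, calls):
    """Records every (method, url) and answers GET /devices with the sample list."""
    def opener(req):
        calls.append((req.get_method(), req.full_url))
        if req.get_method() == "GET":
            return _CannedResponse(json.dumps(devices_payload).encode())
        return _CannedResponse(b"")
    return opener


if __name__ == "__main__":
    key = os.environ.get("SIMPLEMDM_API_KEY")  # never hard-code the key
    if key:
        print(reconcile(key, dry_run=True))    # real API, plan only
    else:
        calls = []
        print(reconcile("constructed-key", make_fake_opener(SAMPLE_DEVICES, calls)))
```

Keeping dry_run as the default and reading the key from the environment means the script can be run from a scheduler to report drift without being able to change anything until an admin opts in; the API key used for the live run should be one scoped to the least access SimpleMDM allows for this task.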