Fully loaded Mac – in the past

We covered the features Apple is giving us to manage our Macs in the previous post. However, some of those features are not yet available in Israel. They will show up here eventually, possibly with the Apple Business Manager release in the next few months.

In the meantime, let’s discuss how we used to deploy a new Mac and what worked for us, so that later we can talk about the direction we are moving in. Let me know in the comments if you have any suggestions or questions.

Administrative tips

First, we purchase our Macs through a big company that will have a significant interest in being approved as a DEP reseller once DEP is available in Israel. This way we will probably be able to ensure that previously purchased equipment gets added to our account.

Once the Macs arrive, I do not open them right away, since Apple’s one-year warranty starts the moment you activate them (connect to the internet for the first time). I do keep a few spare Macs ready to hand out, just in case someone forgot to let me know about a new person who has already started working … yesterday.

I consider it best practice to have the same configuration across the whole fleet per job role, and the same color of devices for all. All R&D folks get the same machine, and all support staff get the same, lower-spec configuration. It is simpler to manage and troubleshoot, and it does not cause people to complain about their hardware.

As soon as I find out a new person is starting, I will fire up that Mac and ….

Deployment workflow

Here is what I used to do so far; later I’ll go into what we do now. The first thing I did was boot the Mac into NetBoot mode and put a primary image on the laptop. Even if there was a working version of macOS on it, I would erase it. You never know who touched the Macs while in transit, and I also want a consistent setup across all of our devices.

We used DeployStudio and had an image for every computer type. This does add the task of keeping the images up to date, but it is relatively simple: after an OS upgrade you deploy a machine, create a new image from it and drop it back on the deployment server. The more diversified your Mac fleet is, the more images you will need to maintain.

Part of the DeployStudio workflow is to copy files to the Mac and install packages and other security features once the image has finished deploying. We used that to install a few packages that create the admin user and kickstart the Munki installation. Munki is a great open source project that is widely used and gives you an internal “App Store” on the Mac with company-approved software. We would also copy a few files over, such as the default wallpaper, to avoid running around with a USB drive.

Munki opened so many options for us! We used to rely on Apple Remote Desktop to install things remotely, but that meant many checklists and was error-prone. With Munki you can create different lists of packages and configurations that it will apply consistently. We had separate lists for different departments too, and we could update the software for the whole company or for a specific department. Running scripts is also an option, so if you want to use the defaults command to set preferences, or any other bash CLI tool, that will work too.
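As an added illustration of the per-department manifest layering described above (my example, not code from the original post or from the Munki project): a small resolver over a constructed mini repo that merges a client manifest with everything it includes and flags items one layer installs while another removes. The manifest and package names are invented; the key names (included_manifests, managed_installs, managed_uninstalls, optional_installs) are Munki’s own, and the resolver handles any depth of includes, not only the two levels the post describes.

```python
# Added example: merge a Munki client manifest with its included manifests.
# REPO is a constructed stand-in for the manifests directory of a Munki server;
# manifest and package names are invented, the key names are Munki's.
MANIFEST_KEYS = ("managed_installs", "managed_uninstalls", "optional_installs")

REPO = {
    "site_default": {  # every Mac in the company includes this one
        "catalogs": ["production"],
        "managed_installs": ["munkitools", "google_chrome", "company_wallpaper"],
        "managed_uninstalls": ["legacy_vpn_client"],
    },
    "dept_rnd": {
        "included_manifests": ["site_default"],
        "managed_installs": ["xcode", "docker"],
        "optional_installs": ["wireshark"],
    },
    "dept_support": {
        "included_manifests": ["site_default"],
        "managed_installs": ["zendesk_app"],
        "managed_uninstalls": ["xcode"],  # support staff should not get Xcode
    },
    "serial_C02EXAMPLE": {  # constructed per-machine manifest pulling in two departments
        "included_manifests": ["dept_support", "dept_rnd"],
        "managed_installs": ["legacy_vpn_client"],
    },
}

def resolve(name, repo=REPO, _seen=None):
    """Return the merged item lists for a manifest and everything it includes.
    A manifest seen twice is skipped, so an include cycle cannot loop forever."""
    _seen = set() if _seen is None else _seen
    result = {k: [] for k in MANIFEST_KEYS}
    if name in _seen or name not in repo:
        return result
    _seen.add(name)
    manifest = repo[name]
    # Included manifests first, then this manifest's own lists; duplicates dropped.
    for inc in manifest.get("included_manifests", []):
        for key, items in resolve(inc, repo, _seen).items():
            result[key].extend(i for i in items if i not in result[key])
    for key in MANIFEST_KEYS:
        result[key].extend(i for i in manifest.get(key, []) if i not in result[key])
    return result

def conflicts(resolved):
    """Items that one layer installs and another removes. Which one wins is
    decided by Munki's processing order, so flag them instead of guessing."""
    return sorted(set(resolved["managed_installs"]) & set(resolved["managed_uninstalls"]))
```

Running conflicts(resolve("serial_C02EXAMPLE")) on the constructed repo reports both xcode and legacy_vpn_client, which is exactly the kind of surprise you want to catch before a department manifest reaches the fleet.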

If you are using an MDM, one more step you can take is to enroll your Macs using a QuickAdd package. I prefer doing that at the DeployStudio level (not in Munki), so I can be sure that once a Mac finishes without errors, it is enrolled.

To speed things up, use a wired connection and create a separate VLAN for deployment only. It is possible to use an external drive, and that might be faster, but it is a single point of failure. Also, whether it takes 5 minutes or 30 does not make that much of a difference, as long as you don’t need to be there pushing buttons and clicking things.

So now you have a Mac with the latest OS, enrolled in your MDM, connected to Munki, and pulling all the apps and settings. We put a printed page with the first-day instructions inside the laptop, and back in the box it goes, waiting for the new owner to open it up.

Monitoring

You get some indication from DeployStudio that things ran successfully, but that is pretty much it. We needed a solution to monitor the status of the Macs and let us know if something is going wrong. After testing several options, we decided to use Watchman Monitoring. It was everything we needed, for a reasonable price.

This service is fantastic at what it does:

  • Asset tracking
  • Hardware and software information
  • Warranty details
  • Notification on errors

You can get notifications for:

  • Kernel Panic
  • Computer name or OS changes
  • OS downloads
  • Full hard drive

We could customize the alerts to our liking and open a ticket to our helpdesk software for those situations when we want to follow up.

That is how it used to work, but then Apple came in and had to change things…

Management framework by Apple for the MacAdmins of today

The last few weeks were intense. I was away from my family, my day-to-day life, habits and work, because I was doing the JAMF 200 and 300 courses and certifications one after the other, within two weeks.

We have been integrating JAMF for our Mac and iOS devices after working with open source programs for a while. I just got tired of the constant maintenance that deprived me of the ability to move forward on the many projects in the pipeline.

So what is JAMF?

JAMF is a management solution for Apple products (not developed by Apple, though). It will allow you, as a Mac admin, to do what you want with your Mac fleet. While other proprietary solutions focus on integrating macOS and iOS into the Windows environment, the main advantage of JAMF is that it is solely focused on the Apple ecosystem and all of its aspects. Working closely with Apple, they are usually the first to implement new features. The fact that only one ecosystem needs to be supported probably reduces the overall complexity of their system and the likelihood of bugs.

It’s a collection of tools that can simplify day-to-day tasks. There is a large community of professionals on the JAMF forums who are really helpful with any question, and their support has been helpful so far, even without the 24/7 support plan. Of course, this comes at a price of about $60 per computer per year, a no-brainer if you consider the number of technicians it can replace if implemented correctly; more on that later.

I will not go into everything JAMF does, since you can find all that on Google, but I would like to share with you how we are using it today.

Let us start with some background.

Apple is making a big step in helping Mac Admins manage their devices. And they do it the way Apple does everything, their own way. Apple is providing tools for installing software and settings remotely while maintaining security and its focus on user privacy.

This does come at a cost for the Mac admin who got used to doing some things their own way and does not want to invest more time tinkering with something that is already working (smart guy, right? 🙂).

However, this will not work for long. Apple introduced some software and hardware changes over the years that will require us to adjust.

  • SIP (System Integrity Protection), which no longer gives you access to some of the system folders.
  • The latest Macs come with the T2 chip, which completely blocks the option of full-drive imaging.
  • User-approved kernel extensions. This feature makes sure that the person who owns the computer is aware of, and approves, the third-party code that gets access to the system and hardware at the kernel level.

Many were concerned with the way things were going, but Apple did listen to feedback (so far) and provided new methods to manage devices. Let’s welcome some abbreviations:

MDM – Mobile Device Management – A solution to manage devices. Apple does not provide one, nor does it plan to. They did, however, provide the protocols, systems and guidelines for how an Apple MDM should work, and set up the Apple-controlled backbone so that the controlling power stays with Apple. This way they can guarantee the quality and security of their product and service.

APNS – Apple Push Notification Service – This is the magic sauce Apple uses to send commands between your Mac and the MDM, to get things rolling and to perform some tasks.

DEP – Device Enrollment Program – This is an amazing feature, if only it were available here in Israel. What it does is kickstart the enrollment of a Mac into the MDM of your choice. The moment you purchase any Apple device from an approved Apple reseller, its serial number is automatically added to your account, and with a few clicks in JAMF you can assign it to a profile, install software and do other useful things. You don’t even have to do it yourself: ask the reseller to ship the laptop to the user’s home, and the laptop will start “setting itself up” once it is connected to the internet for the first time. (With the latest macOS, each computer must connect to the internet to perform activation.) You (with Apple’s help) can control every aspect of the installation.

VPP – Volume Purchase Program – Similar to volume licensing, but better. This way your company can purchase software and assign it to certain users. The software is owned by you and the license is transferable. The user does not need to have an Apple ID to install any software.

Apple Business Manager – This should unite VPP and DEP into one. Supposedly it will launch in Israel and bring DEP too (fingers crossed).

GSX – Also not available in Israel yet. This allows you to see the insurance information of your device and simplifies the ordering of spare parts.

JAMF – Uses all of the Apple services mentioned above to provide us, Mac admins, with an awesome experience managing Macs.

Now that we have covered the Apple side, let’s move forward. macOS has several options to manage and control Macs:

  • Use the defaults command to add or modify settings; very versatile.
  • Use macOS CLI commands that perform different actions on the OS.
  • Apple configuration profiles: a profile is a file that determines and enforces what your device can or cannot do. Awesome for things like making sure encryption is turned on or that the computer locks after a few minutes of inactivity.
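As an added example (mine, not code from the original post or from JAMF), here is the configuration profile case from the list above worked through in Python: one function builds a device-scoped .mobileconfig that turns FileVault on and locks the screen after a few idle minutes, and a second one audits any profile to confirm it actually enforces those controls, which is the check you want before pushing a profile to a fleet. The ORG identifier and the five-minute threshold are constructed; the payload types and keys are the ones I know from Apple’s profile reference, so verify them against the current reference before deploying.

```python
# Added example: build and audit a configuration profile (.mobileconfig) that
# enforces the two controls named above: FileVault on and a screen lock after a
# few idle minutes. Payload keys follow Apple's profile reference as I know it;
# ORG and the thresholds are constructed values, not the author's.
import plistlib
import uuid

ORG = "com.example.macadmin"  # constructed placeholder identifier

def _payload(ptype, name, **settings):
    """One payload dict with the mandatory Payload* keys filled in."""
    payload = {
        "PayloadType": ptype,
        "PayloadIdentifier": f"{ORG}.{ptype}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": name,
    }
    payload.update(settings)
    return payload

def build_security_profile(idle_minutes=5):
    """Return the profile as plist bytes, i.e. the contents of a .mobileconfig."""
    payloads = [
        # FileVault 2 payload: note that Enable is the string "On", not a bool.
        _payload("com.apple.MCX.FileVault2", "FileVault", Enable="On",
                 Defer=True, UseRecoveryKey=True, ShowRecoveryKey=False),
        # Screen saver payload: start after idle_minutes and ask for the
        # password immediately (delay 0) once it does.
        _payload("com.apple.screensaver", "Screen lock", idleTime=idle_minutes * 60,
                 askForPassword=True, askForPasswordDelay=0),
    ]
    # The top level is itself a payload of type Configuration, scoped to the device.
    profile = _payload("Configuration", "Baseline security",
                       PayloadScope="System", PayloadContent=payloads)
    return plistlib.dumps(profile)

def audit_profile(data, max_idle_seconds=300):
    """Parse a profile (bytes) and report which baseline controls it enforces."""
    root = plistlib.loads(data)
    by_type = {p.get("PayloadType"): p for p in root.get("PayloadContent", [])}
    fv = by_type.get("com.apple.MCX.FileVault2", {})
    ss = by_type.get("com.apple.screensaver", {})
    return {
        "filevault_enforced": fv.get("Enable") == "On",
        "screen_lock_enforced": (ss.get("askForPassword") is True
                                 and ss.get("askForPasswordDelay", 0) == 0
                                 and 0 < ss.get("idleTime", 0) <= max_idle_seconds),
        "system_scope": root.get("PayloadScope") == "System",
    }
```

Write the bytes returned by build_security_profile() to a .mobileconfig file to install or upload it; audit_profile() works just as well on a profile exported from your MDM, so you can check what is really being pushed.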

Apple really does not want us to tinker with the OS too much, so that it works as intended. This is clearly visible in the way they limit the power of the Mac admin and even of the root user on the Mac.

What they ended up doing is providing a simpler way for us to get all of that, simply by toggling features on and off in the MDM of our choice. Not all features are available, but the most important ones are there.

In the next post, we will go into the workflow we use to provision macOS devices from the moment we receive the equipment until the user of that new Mac is happily working with his new toy.