Hi all, I’ve been very busy over the last year implementing a Windows management solution, SCCM, for our fellow operating system Microsoft Windows, so the blog has been neglected for a while. However, I thought I’d come back big and launch a mini series on how to get to a fully automated, managed Mac estate, just as Apple want you to.

Speaking to various people around communities and different companies, it seems that not everyone is as far down the fully managed road as Apple want us to be, with many still using a monolithic imaging process to provision machines for their respective estates. As most people know, with the introduction of macOS High Sierra, monolithic imaging is no longer supported. Not impossible, but not officially supported!

So in Part 1, I will be covering a utility called SplashBuddy, which gives your users a nice branded hello when they turn on their Mac for the first time, without needing an IT professional on hand.

I also want to credit Timothy Halford – Workplace Technology Specialist @ Just Eat, who helped create this DEP workflow internally at Just Eat.

———–

The Final Product

In this tutorial we’re hopefully going to get you to an automated workflow that looks a little like this:

*Elgato Game Capture HD60 S used to capture the footage

———–

Prerequisites

So there are a couple of things we need before we start customising SplashBuddy. You need to have signed your organisation up to the Apple Device Enrollment Program and Volume Purchase Program (https://deploy.apple.com). This means that any device you purchase via Apple or an approved reseller/supplier is assigned to your organisation in DEP, so the device’s ownership is institutional rather than personal.

This gives us the ability to enroll the device into our preferred MDM and apply policies etc. to the device before it’s even taken out of the box. Best of all, the service is provided free of charge by Apple.

*Note I: If you’re signing up, don’t create an Apple ID beforehand; create it during the registration process.


*Note II: If you’re struggling to find your company information when signing up, have a look at https://www.upik.de/en/upik_suche.cgi; not many people know what a D-U-N-S Number is.

So back to our prerequisites:

  • Company Enrolled with Apple Device Enrollment Program
  • Device Enrollment Program linked to MDM, for me it’s Jamf Pro (aka Casper Suite)

Device Enrollment Program (DEP) Workflow

First of all you’ll need to provision your DEP workflow according to what your company needs. We start by heading over to our JSS and creating a PreStage Enrollment.

  • Click PreStage Enrollments > +New
  • Now fill in the following PreStage information:
    • General

      • Display Name: Generic/Company Name
      • Device Enrollment Program Instance: Select your configured company DEP
      • Automatically assign new devices: Checked
      • Support Phone Number: Your IT Helpdesk/Support Number or Alternative Support Number
      • Department: Your IT Helpdesk/Support Team
      • Make MDM Profile Mandatory: Checked (the user cannot skip the Remote Management step in Setup Assistant)
      • Allow MDM Profile Removal: Unchecked (the user cannot remove the MDM profile afterwards and drop the Mac out of management)
      • Setup Assistant: [Check items you don’t want Setup Assistant to show users]
        • i.e. Setup as New or Restore, Apple ID, Terms and Conditions, App Analytics, Apple Pay, Registration, FileVault (push via your MDM), iCloud Diagnostics
        • All I let users see when they turn on the Mac for the first time is Location Services (needed to set the time and date automatically), Siri and Touch ID (only shown on Touch ID enabled Macs).
    • Account Settings

      • Personally I leave this part blank as I create these accounts in my “build” post enrollment. However, you can enable your MDM management account and create an additional local administrator here, and you can also define whether the first account the user creates on the Mac is an Admin or a Standard user. This can only be done via DEP with this setting, so if your company doesn’t give admin rights to Mac users then this payload is for you.
    • The following payloads can be configured if applicable to your setup if required, however the above is the basic information needed to get started:
      • User and Location, Passcode, Purchasing, Attachments, Certificates, Directory

 

Because we set the “Automatically assign new devices” option earlier, the Scope tab will automatically be populated with the devices purchased for that company, and the PreStage Enrollment configuration will be applied to them.

So what does this mean so far? A device purchased through Apple or a preferred supplier for the company you registered will appear in your DEP portal, which is connected to your MDM; your MDM will automatically apply the configuration we created above, so when the device turns on for the first time it runs through the PreStage Enrollment configuration.

Slick right?!

Creating your DEP Smart Group

Now you have to create a smart group using the “Enrollment Method: PreStage enrollment” criterion and your company name; we’ll need this later.

SplashBuddy

At this point the initial setup is complete: the device has enrolled into your MDM, run through the PreStage Enrollment, and meets the criteria of the “DEP Smart Group” created earlier.

Essentially, at this stage you’re done: you’ve just provisioned a Mac with thin imaging the way Apple intended, and you can create a bunch of policies in Jamf Pro that install software, apply a FileVault configuration and so on, with a trigger of enrollmentComplete, targeted at the machine via the smart group created above.

However, at this point any policies will run silently, and the initial experience for the user isn’t great. To make it slick we’re going to use SplashBuddy; it looks damn cool and you can brand it, up to a point, any way you want.

So in a nutshell, SplashBuddy is an app that can’t be closed; it reads the jamf.log while policies are running on the machine and shows a visual indicator as each one completes. It looks a little like this:

Thinking about your SplashBuddy workflow

Now you have to decide what you want to display to the end user. For example, the workflow at Just Eat is:

  • Enable FileVault
  • Install Sophos Anti-Virus
  • Re-brand the Mac – Set Desktop Background, Set Login Window Background and Set Security Policy Banner
  • Install Standard Software – Google Chrome, VPN Client, NoMAD, TeamViewer
  • Create Local Administrator account
    • (I know this could be done by the PreStage Enrollment, but it’s more for perception: the user knows we are putting an account on the machine to administer it)
  • Final Checks – Set ARD to Local Administrator, Customize the Dock (which includes Self Service)

A super simple workflow that gets the user up and running with everything the IT team needs on the machine before letting the user loose on the device. All other software is available in Self Service.

Making your workflow happen

So head over to the SplashBuddy GitHub page and download the latest stable release; you’ll need to download the Installer-1.X.zip and unzip it.

Defining your SplashBuddy Preference File

  • Open “io.fti.SplashBuddy.plist”, located in payload > Library > Preferences, in your text editor of choice
  • Now define your workflow step by step, specifying the following for each step (info on the keys can be found here):
    • canContinue – <false/>
      • This means the application can’t be closed until this step is done
    • description – Enable FileVault
    • displayName – FileVault Encryption
    • iconRelativePath – filevault.png
      • Icon placed in payload > Library > Application Support > SplashBuddy > filevault.png
    • packageName – Enable FileVault
      • IMPORTANT: Remember exactly what you call your packageName, including case, as we’ll need it later when we make it work with Jamf Pro; the filename of the blank package has to match it.
  • Once you’ve defined your entire workflow, you’ll end up with something like this:

Modify the SplashBuddy HTML window

Now you’ve got your workflow defined in your preferences, it’s time to get creative. We’re going to edit the HTML window to the left of the side bar; you can put literally whatever you want here, but we opted for an on-brand video. You’ll need to know some basic HTML for this section.

You’ll probably want to engage your Marketing team here (dimensions for the HTML window can be found here). However, you want this to be really basic and small in file size: the smaller it is, the quicker it loads for the user. Note that the example below embeds a YouTube video, so the content is streamed from the internet while the Mac is still in Setup Assistant rather than shipped inside the package; the Mac needs outbound access to YouTube at that point, and if you’d rather not depend on that, ship a local asset alongside the HTML in the payload instead.

<html>
<head>
  <meta charset="UTF-8">
</head>
<body bgcolor="#000000">
  <div>
    <iframe width="545" height="360" frameborder="0"
    src="https://www.youtube.com/embed/YOURYOUTUBEVIDEOCODEHERE?autoplay=1&amp;loop=1&amp;controls=0&amp;showinfo=0&amp;rel=0&amp;fs=0&amp;playlist=YOURYOUTUBEVIDEOCODEHERE">
    </iframe>
  </div>
</body>
</html>
  • Save your file and close.

Making your SplashBuddy Installer

With the preferences for the workflow defined and the HTML window updated with the desired content, you need to package all of this into a PKG installer.

jamf Pro – Preparing the Workflow

With the modifications to SplashBuddy complete and the installer created, we’re now going to tie the entire process together. First things first, upload your SplashBuddyInstaller PKG to your distribution points via Jamf/Casper Admin.

Next we’re going to build the workflow out of policies in Jamf Pro. We’re going to create two policies for each step (all will become clear): I’ve found this method to work more reliably, and it means I can update the policy without having to touch the SplashBuddy setup as often.

So, for example, we’re about to create step one of the workflow, which is enabling FileVault. To do this, create a new policy and populate it with the following:

  • General

    • Display Name: DEP – Filevault
    • Enabled: Checked
    • Category: Choose your relevant category
    • Trigger: Custom
      • CustomEvent: FilevaultDEP
    • Execution Frequency: Ongoing
    • Target Drive: /
  • Disk Encryption

    • Action: Apply Disk Encryption Configuration
    • Disk Encryption Configuration: FV Institutional and Individual
    • Require FileVault 2: At next login
  • Scope the policy to All Computers and All Users
  • Then hit Save to finish saving your policy

We’re not done just yet: now we have to make a blank package that calls the custom trigger for the policy you’ve just created.

  • Download and unzip this emptypkg.pkg
  • Open jamf Composer
  • Drag the emptypkg.pkg to the Packages section, then click Convert to Source

  • Now expand “emptypkg” > Scripts > right-click > Add Shell Script > postinstall
  • Let’s call your FileVault policy with the custom trigger you made earlier. In the script section enter:
    /usr/local/jamf/bin/jamf policy -event FilevaultDEP
    • The postinstall script already runs as root when the package is installed, so no sudo is needed, and the jamf binary runs the policy in the foreground, so no trailing wait is needed either: the package (and therefore the SplashBuddy step) completes when the policy finishes.
  • Rename emptypkg to the packageName you declared in your preference file for that particular step, followed by a version, so for example Enable FileVault-1.0.pkg; the name must match the packageName exactly.
  • Repeat for all the steps in your workflow.
  • Upload all the blank packages to your distribution point using Jamf Admin.

To recap: you create a set of blank packages, each of which calls a custom trigger on a policy you’ve made in Jamf Pro. SplashBuddy watches for the blank packages being installed, and each blank package’s postinstall script is what runs the real policy.
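The coupling between the packageName values in io.fti.SplashBuddy.plist and the filenames of the blank packages is the part of this workflow that most often goes wrong, so here is an added example (my code, not SplashBuddy’s, Jamf’s or the original post’s) that generates both from a single workflow list and then checks that they agree. It assumes the plist’s top-level key is applicationsArray, a package identifier prefix of com.example.splashbuddy, made-up custom trigger names for the steps other than FilevaultDEP, and pkgbuild --nopayload in place of Composer for the blank packages; adjust those to your own setup.

```python
"""Added example (not SplashBuddy's, Jamf's or the post's own code): build the
SplashBuddy preference file and the matching blank trigger packages from one
workflow definition, and check that the two agree before uploading anything.

Assumptions not taken from the post: the top-level plist key 'applicationsArray',
the identifier prefix 'com.example.splashbuddy', the custom event names other
than FilevaultDEP, and pkgbuild --nopayload instead of Composer.
"""
import plistlib
import stat
import subprocess
import tempfile
from pathlib import Path

JAMF = "/usr/local/jamf/bin/jamf"
PKG_VERSION = "1.0"   # the "-1.0" suffix the post uses on the blank packages

# (displayName, description, iconRelativePath, packageName, custom trigger)
# Steps from the post; event names other than FilevaultDEP are made up here.
WORKFLOW = [
    ("FileVault Encryption", "Enable FileVault", "filevault.png",
     "Enable FileVault", "FilevaultDEP"),
    ("Sophos Anti-Virus", "Install Sophos Anti-Virus", "sophos.png",
     "Install Sophos", "SophosDEP"),
    ("Local Administrator", "Create Local Administrator account", "admin.png",
     "Create Local Admin", "LocalAdminDEP"),
]


def step_dicts(workflow):
    """One dictionary per step, using the keys the post lists for each step."""
    return [
        {"canContinue": False,          # step must finish before SplashBuddy can close
         "description": description,
         "displayName": display_name,
         "iconRelativePath": icon,
         "packageName": package_name}
        for display_name, description, icon, package_name, _event in workflow
    ]


def write_preferences(workflow, payload_root):
    """Write payload/Library/Preferences/io.fti.SplashBuddy.plist; return its path."""
    prefs = Path(payload_root) / "Library" / "Preferences" / "io.fti.SplashBuddy.plist"
    prefs.parent.mkdir(parents=True, exist_ok=True)
    with prefs.open("wb") as fh:
        plistlib.dump({"applicationsArray": step_dicts(workflow)}, fh)
    return prefs


def pkg_filename(package_name):
    """The exact filename SplashBuddy expects to see installed for this step."""
    return f"{package_name}-{PKG_VERSION}.pkg"


def postinstall_script(custom_event):
    """postinstall runs as root under the Installer, so no sudo; exec hands the
    jamf exit status back so a failed policy surfaces as a failed install."""
    return f"#!/bin/sh\nexec {JAMF} policy -event {custom_event}\n"


def pkgbuild_argv(package_name, custom_event, scripts_dir, out_dir):
    """Command line for a payload-free package whose only job is the postinstall."""
    identifier = "com.example.splashbuddy." + custom_event.lower()   # assumed prefix
    return ["pkgbuild", "--nopayload", "--scripts", str(scripts_dir),
            "--identifier", identifier, "--version", PKG_VERSION,
            str(Path(out_dir) / pkg_filename(package_name))]


def build_pkg(package_name, custom_event, out_dir):
    """Write the postinstall script and run pkgbuild (macOS only)."""
    with tempfile.TemporaryDirectory() as scripts_dir:
        script = Path(scripts_dir) / "postinstall"
        script.write_text(postinstall_script(custom_event))
        script.chmod(script.stat().st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
        subprocess.run(pkgbuild_argv(package_name, custom_event, scripts_dir, out_dir),
                       check=True)


def missing_packages(prefs_path, pkg_dir):
    """packageName values in the plist with no matching <packageName>-1.0.pkg in pkg_dir.
    Run this before uploading with Jamf Admin: a mismatch leaves the step, and
    therefore SplashBuddy, waiting indefinitely."""
    with open(prefs_path, "rb") as fh:
        steps = plistlib.load(fh)["applicationsArray"]
    present = {p.name for p in Path(pkg_dir).glob("*.pkg")}
    return [s["packageName"] for s in steps
            if pkg_filename(s["packageName"]) not in present]


def demo():
    """Exercise the helpers offline in a temp dir; pkgbuild itself is not run."""
    with tempfile.TemporaryDirectory() as tmp:
        prefs = write_preferences(WORKFLOW, Path(tmp) / "payload")
        pkg_dir = Path(tmp) / "pkgs"
        pkg_dir.mkdir()
        before = missing_packages(prefs, pkg_dir)
        for _name, _desc, _icon, package_name, _event in WORKFLOW:
            (pkg_dir / pkg_filename(package_name)).touch()   # stand-in for pkgbuild output
        after = missing_packages(prefs, pkg_dir)
        return {"plist_written": prefs.is_file(),
                "missing_before": before, "missing_after": after}


if __name__ == "__main__":
    print(demo())
    for _name, _desc, _icon, package_name, event in WORKFLOW:
        print(" ".join(pkgbuild_argv(package_name, event, "scripts", "out")))
```

Run it on the Mac where you build the SplashBuddy installer: copy the generated payload/Library/Preferences into the installer payload, call build_pkg() for each step to produce the blank packages, and run missing_packages() against the output folder before uploading with Jamf Admin. Because the plist and the package filenames come from the same list, renaming a step in one place cannot silently break the other.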

jamf Pro – DEP Build

All aspects are now ready: you’ve created your policies and your blank packages, named exactly as listed in your SplashBuddy preference file and uploaded to your distribution points. The last thing left to do is actually make the “DEP Build”.

Your policies must be named in numbered sequence, i.e. 00, 05, 10, 20, 30, 40, 50 and so on, as this is the order in which they will run and appear in SplashBuddy.

00 and 05 are for SplashBuddy itself to run initially.

  • Create a new policy with the following:
    • General
      • Display Name: 00 Please Wait
      • Enabled: Checked
      • Category: BUILD PROCESS DEP – DO NOT TOUCH
      • Trigger: Enrollment Complete
      • Execution Frequency: Ongoing
    • Scope
      • DEP Smart Group
    • User Interaction
      • Start Message: Please Wait
  • Create your next policy with the following:
    • General
      • Display Name: 05 SplashBuddy
      • Enabled: Checked
      • Category: BUILD PROCESS DEP – DO NOT TOUCH
      • Trigger: Enrollment Complete
      • Execution Frequency: Ongoing
    • Package
      • SplashBuddyInstaller-DateTime.pkg
    • Scope
      • DEP Smart Group
  • Create your next policy with the following:
    • General
      • Display Name: 10 Filevault DEP
      • Enabled: Checked
      • Category: BUILD PROCESS DEP – DO NOT TOUCH
      • Trigger: Enrollment Complete
      • Execution Frequency: Ongoing
    • Package
      • Enable FileVault-1.0.pkg
    • Scope
      • DEP Smart Group

Repeat the process until you’ve made a policy for every step in your workflow, and you should have something that looks a little like this:

 

Let me know how you all got on down below, or drop me a message on the MacAdmins Slack if you need any help. Stay tuned for Part Two, where I’ll be covering setting up AutoPkgr and Munki to automate the download of software.

Sachin