Zero-Touch Deployment for Macs
What is Zero-Touch?
Zero-Touch deployment is a new method for provisioning College-issued, primary-user Mac computers. This method of deployment replaces the need for an ITS staff member to prepare computers before they are deployed to the client. With Zero-Touch, a computer can be delivered directly to a client without ever needing to be physically handled by ITS.
How does it work?
Apple has a program called Apple School Manager (ASM) which works in conjunction with any number of Mobile Device Management (MDM) systems. Middlebury College uses an application called Jamf Pro for MDM. When computers are enrolled into Apple School Manager, they become assigned to Middlebury College's Jamf Pro server.
When a Mac is powered on for the first time and gets an Internet connection, the first thing it does is establish a connection to Apple servers. Apple then directs the computer to connect to Middlebury's Jamf Pro server, where the computer enrolls itself into the Jamf Pro inventory. After enrollment is complete, Jamf begins to push policies, profiles and software, thereby configuring the computer automatically. Once Zero-Touch completes, a Self Service application will open on the desktop, providing the client with many options to install as the user sees fit.
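To confirm that a Mac actually went through the enrollment path described above, support staff can read the output of the macOS `profiles status -type enrollment` command. The script below is an added example, not part of the original article or Middlebury's tooling; the sample output and the hostname `jamf.example.edu` are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify the output of `profiles status -type enrollment`.

# Constructed sample output (placeholder hostname), used when not on a Mac.
SAMPLE_OK='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)
MDM server: https://jamf.example.edu:8443/mdm/ServerURL'

# Constructed sample: a Mac enrolled by hand rather than through Apple.
SAMPLE_MANUAL='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'

# field TEXT KEY -> prints the value that follows "KEY: " (first match only)
field() {
    printf '%s\n' "$1" | sed -n "s/^$2: *//p" | head -n 1
}

# enrollment_state TEXT -> prints zero-touch, manual, or unmanaged
enrollment_state() {
    dep=$(field "$1" 'Enrolled via DEP')
    mdm=$(field "$1" 'MDM enrollment')
    case "$mdm" in
        Yes*) ;;                          # device is under MDM management
        *) echo unmanaged; return 0 ;;
    esac
    case "$dep" in
        Yes*) echo zero-touch ;;          # assigned through Apple, then enrolled
        *)    echo manual ;;              # managed, but not via Apple assignment
    esac
}

# server_host TEXT -> prints the MDM server hostname when that line is present
server_host() {
    field "$1" 'MDM server' | sed -E 's#^[a-z]+://([^/:]+).*#\1#'
}

# On a Mac, read the live status; elsewhere fall back to the constructed sample.
if command -v profiles >/dev/null 2>&1; then
    out=$(profiles status -type enrollment 2>/dev/null)
else
    out=$SAMPLE_OK
fi
echo "state:  $(enrollment_state "$out")"
echo "server: $(server_host "$out")"
```

A result of `manual` or `unmanaged` on a College-issued Mac, or a server hostname other than the expected Jamf Pro server, means the device did not follow the Zero-Touch path and should be checked before use.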
Deployment steps - off campus
To begin, remove the computer from its packaging. Depending on how long the computer has been sitting, it might be necessary to connect the included charger. Open the lid of the laptop and press the start button. Note that the start button is located on the right side of the touch bar, just above the delete key.
Once the computer has completed the startup process you will be presented with the following window. Select your country from the list.
This next step is critical for the Zero-Touch process to work properly. You must either connect to Wi-Fi or use a network cable directly connected between your router/modem and computer. Either connection will work, but testing has confirmed that using a network cable is the most reliable Internet connection. Pictured below is how you would connect your new laptop to your router using a network cable and network adapter.
The second startup window you are presented with will enable you to connect via Wi-Fi. Click on the name of your Wi-Fi network, enter the password and click Continue.
Upon a successful network connection, you should now be presented with a Remote Management window. Click Continue to enroll your Mac into Middlebury’s Jamf Pro management system.
Next, you will set the time zone. Check the box next to “Set time zone automatically using current location” then click the blue button to turn on Location Services and click Continue.
After several seconds you will be presented with a Microsoft Single Sign-On login window. Enter your full firstname.lastname@example.org email address and select “Next.”
Next, you will be prompted to enter your Middlebury password and multifactor authentication code (if set up).
Enter the 6-digit authentication code from the Authenticator app from your mobile device. This code might also come to you via text message.
Re-enter your password a second time.
Finally, you will arrive at the desktop.
At this point the computer is still loading applications in the background. One such application, Sophos Anti-Virus, will automatically download and install. It is important to note that there will be an automatic restart once Sophos has finished installing.
There will be a message on the screen alerting you that the computer will restart in 60 seconds. The timeframe for the Sophos download, installation and automatic restart is completely dependent upon the speed of your Internet connection. Times can vary from 1-2 minutes on a fast connection to as much as 15-25 minutes on a very slow connection. It is wise to wait until the reboot has occurred before beginning any work on the computer.
When you reach the login screen, click on the “Local Login” button. This will present you with a shorter way to log into your Mac. Just enter your username and password. Using the Local Login button bypasses the authentication process and logs you into your profile regardless of whether you have an Internet connection.
Once the computer has rebooted, the process of logging back in is what will give you administrative privileges. This only happens once. Accounts created by subsequent logins from other users will be standard accounts.
If Self Service isn’t already open, open it by navigating to Applications/Utilities then double click on Self Service.
Use the search box in the upper left corner of the Self Service window to search for desired items. Self Service provides installers for software and printers, as well as information on how to get applications outside of Self Service (e.g., MS Office and Adobe applications).
For now, Zero-Touch deployments performed on campus must be completed using a network cable. The Jamf Connect Login application is not compatible with 802.1x Enterprise 2 wireless. MiddleburyCollege Wi-Fi will not be active at the Single Sign-On login window, and the window will produce a network error if the computer is not connected to a live Ethernet jack.
Occasionally we have seen at-home Wi-Fi drop during the setup process. This results in the following error message:
There is no way to rejoin Wi-Fi in this state. The only remedy is to connect the computer to your home router with a network cable and reboot. Once the computer regains Internet access, it should bring you to the Single Sign-On login window. If it does not, allow the computer to sit for a few minutes, then try rebooting once again.