Middlebury

Difference between revisions of "Zero-Touch Deployment for Macs"

 
(22 intermediate revisions by 4 users not shown)
Line 8: Line 8:
 
=== '''<span style="font-size:larger">How does it work?</span>''' ===
 
=== '''<span style="font-size:larger">How does it work?</span>''' ===
  
Apple has a progam called Apple School Manager (ASM) which works in conjuction with any number of Mobile Device Management (MDM) systems. Middlebury College&nbsp;uses an application called Jamf Pro for MDM. When computers are enrolled into Apple School Manager, they become assigned to Middlebury College's Jamf Pro server.
+
Apple has a program called Apple School Manager (ASM) which works in conjuction with any number of Mobile Device Management (MDM) systems. Middlebury College&nbsp;uses an application called Jamf Pro for MDM. When computers are enrolled into Apple School Manager, they become assigned to Middlebury College's Jamf Pro server.
  
 
When&nbsp;a Mac is powered on for the first time and gets an Internet connection, the first thing it does is establish a connection&nbsp;to Apple servers. Apple then directs the computer to make a connection with Middlebury's Jamf Pro server and&nbsp;then enrolls&nbsp;itself into the Jamf Pro inventory. After enrollment is complete, Jamf begins to push policies, profiles&nbsp;and software, thereby configuring it automatically. Once Zero-Touch completes, a Self Service application will open on the desktop providing the client with many options to install as the user sees fit.
 
When&nbsp;a Mac is powered on for the first time and gets an Internet connection, the first thing it does is establish a connection&nbsp;to Apple servers. Apple then directs the computer to make a connection with Middlebury's Jamf Pro server and&nbsp;then enrolls&nbsp;itself into the Jamf Pro inventory. After enrollment is complete, Jamf begins to push policies, profiles&nbsp;and software, thereby configuring it automatically. Once Zero-Touch completes, a Self Service application will open on the desktop providing the client with many options to install as the user sees fit.
Line 14: Line 14:
 
&nbsp;
 
&nbsp;
  
=== <span style="font-size: 18.252px;">'''Deployment steps - Off campus'''</span> ===
+
=== <span style="font-size:larger">'''Deployment steps'''</span> ===
  
To begin, remove the computer from its packaging. Depending on how long the computer has been sitting, It might be necessary to connect the included charger. Open the lid of the laptop and press the start button. Note that the start button is located on the right side of the touch bar, just above the delete key.
+
*'''If on campus, please join the "MiddleburyCollege" wireless.'''
 +
*'''If off campus, connect to your home wireless or wired network connection.'''&nbsp;
  
[[File:Start button.jpg|360x480px]]
+
&nbsp;
  
&nbsp;
+
To begin, remove the computer from its packaging. If using a laptop and depending on how long the computer has been sitting, it might be necessary to connect the included charger. On most laptops, opening the lid of the laptop will automatically start the computer. Otherwise press the start button as shown in the picture below. Note that the start button is located on the right side of the touch bar, just above the delete key.
  
Once the computer has completed the startup process you will be presented with the following window. You will see this window because ITS has already done some of the setup on your computer. The message within the window is simply telling you that the computer is not connected to the Internet. Click on the blue "OK" button.
+
<span style="font-size:10.5pt"><span style="line-height:107%"><span style="font-family:"><span style="color:#221100">Once the computer is powered on, the Apple Setup Assistant will guide you.&nbsp; Following are the steps you are likely to see as of July 2021.&nbsp; Estimated times in parentheses are based on a fast Internet connection by a user familiar with macOS and Middlebury login screens.</span></span></span></span>
  
[[File:First Screen.jpg|424x480px]]
+
[[File:Start button.jpg|360x480px|Start button.jpg]]
  
 
&nbsp;
 
&nbsp;
  
Click on "Network Connection" button
+
'''<u><span style="font-size:10.5pt"><span style="line-height:107%"><span style="font-family:"><span style="color:#221100">Setup Assistant: Country or Region</span></span></span></span></u>'''
 +
 
 +
<span style="font-size:10.5pt"><span style="line-height:107%"><span style="font-family:"><span style="color:#221100">Choose United States, or as appropriate.</span></span></span></span>
  
[[File:Network.jpg|424x480px]]
+
[[File:Country or Region.jpg|550x346px|Country or Region.jpg]]
  
 
&nbsp;
 
&nbsp;
  
Your computer will quickly scan for any available Wifi Signals. Click on the Network name drop-down list and select your Wifi name. Enter the Wifi password and clik the "Join" button.
+
'''<u><span style="font-size:10.5pt"><span style="line-height:107%"><span style="font-family:"><span style="color:#221100">Setup Assistant: Accessibility</span></span></span></span></u>'''
 +
 
 +
<span style="font-size:10.5pt"><span style="line-height:107%"><span style="font-family:"><span style="color:#221100">Select as needed or click “Not Now” to continue.</span></span></span></span>
  
[[File:Join your Wifi.jpg|424x480px]]
+
[[File:Accessibility.jpg|476x300px|Accessibility.jpg]]
  
 
&nbsp;
 
&nbsp;
  
Upon a successful connection, you will be presented with a Microsoft Single Sign-On login window. Enter your full username@middlebury.edu email address and select “Next.”
+
'''<u><span style="font-size:10.5pt"><span style="line-height:107%"><span style="font-family:"><span style="color:#221100">Setup Assistant: Select Your Wi-Fi Network</span></span></span></span></u>'''
  
[[File:SSO login.jpg|424x480px]]
+
<span style="font-size:10.5pt"><span style="line-height:107%"><span style="font-family:"><span style="color:#221100">Select “MiddleburyCollege” on campus or a trusted home network.&nbsp; You may plug into Ethernet instead if you prefer.</span></span></span></span>
  
&nbsp;
+
[[File:Select Wi-Fi.jpg|463x290px|Select Wi-Fi.jpg]]
  
 
&nbsp;
 
&nbsp;
  
&nbsp;
+
'''<u><span style="font-size:10.5pt"><span style="line-height:107%"><span style="font-family:"><span style="color:#221100">Setup Assistant: Remote Management (~1 minute)</span></span></span></span></u>'''
  
=== '''<span style="font-size:larger">Deployment steps&nbsp;- New&nbsp;out of box computer</span>''' ===
+
<span style="font-size:10.5pt"><span style="line-height:107%"><span style="font-family:"><span style="color:#221100">Click “Continue” or follow the link to learn more about remote management.</span></span></span></span>
  
To begin, remove the computer from its packaging. Depending on how long the computer has been sitting, It might be necessary to connect the included charger. Open the lid of the laptop and press the start button. Note that the start button is located on the right side of the touch bar, just above the delete key.
+
<span style="font-size:10.5pt"><span style="line-height:107%"><span style="font-family:"><span style="color:#221100">[[File:Remote management.jpg|458x288px|Remote management.jpg]]</span></span></span></span>
 
 
[[File:Start button.jpg|360x480px|Start button.jpg]]
 
  
 
&nbsp;
 
&nbsp;
  
Once the computer has completed the startup process you will be presented with the following window. Select your country from the list.
+
'''<u><span style="font-size:10.5pt"><span style="line-height:107%"><span style="font-family:"><span style="color:#221100">Setup Assistant: Single Sign-On</span></span></span></span></u>'''
  
'''[[File:Select country1.jpg|460x360px|Select country1.jpg]]'''
+
<span style="font-size:10.5pt"><span style="line-height:107%"><span style="font-family:"><span style="color:#221100">Log into Middlebury’s Microsoft Single Sign-On solution with your Middlebury email address and password, as well as Multi-Factor Authentication (if prompted).</span></span></span></span>
  
&nbsp;
+
[[File:SSO-email address.jpg|505x318px|SSO-email address.jpg]]
  
This next step is '''critical''' for the Zero-Touch process to work properly. You '''must''' either connect to Wi-fi or use a network cable directly connected between your router/modem and computer. Either connection will work, but testing has confirmed that using a network cable is the most reliable Internet connection. &nbsp; Pictured below is how you would connect your new laptop to your router using a network cable and network adapter.
+
[[File:SSO-enter password.jpg|505x318px|SSO-enter password.jpg]]
  
[[File:Network adapter.jpg|180x240px|Network adapter.jpg]][[File:Router1.jpg|180x240px|Router1.jpg]]
+
[[File:Approve sign-in request.jpg|505x318px|Approve sign-in request.jpg]]
  
 
&nbsp;
 
&nbsp;
  
The second startup window you are presented with will enable you to connect via Wifi. Click on the name of your Wifi, enter the password and click Continue.
+
<span style="font-size:10.5pt"><span style="line-height:107%"><span style="font-family:"><span style="color:#221100">Stay signed on?&nbsp; It is appropriate to say Yes when signing onto a personal computer or one assigned specifically for your use.</span></span></span></span>
 +
 
 +
[[File:Stay signed in.jpg|465x292px]]
  
[[File:Join Wifi.jpg|453x360px|Join Wifi.jpg]]
+
&nbsp;
  
[[File:Join Wifi1.jpg|456x360px|Join Wifi1.jpg]]
+
'''<u><span style="font-size:10.5pt"><span style="line-height:107%"><span style="font-family:"><span style="color:#221100">Setup Assistant: Remote Management setup (~2 minutes)</span></span></span></span></u>'''
 +
<p style="text-align:center" align="center"><span style="font-size:10.5pt"><span style="line-height:107%"><span style="font-family:"><span style="color:#221100">This window will provide you with progress of the setup steps.</span></span></span></span></p>
 +
[[File:Remote management again.jpg|462x291px|Remote management again.jpg]]
  
 
&nbsp;
 
&nbsp;
  
Upon a successful network connection, you should now be presented with a Remote Management window. Click Continue to enroll your Mac into Middlebury’s Jamf Pro management system.
+
'''<u><span style="font-size:10.5pt"><span style="line-height:107%"><span style="font-family:"><span style="color:#221100">Setup Assistant: Create a Computer Account</span></span></span></span></u>'''
  
[[File:Enrollment.jpg|479x360px|Enrollment.jpg]]
+
<span style="font-size:10.5pt"><span style="line-height:107%"><span style="font-family:"><span style="color:#221100">Note the Full name and Account name are already filled in based on your login, and that the account name is your full email address.&nbsp; Note that your email address will be required on your next login!&nbsp; Please enter your Middlebury email password two times here to set it for your macOS account.&nbsp; (Matching your passwords will provide improved access to services and keep your life simpler.)</span></span></span></span>
 +
 
 +
[[File:Create computer account.jpg|550x435px|Create computer account.jpg]]
  
 
&nbsp;
 
&nbsp;
  
Next, you will set the time zone. Check the box next to “Set time zone automatically using current location” then click the blue button to turn on Location Services and click Continue.
+
'''<u><span style="font-size:10.5pt"><span style="line-height:107%"><span style="font-family:"><span style="color:#221100">Setup Assistant: Enable Location Services</span></span></span></span></u>'''
  
[[File:Time zone.jpg|461x360px|Time zone.jpg]]
+
<span style="font-size:10.5pt"><span style="line-height:107%"><span style="font-family:"><span style="color:#221100">See “About Location Services” for more information.</span></span></span></span>
 +
 
 +
[[File:Enable location services.jpg|495x390px|Enable location services.jpg]]
  
 
&nbsp;
 
&nbsp;
  
After several seconds you will be presented with a Microsoft Single Sign-On login window. Enter your full username@middlebury.edu email address and select “Next.”
+
'''<u><span style="font-size:10.5pt"><span style="line-height:107%"><span style="font-family:"><span style="color:#221100">Setup Assistant: Touch ID (~3 minutes)</span></span></span></span></u>'''
  
'''[[File:SSO login.jpg|315x360px|SSO login.jpg]]'''
+
<span style="font-size:10.5pt"><span style="line-height:107%"><span style="font-family:"><span style="color:#221100">For devices with a fingerprint scanner, you may set this up as an alternative to entering your password for installations and other administrative tasks, or “Set Up Touch ID Later.”</span></span></span></span>
  
 
&nbsp;
 
&nbsp;
  
Next, you will be prompted to enter your Middlebury password and multifactor authentication code (if set up).
+
'''<u><span style="font-size:10.5pt"><span style="line-height:107%"><span style="font-family:"><span style="color:#221100">Post-Setup Assistant</span></span></span></span></u>'''
 +
 
 +
<span style="font-size:10.5pt"><span style="line-height:107%"><span style="font-family:"><span style="color:#221100">Finally, you will arrive at the desktop. Self Service will automatically open for you on your first login. You may also be prompted to allow notifications for Jamf and Sophos.&nbsp;</span></span></span></span>
  
'''[[File:Enter password.jpg|320x360px|Enter password.jpg]]'''
+
[[File:Notifications.jpg|left|287x191px|Notifications.jpg]]
  
 
&nbsp;
 
&nbsp;
  
Enter the 6-digit authentication code from the Authenticator app from your mobile device. This code might also come to you via text message.
+
&nbsp;
  
[[File:Authenticator code.jpg|320x360px|Authenticator code.jpg]]
+
&nbsp;
  
 
&nbsp;
 
&nbsp;
  
Re-enter your password a second time.
+
&nbsp;
 
 
[[File:Re-enter password.jpg|320x360px|Re-enter password.jpg]]
 
  
 
&nbsp;
 
&nbsp;
  
Finally you will arrive at the desktop.
+
<span style="font-size:10.5pt"><span style="line-height:107%"><span style="font-family:"><span style="color:#221100">There may be additional notifications as Sophos installs, and the computer will '''automatically reboot''' after five minutes.</span></span></span></span>
  
'''[[File:Desktop.jpg|480x300px|Desktop.jpg]]'''
+
<span style="font-size:10.5pt"><span style="line-height:107%"><span style="font-family:"><span style="color:#221100">[[File:Reboot message.jpg|left|245x148px|Reboot message.jpg]]</span></span></span></span>
  
 
&nbsp;
 
&nbsp;
  
At this point the computer is still loading applications in the background. One such application, Sophos Anti-Virus, will automatically download and install. It is important to note that there will be an automatic restart once Sophos has finished installing.&nbsp; &nbsp;
+
&nbsp;
  
There will be a message on the screen alerting you that the computer will restart in 60 seconds. The timeframe for the Sophos download, installation and automatic restart is completely dependent upon the speed of your Internet connection. Times can vary from 1-2 minutes on a fast connection to as much as 15-25 minutes on a very slow connection. It is wise to wait until the reboot has occurred before beginning any work on the computer. &nbsp;
+
&nbsp;
  
When you reach the login screen, click on the “Local Login” button. This will present you with a shorter way to log into your Mac. Just enter your username and password. Using the '''Local Login''' button bypasses the authentication process and logs you into your profile regardless of whether you have an Internet connection.
+
&nbsp;
  
[[File:Local login.jpg|320x360px|Local login.jpg]]
+
&nbsp;
  
Once the computer has rebooted, the process of logging back in is what will give you administrative privileges. This only happens once. Subsequent logins from other users will be created as standard accounts.
+
<span style="font-size:10.5pt"><span style="line-height:107%"><span style="font-family:"><span style="color:#221100">Upon your next login, encryption will be enabled to protect your data.&nbsp;</span></span></span></span>
  
If Self Service isn’t already open, open it by navigating to Applications/Utilities then double click on Self Service.
+
[[File:Enable FV.jpg|273x265px|Enable FV.jpg]][[File:Enabling FV.jpg|273x265px|Enabling FV.jpg]]
  
Use the search box in the upper left corner of the Self Service window to search for desired items. Self Service provides installers for software and printers, as well as information on how to get applications outside of Self Service (e. g. MS Office and Adobe applications).
+
<span style="font-size:10.5pt"><span style="line-height:107%"><span style="font-family:"><span style="color:#221100">Once back at the desktop, the setup process is complete.</span></span></span></span>
  
=== '''On-campus''' ===
+
<span style="font-size:10.5pt"><span style="line-height:107%"><span style="font-family:"><span style="color:#221100">Self Service should open automatically. Self Service can also be found by navigating to Applications/Utilities then double clicking on Self Service. Use the search box in the upper left corner of the Self Service window to search for desired items. Self Service provides installers for software and printers, as well as information on how to get applications outside of Self Service (e.g. MS Office and Adobe applications).</span></span></span></span>
  
For now, Zero-Touch deployments performed on campus must be completed using a network cable. The Jamf Connect Login application is not compatible with&nbsp;802.1x Enterprise 2 wireless. MiddleburyCollege wifi will not be active at the Single Sign-on login window and will produce a network error if not connected to a live Ethernet jack.
+
[[File:Self Service.jpg|620x364px|Self Service.jpg]]
  
 
&nbsp;
 
&nbsp;
  
&nbsp;
+
At this point the computer is still loading applications in the background. One such application, Sophos Anti-Virus, will automatically download and install. It is important to note that there will be an automatic restart once Sophos has finished installing.&nbsp; &nbsp;
  
=== '''Troubleshooting''' ===
+
If Self Service isn’t already open, open it by navigating to Applications/Utilities then double click on Self Service.
  
Occasionally we have seen at-home Wifi drop during the setup process. This results in the following error message:
+
Use the search box in the upper left corner of the Self Service window to search for desired items. Self Service provides installers for software and printers, as well as information on how to get applications outside of Self Service (e. g. MS Office and Adobe applications). &nbsp; &nbsp;
<p style="text-align: center">[[File:No Wifi.png|423x480px|No Wifi.png]]</p>
 
If you get this screen, it means there was no network throughput at a critical time. Click the OK button and let the computer sit for 15-20 minutes. It will likely come around and eventually get what it needs from Jamf Pro. If it does not,&nbsp;the only other remedy is to connect the computer to your home router with a network cable and reboot. Once the computer regains Internet access, it should bring you to the single sign-on login window. If it does not, allow the computer to sit for a while, then try rebooting once again.
 
 
 
&nbsp;
 
  
 
[[Category:Pages with broken file links]] [[Category:Hardware]] [[Category:Hardware Distribution]] [[Category:Helpdesk Documentation]] [[Category:Public Search]] [[Category:Zero touch]]
 
[[Category:Pages with broken file links]] [[Category:Hardware]] [[Category:Hardware Distribution]] [[Category:Helpdesk Documentation]] [[Category:Public Search]] [[Category:Zero touch]]

Latest revision as of 11:49, 12 August 2021

What is Zero-Touch?

Zero-Touch deployment is a new method for provisioning College-issued, primary-user Mac computers. This method of deployment replaces the need for an ITS staff member to prepare computers before they are deployed to the client. With Zero-Touch, a computer can be delivered directly to a client without ever needing to be physically handled by ITS.

 

How does it work?

Apple has a program called Apple School Manager (ASM) which works in conjuction with any number of Mobile Device Management (MDM) systems. Middlebury College uses an application called Jamf Pro for MDM. When computers are enrolled into Apple School Manager, they become assigned to Middlebury College's Jamf Pro server.

When a Mac is powered on for the first time and gets an Internet connection, the first thing it does is establish a connection to Apple servers. Apple then directs the computer to make a connection with Middlebury's Jamf Pro server and then enrolls itself into the Jamf Pro inventory. After enrollment is complete, Jamf begins to push policies, profiles and software, thereby configuring it automatically. Once Zero-Touch completes, a Self Service application will open on the desktop providing the client with many options to install as the user sees fit.

 

Deployment steps

  • If on campus, please join the "MiddleburyCollege" wireless.
  • If off campus, connect to your home wireless or wired network connection. 

 

To begin, remove the computer from its packaging. If using a laptop and depending on how long the computer has been sitting, it might be necessary to connect the included charger. On most laptops, opening the lid of the laptop will automatically start the computer. Otherwise press the start button as shown in the picture below. Note that the start button is located on the right side of the touch bar, just above the delete key.

Once the computer is powered on, the Apple Setup Assistant will guide you.  Following are the steps you are likely to see as of July 2021.  Estimated times in parentheses are based on a fast Internet connection by a user familiar with macOS and Middlebury login screens.

Start button.jpg

 

Setup Assistant: Country or Region

Choose United States, or as appropriate.

Country or Region.jpg

 

Setup Assistant: Accessibility

Select as needed or click “Not Now” to continue.

Accessibility.jpg

 

Setup Assistant: Select Your Wi-Fi Network

Select “MiddleburyCollege” on campus or a trusted home network.  You may plug into Ethernet instead if you prefer.

Select Wi-Fi.jpg

 

Setup Assistant: Remote Management (~1 minute)

Click “Continue” or follow the link to learn more about remote management.

Remote management.jpg

 

Setup Assistant: Single Sign-On

Log into Middlebury’s Microsoft Single Sign-On solution with your Middlebury email address and password, as well as Multi-Factor Authentication (if prompted).

SSO-email address.jpg

SSO-enter password.jpg

Approve sign-in request.jpg

 

Stay signed on?  It is appropriate to say Yes when signing onto a personal computer or one assigned specifically for your use.

Stay signed in.jpg

 

Setup Assistant: Remote Management setup (~2 minutes)

This window will provide you with progress of the setup steps.

Remote management again.jpg

 

Setup Assistant: Create a Computer Account

Note the Full name and Account name are already filled in based on your login, and that the account name is your full email address.  Note that your email address will be required on your next login!  Please enter your Middlebury email password two times here to set it for your macOS account.  (Matching your passwords will provide improved access to services and keep your life simpler.)

Create computer account.jpg

 

Setup Assistant: Enable Location Services

See “About Location Services” for more information.

Enable location services.jpg

 

Setup Assistant: Touch ID (~3 minutes)

For devices with a fingerprint scanner, you may set this up as an alternative to entering your password for installations and other administrative tasks, or “Set Up Touch ID Later.”

 

Post-Setup Assistant

Finally, you will arrive at the desktop. Self Service will automatically open for you on your first login. You may also be prompted to allow notifications for Jamf and Sophos. 

Notifications.jpg

 

 

 

 

 

 

There may be additional notifications as Sophos installs, and the computer will automatically reboot after five minutes.

Reboot message.jpg

 

 

 

 

 

Upon your next login, encryption will be enabled to protect your data. 

Enable FV.jpgEnabling FV.jpg

Once back at the desktop, the setup process is complete.

Self Service should open automatically. Self Service can also be found by navigating to Applications/Utilities then double clicking on Self Service. Use the search box in the upper left corner of the Self Service window to search for desired items. Self Service provides installers for software and printers, as well as information on how to get applications outside of Self Service (e.g. MS Office and Adobe applications).

Self Service.jpg

 

At this point the computer is still loading applications in the background. One such application, Sophos Anti-Virus, will automatically download and install. It is important to note that there will be an automatic restart once Sophos has finished installing.   

If Self Service isn’t already open, open it by navigating to Applications/Utilities then double click on Self Service.

Use the search box in the upper left corner of the Self Service window to search for desired items. Self Service provides installers for software and printers, as well as information on how to get applications outside of Self Service (e. g. MS Office and Adobe applications).    

Powered by MediaWiki