Auteur/autrice : Franck Sartori

White glove provisioning means that all onboarding tasks are performed during the Setup Assistant, and then the Mac shuts down, restarts or directly displays a login window, so that an end user can log in.

MOM White glove provisioning combined with macOS Automated Device Enrollment offers a similar feature as Windows Autopilot for pre-provisioned deployment. From the end user’s perspective, the User-driven experience is unchanged, but getting their Mac to a fully provisioned state is faster.

The graphical interface for White glove provisioning is demonstrated in this online video.

The key concept behind MOM White glove provisioning is that MOM is displayed on top of the Setup Assistant, which continues to run in the background. The hidden pane of the Setup Assistant should be the « Time Zone » pane, whose setting can be configured automatically by MOM.

This video showcases a workflow that does not display the « Create a Computer Account » pane of the Setup Assistant during the provisioning. When this pane is skipped, the workflow must plan a way for the end user to create an account via a mechanism of your choice once the device is provisioned. This account can be a local account when using a third party login window (Jamf Connect, XCreds, Mosyle Auth 2, NoMAD Login AD, etc.), or a mobile account when using traditional AD binding (not recommended).

When the « Create a Computer Account » pane of the Setup Assistant is not skipped, MOM is displayed on top of the Setup Assistant as soon as the local account defined is detected as created.

The « End User License Agreement » and « Device customization » steps are optional, so the provisioning can be automated once the Remote Management pane has been passed.

Requirements

• The MDM must be provisioned for AutoLauncher mode.

• The MDM must support the installation of packages while the Setup Assistant is still running.

Automated Device Enrollment configuration

The Automated Device Enrollment profile applied to devices to be provisioned is expected to skip all the Setup Assistant steps, except the « Create a Computer Account » pane if necessary (see above).

In the context of Jamf Pro, MOM Custom configuration profile must be checked in the Configuration Profiles pane of the Prestage Enrollment, but it does not have to be associated with a scope, as MOM caches its configuration at launch.

Location configuration file

Implementing White glove provisioning involves the edition of keys which are detailed in the Dictionary.

Those that should be examined first are grouped below.

• Keys located at the root level

AWAITED_ITEMS : list of items awaited before the workflow can proceed with the Postflight script step, the Device inventory step and the landing pane ; the purpose of this list of path names and bundle names is to prevent the Mac from shutting down, restarting or displaying a login window before critical items have been installed, although a timeout can be set per item.

In the context of Jamf Pro, the awaited items step also includes waiting for the end of Jamf Pro policies detected as being in progress.

UIHELPER : set to « swiftdialog ».

SWIFTDIALOG_URL : set to the URL used to download the swiftDialog package ; swiftDialog 2.3 and later requires macOS 12 and later, and earlier versions require macOS 11 and later.

TIMEZONE : set to the name of a time zone from among those returned by the systemsetup -listtimezones command ; since MOM is displayed on top of the Setup Assistant and the hidden pane of the Setup Assistant should be the « Time Zone » pane, it is recommended to set the expected time zone.

Note that the following keys are ignored, so their corresponding capabilities are forcibly disabled :

– MGTACCOUNTFILEVAULT (FileVault enablement of the management account)

– MGTACCOUNTSECURETOKEN (SecureToken granting to the management account)

– MIGRATION_CHOOSE_INVENTORY_SOURCE (choice of the inventory source for Device Customization).

• Keys located inside the PROVISIONING Dictionary

PROCESS : set to « whiteglove » to enable White glove provisioning.

FOCUS : set to « true » to blur the screen while MOM is running.

WAIT_LOCAL_ACCOUNT_CREATION : set to « true » so that MOM waits for the end user account to be created before covering the Setup Assistant ; note that MOM does not know if the Automated Device Enrollment profile plans to display the « Create a Computer Account » pane of the Setup Assistant, therefore the key exists and must be set manually.

• Keys located inside the EXIT_ACTION Dictionary

COMMAND : « logout », any « restart » and « shutdown » are honoured, and « undefined » becomes « logout » which means in the context of White glove provisioning that the Mac displays a login window once it is provisioned.

COMMAND_DELAY : set to the time in seconds after which the action is automatically triggered once the landing pane is displayed (set to « 0 » to disable the automation).

• Companion keys to name the device

COMPUTERNAME_CONFIG_AUTOLAUNCHER : this key should be set to « template » (computer name derived from a template) or « csv » (computer name retrieved from a CSV file).

COMPUTERNAME_CSV : the CSV file that dictates the computer name.

COMPUTERNAME_TEMPLATE : the template that dictates the computer name (:ModelName: and :SerialNumber: are available variables).

The Settings pane for manual naming or definition of device attributes is fully supported with White glove provisioning, but implies an interaction.

• Companion keys to ease third party login window installation

JAMF_CONNECT_INTEGRATION and JAMF_CONNECT_CONFIGURATION (inside INTEGRATIONS Dictionary) : installation and enablement of Jamf Connect.

NOMAD_INTEGRATION and NOMAD_CONFIGURATION (inside INTEGRATIONS Dictionary) : installation and enablement of NoMAD Login AD.

XCREDS_INTEGRATION and XCREDS_CONFIGURATION (inside INTEGRATIONS Dictionary) : installation of XCreds.

Mosyle Auth 2 installation is entirely under Mosyle Business or Mosyle Manager governance.

• Companion keys to ease software installations

INSTALLOMATOR_INTEGRATION and INSTALLOMATOR_CONFIGURATION > LABELS : installation of the latest available software titles planned for the onboarded device.

JAMF_PRO_INTEGRATION and JAMF_PRO_CONFIGURATION > JAMF_PRO_POLICIES > LIST (inside INTEGRATIONS Dictionary) : execution of Jamf Pro Policies triggered by their Custom event or Identifier.

MUNKI_INTEGRATION and MUNKI_CONFIGURATION > MUNKI_CHECKINAFTERSETUP (inside INTEGRATIONS Dictionary) : installation of the packages planned for the onboarded device.

Want to know more ?

MacOnboardingMate (MOM) is a wizard designed both to streamline the onboarding of a Mac in a Mobile Device Management (MDM) solution, or to orchestrate its migration from one MDM to another MDM, under the remote monitoring of the IT support. MOM can be distributed by any Apple partner as a new service.

UltimateMDM is the one you’ve chosen, or the one your Apple consultant has recommended. Our legacy or free instances of Meraki Systems Manager will no longer be available after February 7, 2024. If the product meets your needs, you can just order your licenses. If not, you must perform your MDM Switching as soon as possible.

Meraki Systems Manager does not make it easy to remove a locked Remote management profile. You’ll find below the instructions delivered in the Integration Guide of MOM release 5.16 for this specific case. Please note that updating the locked Remote management profile to the unlocked Remote management profile can take time, which is important to bear in mind if you have thousands of Macs in your fleet.

If the Remote management profile is not locked or if the Mac was enrolled using Device Enrollment, the interactions described below are not required and the migration is seamless. MOM will deal with the problem as it arises.

MOM can be distributed by any Apple partner as a new service. Licenses are not tied to a specific MDM. If the targeted MDM is not currently supported, we’ll need to coordinate.

Context of the edge case

• Migration planned from Meraki Systems Manager to UltimateMDM with AutoLauncher mode
• Device executing any version of macOS 11 and later
• Device enrolled in Meraki Systems Manager with a locked Remote Management profile
• Device assigned to an Automated Device Enrollment Profile :
  • linked to Meraki Systems Manager
  • Removable : No
• Logged in user is a standard account or an admin account

Known macOS limitations :

• the unenrollment must be performed from the same user session as the one used for the enrollment if the associated user account still exists on the device
• calls to AxM are rate limited to once every 23 hours with macOS 12.3.x, and to 10 times every 23 hours with macOS 13 and later ; these limits should be reached when fine-tuning the workflow, but not in production ; when the limitations are reached, wait for 24 hours or use a different test device.

This is the chronology of the required interactions between the IT Support and the End User.

• IT Support

• In Meraki SM :
  • Settings : Custom configuration profile that plans a migration from Meraki Systems Manager to UltimateMDM – Tag : mom
  • Apps : MOM Content and MOM Core packages – Tag : mom
  • Devices : Device selected > Tag > mom (Command > Sync apps can help to during testings)
• Webhook message received : « Workflow of type migration started »

• End User

• MOM started

	• End User User chooses to execute the migration now (postpone possible if planned)
	• End User Message displayed : « The Remote Management Profile of this device is locked. The workflow will be paused until the unenrollment is done. Please follow the displayed instructions. » Dialog displayed : « Please contact the IT Support. Once confirmed that an Automated Device Enrollment Profile that plans a removable Remote Management Profile is assigned to the device, click on Continue. » User contacts the IT Support • IT Support Webhook message received : « Device pending unenrollment from Meraki Systems Manager » In Meraki SM : Apple Automated Device Enrollment : Device assigned to an Automated Device Enrollment Profile : still linked to Meraki Systems Manager Removable : Yes Full sync IT Support confirms to the user that he can click on « Continue » • End User User clicks on « Continue »
	• End User Dialog displayed : « After clicking the Continue button, a device enrollment notification is going to be displayed in the upper right corner of the screen. Please click inside this notification and proceed to the update of the management configuration. » User clicks on « Continue »
	• End User macOS notification displayed : « Device Enrolment – Update company name configuration. » User clicks inside the notification
	• End User Profiles System Setting (macOS 13 or later) / Profiles System Preference (macOS 12 or earlier) is automatically opened macOS dialog displayed : « Update Device Enrolment? – Update management configuration for company name. » User clicks on « Update » Depending of how fast the update action is done, reminder dialog may be displayed : « The Remote Management Profile of this device is still locked. After clicking the Continue button, a device enrollment notification is going to be displayed in the upper right corner of the screen. Please click inside this notification and proceed to the update of the management configuration. » User clicks on « Continue » Once the device enrollment update is done, the Remote Management Profile becomes removable MOM deletes locally the unlocked Remote Management Profile Note : It has been observed that the Remote Management Profile may not become immediately removable ; in this situation, the update process may be triggered several times until the unenrollment can take place. • IT Support Webhook message received : « Device unenrolled from Meraki Systems Manager »
	• End User Message displayed : « The MDM enrollment provisioning of this device must be managed by the IT Support. Please follow the displayed instructions. » Dialog displayed : « Once IT support has confirmed that the device has been provisioned for enrollment with the new MDM, click on Continue. »
	• End User Message displayed if the « Continue » button is clicked before the next step is done : « The MDM enrollment provisioning is still associated to Meraki Systems Manager. Once IT support has confirmed that the device has been provisioned for enrollment with the new MDM, click on Continue. » • IT Support Webhook message received : « Device pending provisioning to enroll in UltimateMDM » In AxM : device assigned to UltimateMDM In UltimateMDM : device assigned to an Automated Device Enrollment Profile IT Support confirms to the user that he can click on « Continue » • End User User clicks on « Continue »
	• End User With macOS 14 or later, a Remote Management pane is displayed in full screen mode. With macOS 13 or earlier, a device enrollment notification is displayed in the upper right corner of the screen. The workflow is paused until the enrollment is done.
	• End User The device is enrolled in UltimateMDM and the workflow continues.