White glove provisioning means that all onboarding tasks are performed during the Setup Assistant, and then the Mac shuts down, restarts or directly displays a login window, so that an end user can log in.
MOM White glove provisioning combined with macOS Automated Device Enrollment offers a similar feature as Windows Autopilot for pre-provisioned deployment. From the end user’s perspective, the User-driven experience is unchanged, but getting their Mac to a fully provisioned state is faster.
The graphical interface for White glove provisioning is demonstrated in this online video.
The key concept behind MOM White glove provisioning is that MOM is displayed on top of the Setup Assistant, which continues to run in the background. The hidden pane of the Setup Assistant should be the « Time Zone » pane, whose setting can be configured automatically by MOM.
This video showcases a workflow that does not display the « Create a Computer Account » pane of the Setup Assistant during the provisioning. When this pane is skipped, the workflow must plan a way for the end user to create an account via a mechanism of your choice once the device is provisioned. This account can be a local account when using a third party login window (Jamf Connect, XCreds, Mosyle Auth 2, NoMAD Login AD, etc.), or a mobile account when using traditional AD binding (not recommended).
When the « Create a Computer Account » pane of the Setup Assistant is not skipped, MOM is displayed on top of the Setup Assistant as soon as the local account defined is detected as created.
The « End User License Agreement » and « Device customization » steps are optional, so the provisioning can be automated once the Remote Management pane has been passed.
Requirements
• The MDM must be provisioned for AutoLauncher mode.
• The MDM must support the installation of packages while the Setup Assistant is still running.
Automated Device Enrollment configuration
The Automated Device Enrollment profile applied to devices to be provisioned is expected to skip all the Setup Assistant steps, except the « Create a Computer Account » pane if necessary (see above).
In the context of Jamf Pro, MOM Custom configuration profile must be checked in the Configuration Profiles pane of the Prestage Enrollment, but it does not have to be associated with a scope, as MOM caches its configuration at launch.
Location configuration file
Implementing White glove provisioning involves the edition of keys which are detailed in the Dictionary.
Those that should be examined first are grouped below.
• Keys located at the root level
AWAITED_ITEMS : list of items awaited before the workflow can proceed with the Postflight script step, the Device inventory step and the landing pane ; the purpose of this list of path names and bundle names is to prevent the Mac from shutting down, restarting or displaying a login window before critical items have been installed, although a timeout can be set per item.
In the context of Jamf Pro, the awaited items step also includes waiting for the end of Jamf Pro policies detected as being in progress.
UIHELPER : set to « swiftdialog ».
SWIFTDIALOG_URL : set to the URL used to download the swiftDialog package ; swiftDialog 2.3 and later requires macOS 12 and later, and earlier versions require macOS 11 and later.
TIMEZONE : set to the name of a time zone from among those returned by the systemsetup -listtimezones command ; since MOM is displayed on top of the Setup Assistant and the hidden pane of the Setup Assistant should be the « Time Zone » pane, it is recommended to set the expected time zone.
Note that the following keys are ignored, so their corresponding capacities are forcibly disabled :
– MGTACCOUNTFILEVAULT (FileVault enablement of the management account)
– MGTACCOUNTSECURETOKEN (SecureToken granting to the management account)
– MIGRATION_CHOOSE_INVENTORY_SOURCE (choice of the inventory source for Device Customization).
• Keys located inside the PROVISIONING Dictionary
PROCESS : set to « whiteglove » to enable White glove provisioning.
FOCUS : set to « true » to blur the screen while MOM is running.
WAIT_LOCAL_ACCOUNT_CREATION : set to « true » so that MOM waits for the end user account to be created before covering the Setup Assistant ; note that MOM does not know if the Automated Device Enrollment profile plans to display the « Create a Computer Account » pane of the Setup Assistant, therefore the key exists and must be set manually.
• Keys located inside the EXIT_ACTION Dictionary
COMMAND : « logout », any « restart » and « shutdown » are honoured, and « undefined » becomes « logout » which means in the context of White glove provisioning that the Mac displays a login window once it is provisioned.
COMMAND_DELAY : set to the time in seconds after which the action is automatically triggered once the landing pane is displayed (set to « 0 » to disable the automation).
• Companion keys to name the device
COMPUTERNAME_CONFIG_AUTOLAUNCHER : this key should be set to « template » (computer name derived from a template) or « csv » (computer name retrieved from a CSV file).
COMPUTERNAME_CSV : the CSV file that dictates the computer name.
COMPUTERNAME_TEMPLATE : the template that dictates the computer name (:ModelName: and :SerialNumber: are available variables).
The Settings pane for manual naming or definition of device attributes is fully supported with White glove provisioning, but implies an interaction.
• Companion keys to ease third party login window installation
JAMF_CONNECT_INTEGRATION and JAMF_CONNECT_CONFIGURATION (inside INTEGRATIONS Dictionary) : installation and enablement of Jamf Connect.
NOMAD_INTEGRATION and NOMAD_CONFIGURATION (inside INTEGRATIONS Dictionary) : installation and enablement of NoMAD Login AD.
XCREDS_INTEGRATION and XCREDS_CONFIGURATION (inside INTEGRATIONS Dictionary) : installation of XCreds.
Mosyle Auth 2 installation is entirely under Mosyle Business or Mosyle Manager governance.
• Companion keys to ease software installations
INSTALLOMATOR_INTEGRATION and INSTALLOMATOR_CONFIGURATION > LABELS : installation of the latest available software titles planned for the onboarded device.
JAMF_PRO_INTEGRATION and JAMF_PRO_CONFIGURATION > JAMF_PRO_POLICIES > LIST (inside INTEGRATIONS Dictionary) : execution of Jamf Pro Policies triggered by their Custom event or Identifier.
MUNKI_INTEGRATION and MUNKI_CONFIGURATION > MUNKI_CHECKINAFTERSETUP (inside INTEGRATIONS Dictionary) : installation of the packages planned for the onboarded device.
Want to know more ?
MacOnboardingMate (MOM) is a wizard designed both to streamline the onboarding of a Mac in a Mobile Device Management (MDM) solution, or to orchestrate its migration from one MDM to another MDM, under the remote monitoring of the IT support. MOM can be distributed by any Apple partner as a new service.
Les commentaires sont fermés.