High Sierra Policy
Provided:
www.jamf.com/blog/imaging-is-dead-now-what-part-1
www.jamf.com/blog/imaging-is-dead-now-what-part-2
www.jamf.com/blog/imaging-is-dead-now-what-part-3
- Since macOS 10.13.2 and the introduction of User Approved MDM (UAMDM, https://support.apple.com/en-gb/HT208488), Jamf has changed the way a macOS device is enrolled, to give an experience similar to the one we have with iOS.
Before, we used to push a QuickAdd package containing the Jamf binary, which got installed first, then the CA certificate (if applicable) and the MDM profile. Now we push the CA certificate first (if applicable), then the MDM profile. Once both are pushed, the binary is sent to the device with an InstallApplication command, like any other MDM command. This operation can take a couple of minutes to execute because of the MDM command queuing that can occur. This can delay the Enrollment Complete trigger, since the binary may not yet be installed.
- So, in order to avoid this possible instability of the Enrollment Complete trigger with DEP, we recommend relying on the Next Check-in trigger combined with the Once per computer frequency.
- A more advanced configuration would be to create a custom trigger used to distribute all our setup policies (quite often also named with numbers ranked by 10), and to call them from one policy that triggers this execution.
Example: we would create a custom trigger (called setup), and all our setup policies would use this trigger. We would organise them in numerical-alphabetical order. Then we would create a policy that runs on Next Check-in / Once per computer and calls every policy triggered by the event 'setup'. We would do this with a Files and Processes payload executing the command 'jamf policy -event setup'.
That's just an example, of course, and you're free to be as creative as you wish.
I hope that gives you a bit of context and will help you to succeed in your management of macOS devices.
Provided: https://github.com/JAMFSupport/FileVault2_Scripts
Talked about SecureToken
SecureToken is indeed a big topic for many companies, as the documentation about it is a bit limited.
Usually a mobile account is supposed to get a popup window asking for local admin credentials in order to grant a SecureToken to the mobile account.
The behavior is described here: https://soundmacguy.wordpress.com/2018/06/02/bypassing-the-securetoken-dialog-for-mobile-accounts/
There are a couple of commands to execute in order to give a specific user a SecureToken. Most of them are discussed here:
https://derflounder.wordpress.com/2018/01/20/secure-token-and-filevault-on-apple-file-system/
As we don't have a "best practice" for this and for how to deal with it, I would recommend asking on Jamf Nation what other admins are doing and what their current workflow is. Each situation is unique, and a workflow that I might give may not fit your situation. Many admins have probably found a workaround for this, and some of their workarounds would most likely fit your needs.
It's discussed here, for example: https://www.jamf.com/jamf-nation/discussions/27669/pre-stage-enrollment-issue-with-10-13-4-popping-up-securetoken-window-message-after-logging-into-ad-for-the-first-time
Apple Open Radar link: https://openradar.appspot.com/38485212
As you will read on the Radar, this is unfortunately expected behavior.
Sophos also wrote an article about this: https://community.sophos.com/kb/en-us/128052
I also wanted to add some insights from other cases that we had in the past:
"It is possible to grant a SecureToken without any user interaction with a script, although please note that it does require the script to have the username and password for both the administrator account that already has a SecureToken AND the mobile account we are targeting. This is an example of the command we would use:
/usr/sbin/sysadminctl -adminUser admin_username_here -adminPassword admin_pass_here -secureTokenOn mobile_username_here -password mobile_pass_here
This works because we are providing the credentials for both accounts inside the command, removing the need for any user interaction. Afterwards we'll see that the mobile account has a SecureToken and can be used to unlock the disk.
Note that this script may only work successfully on later versions of macOS 10.13. Earlier versions of the OS required the 'interactive' flag, which caused the user to be prompted for credentials. I've successfully tested this today on macOS 10.13.6."
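As an added example (not from the original notes, nor Jamf's or the quoted admin's code), here is a small shell wrapper around the command quoted above that checks the target user's SecureToken state before granting it and verifies the result afterwards. It assumes the `sysadminctl -secureTokenStatus` output line contains "Secure token is ENABLED for user ..." or "Secure token is DISABLED for user ...", as on macOS 10.13; the function names are mine.

```shell
#!/bin/bash
# Added example, not part of the original notes or of any Jamf script.
# Parses the text that `sysadminctl -secureTokenStatus <user>` prints
# (assumed format: "... Secure token is ENABLED|DISABLED for user <name>")
# and normalises it to one of: enabled, disabled, unknown.
secure_token_state() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo "enabled"  ;;
    *"Secure token is DISABLED"*) echo "disabled" ;;
    *)                            echo "unknown"  ;;
  esac
}

# Live query on a Mac. sysadminctl reports on stderr, hence 2>&1.
# Where sysadminctl does not exist (any non-macOS host) the state is "unknown",
# so the grant below is never attempted blindly.
query_token_state() {
  command -v sysadminctl >/dev/null 2>&1 || { echo "unknown"; return 0; }
  secure_token_state "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# Grant a SecureToken to the target only when it does not already hold one,
# then re-check. Arguments: admin_user admin_pass target_user target_pass
# Prints the final state and returns 0 only when the target ends up "enabled".
# Note: the passwords are passed as arguments, so they are visible to anyone
# who can list processes while the command runs; never echo or log this line.
grant_token_if_missing() {
  admin_user="$1"; admin_pass="$2"; target="$3"; target_pass="$4"
  state="$(query_token_state "$target")"
  if [ "$state" = "disabled" ]; then
    /usr/sbin/sysadminctl -adminUser "$admin_user" -adminPassword "$admin_pass" \
      -secureTokenOn "$target" -password "$target_pass" >/dev/null 2>&1
    state="$(query_token_state "$target")"
  fi
  echo "$state"
  [ "$state" = "enabled" ]
}
```

Run it as `grant_token_if_missing localadmin 'adminpw' mobileuser 'userpw'` from a script that is not itself logged; a non-zero exit means the token was not confirmed and the workflow should stop rather than proceed to FileVault steps.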
Talked about this:
https://www.jamf.com/jamf-nation/articles/148/updating-the-computer-name-of-managed-computers
and that: https://github.com/kcrawford/dockutil