Customer Spotlight: Tom Bridge’s macOS Deployment Playbook

This is the first article in our Customer Spotlight series. The goal of this series is to take a closer look at the unique strategies that our customers are using for their deployments, and in doing so, provide insight into the different ways that Apple Admins are solving common problems.

Who is Tom Bridge?

Tom Bridge is a partner at Technolutionary, Inc, where he acts as an Apple IT consultant and Mac administrator. Tom is also the producer and host of the MacAdmins.org Podcast and is a regular conference speaker at MacDevOps YVR, Penn State Mac Admins, MacADUK, MacTech, and MacDeploy conferences.

Tom manages numerous customer deployments with SimpleMDM. We are honored that he was willing to share his strategy for this article. Thanks, Tom!

Tom’s Goals

A macOS deployment workflow with minimal end-user and administrator interaction

Keep users well-informed about the magic happening behind the scenes and what to expect

Provide the user with clear guidance on what steps must be taken

Minimize security risks and administrative costs

“Good technical solutions paired with good human solutions”

Tools Used

It Starts with Something Tangible

The initial step of Technolutionary’s deployment workflow comes even before devices are activated. Prior to being handed over to their eventual user, a printed introductory guide is included with the computer. It explains exactly what the user should expect after activating their device, includes detailed instructions on the aspects of the deployment that require their interaction, and tells them whom to contact if they encounter difficulties. This step is significant for Technolutionary because it demonstrates how they are able to align with their goal of “good technical solutions paired with good human solutions”.

Apple DEP and User Account Setup

Once devices are activated, they proceed to check in with Apple DEP and, as a result, enroll with SimpleMDM. The DEP settings are configured to skip a few Setup Assistant screens, but Technolutionary allows users to see most of these panes and choose their own configurations. In addition, the DEP configuration is set up to automatically create a local admin account, prompt the user to create their own local admin account, and assign the device to a specific, initial device group within SimpleMDM. The only initial configuration profile this group applies via MDM is the FileVault profile – this forces the user to enable FileVault after a certain number of logins and escrows the recovery key to SimpleMDM.

Wiring Munki + AWS CloudFront, JumpCloud, and More

Though this initial group may not always be the device’s end destination, it plays another vital role in the deployment process. Through this group, the InstallApplications package is deployed to the device via the ‘InstallEnterpriseApplication’ command during enrollment. When used as this initial package, InstallApplications can be used to run scripts preflight (before reaching the Setup Assistant screens), and to install many other configurations and applications during the Setup Assistant phase and/or at the time of user account creation.

In the case of this deployment, the InstallApplications package downloads a JSON file hosted on a Technolutionary web server. This JSON file instructs InstallApplications to download and install a handful of packages during the Setup Assistant phase. Amongst them are an install script for JumpCloud, a Munki-Cloudfront package, the various required Munki-tools packages, and the DEPNotify package.
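As an added example (not Technolutionary’s own file or the InstallApplications project’s code), here is a constructed bootstrap JSON in the stage-by-stage layout InstallApplications reads, together with a checker that applies the two checks a practitioner wants before trusting such a file: every download URL is HTTPS, and the SHA-256 hash recorded for each item matches the bytes actually fetched. The URLs, package identifiers and payload bytes are constructed placeholders.

```python
import hashlib
import json
from urllib.parse import urlparse

# Constructed stand-ins for the package and script bytes the web server would serve.
SAMPLE_FILES = {
    "https://pkgs.example.com/munki-cloudfront.pkg": b"constructed munki-cloudfront pkg",
    "https://pkgs.example.com/depnotify.pkg": b"constructed depnotify pkg",
    "http://pkgs.example.com/jumpcloud.sh": b"#!/bin/sh\necho constructed jumpcloud installer\n",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed bootstrap JSON in the InstallApplications stage layout (preflight,
# setupassistant, userland); hashes are the sha256 of the sample bytes above.
BOOTSTRAP_JSON = json.dumps({
    "preflight": [],
    "setupassistant": [
        {"name": "Munki CloudFront", "type": "package", "packageid": "com.example.munki-cloudfront",
         "version": "1.0", "file": "/Library/installapplications/munki-cloudfront.pkg",
         "url": "https://pkgs.example.com/munki-cloudfront.pkg",
         "hash": sha256_hex(SAMPLE_FILES["https://pkgs.example.com/munki-cloudfront.pkg"])},
        {"name": "DEPNotify", "type": "package", "packageid": "com.example.depnotify",
         "version": "1.1", "file": "/Library/installapplications/depnotify.pkg",
         "url": "https://pkgs.example.com/depnotify.pkg",
         "hash": "0" * 64},  # stale or tampered entry: hash will not match the bytes
    ],
    "userland": [
        {"name": "JumpCloud agent", "type": "rootscript",
         "file": "/Library/installapplications/jumpcloud.sh",
         "url": "http://pkgs.example.com/jumpcloud.sh",  # plain http: rejected below
         "hash": sha256_hex(SAMPLE_FILES["http://pkgs.example.com/jumpcloud.sh"])},
    ],
})

def fetch_sample(url: str) -> bytes:
    """Stand-in for the HTTPS download; serves the constructed bytes."""
    return SAMPLE_FILES[url]

def verify_bootstrap(bootstrap_json: str, fetch=fetch_sample) -> dict:
    """Check every item in every stage; map item name -> 'ok' or the reason it was rejected."""
    results = {}
    for _stage, items in json.loads(bootstrap_json).items():
        for item in items:
            name = item.get("name", item["file"])
            if urlparse(item["url"]).scheme != "https":
                results[name] = "rejected: non-https url"
            elif len(item.get("hash", "")) != 64:
                results[name] = "rejected: missing sha256"
            elif sha256_hex(fetch(item["url"])) != item["hash"]:
                results[name] = "rejected: sha256 mismatch"
            else:
                results[name] = "ok"
    return results
```

Running `verify_bootstrap(BOOTSTRAP_JSON)` accepts the Munki CloudFront entry and rejects the other two, which is the behaviour to expect from the real tool when an entry is stale or served over plain HTTP.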

The signed Munki-Cloudfront package is particularly noteworthy. Technolutionary’s Munki repository is hosted on an AWS CloudFront CDN, and this package installs the verification keys necessary for devices to access the Munki repo. This acts as a security layer to prevent unwanted devices from accessing the contents of the Munki repo. It also helps minimize hosting costs and makes access to the repo easier to track.

Providing the User with Feedback Using DEPNotify

InstallApplications also writes a configuration for DEPNotify that tells it what to do next. It is at this point that InstallApplications hands off to DEPNotify to take over the rest of the process. After the end-user has completed the Setup Assistant panes and has logged in, DEPNotify launches a window from the Technolutionary website that provides details to the user about what is going to happen and instructions on what steps to take. The first step is to download and install the Managed Software Center. Once installed, the user is prompted to click “Next Step” to complete a series of additional tasks, such as confirming that LastPass and other software installed successfully, logging in to G Suite and changing their password, and signing in to Slack.

Once all of these steps have been completed, the user is informed that their machine setup is finished and they are all set. In some cases, this is the last step. In others, admins may re-assign the device to a new group within SimpleMDM to apply other configurations and install additional applications. Tom mentioned that they may be looking to automate this process even further by utilizing the SimpleMDM API to check which group a device belongs in and have it re-assigned to that group automatically.

Have a question about this deployment? Leave a comment below and we’ll do our best to address it.