A few years ago, we discovered that Faronics' Deep Freeze wouldn't work with Apple's Fusion Drives. So, we followed instructions published by others (ones I consolidated into a previous blog post) to split the fusion drive / core storage volume. Ever since then, we've been chasing the next issue with Mac imaging (APFS, for example). This summer, we finally abandoned the idea of Mac imaging altogether. We have yet to see how it will go once the students return to campus, but we've settled on a process that resolves our immediate roadblocks while simultaneously addressing some of our older concerns (some of the ones leading us to Deep Freeze and imaging in the first place).
We've started looking at more robust and/or consolidated solutions (Jamf, Apple Server), but are classically understaffed and overtasked, so we're charging through this transitional summer as macOS survivalists putting our Quest SMA to the test. If we aren't the last to make this transition, here's what my first round attempt looks like so far (I will, of course, refine as we validate):
Manual tasks
This is where we will continue to pursue automation options over the next year with device enrollment (maybe?).
Install the latest OS on systems we're refreshing
Walk through initial setup
Install the KACE agent
SMA Managed Installations
These installations currently use device name-based smart labels.
System Center Endpoint
our NAC policy key
Chrome
Firefox
SMA Scripted Installations - Run Once
So far, these are clusters of tasks. As we verify they are working as we expect, I'll begin creating more logical clusters or migrating them to Managed Installations so there aren't quite so many manual steps.
Task for overall system setup:
sudo systemsetup -setusingnetworktime on -setnetworktimeserver TIMESERVERNAME -setremotelogin on
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -users USERNAME -privs -all -restart -agent -menu
sudo defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool true
sudo defaults write /Library/Preferences/com.apple.TimeMachine DoNotOfferNewDisksForBackup -bool true
sudo pmset repeat poweron MTWRFSU 6:30:00
sudo pmset -a displaysleep 180 disksleep 0 sleep 0
Microsoft Office Suite install - will be migrating to Managed Installation
Microsoft Office Suite enable updates - using mobileconfig
Microsoft Office Suite bypass initial setup:
sudo defaults write /Library/Preferences/com.microsoft.Word kSubUIAppCompletedFirstRunSetup1507 -bool true
sudo defaults write /Library/Preferences/com.microsoft.PowerPoint kSubUIAppCompletedFirstRunSetup1507 -bool true
sudo defaults write /Library/Preferences/com.microsoft.Excel kSubUIAppCompletedFirstRunSetup1507 -bool true
sudo defaults write /Library/Preferences/com.microsoft.OneNote kSubUIAppCompletedFirstRunSetup1507 -bool true
sudo defaults write /Library/Preferences/com.microsoft.Outlook kSubUIAppCompletedFirstRunSetup1507 -bool true
Bind to domain:
sudo dsconfigad -add DOMAIN -username SERVICEACCOUNT -password SERVICEACCOUNTPASSWORD -domain DOMAIN -ou "OU= ,DC= ..." -mobile enable -mobileconfirm disable -localhome disable -useuncpath disable -groups "DOMAIN\ADMINGROUPNAME" -alldomains enable -passinterval 0
Install Flash Player NPAPI - will be migrating to Managed Installation
Install Flash Player PPAPI - will be migrating to Managed Installation
Enable right click - using mobileconfig
Task to hide setup prompts at initial login and disable DS store file creation:
# OS version and build recorded so Setup Assistant treats this release as already seen
sw_vers=$(/usr/bin/sw_vers -productVersion)
sw_build=$(/usr/bin/sw_vers -buildVersion)
for USER_TEMPLATE in "/System/Library/User Template"/*
do
    # Suppress the iCloud, gesture and Siri prompts for accounts created from this template
    /usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.SetupAssistant DidSeeCloudSetup -bool TRUE
    /usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.SetupAssistant GestureMovieSeen none
    /usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.SetupAssistant LastSeenCloudProductVersion "${sw_vers}"
    /usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.SetupAssistant LastSeenBuddyBuildVersion "${sw_build}"
    /usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.SetupAssistant DidSeeSiriSetup -bool TRUE
    # Stop .DS_Store files from being written to network shares
    /usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.desktopservices DSDontWriteNetworkStores -bool TRUE
done
Task to bypass the Secure Token Prompt - using mobileconfig
Scripted Installation - set to run every night
Delete non-persistent user accounts:
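# List the top-level folders in /Users; -mindepth 1 keeps /Users itself out of the list
users=`find /Users -mindepth 1 -maxdepth 1 -type d | cut -d"/" -f3`
for i in $users
do
    # Accounts and folders to keep; every other folder in /Users (Shared included) is removed
    if [ "$i" = "PERSISTENTACCOUNT" ] || [ "$i" = "PERSISTENTACCOUNT" ] || [ "$i" = "PERSISTENTACCOUNT" ]
    then
        continue
    else
        # echo "then"$i
        # Remove the account record, then its home folder (paths quoted so an odd name cannot split)
        dscl . -delete "/Users/$i"
        rm -rf "/Users/$i"
    fi
done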
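A dry-run-first variant of the nightly cleanup above, added here as an example and not the author's script: it selects purge candidates against an allowlist, refuses an empty or root path, and skips symlinked folders and the user at the console. KEEP_ACCOUNTS, DRY_RUN and the function names are assumptions made for this example.

```shell
#!/bin/bash
# Added example, not the author's script. KEEP_ACCOUNTS, DRY_RUN and the
# function names are assumptions for illustration.
KEEP_ACCOUNTS="Shared admin labmanager"   # hypothetical allowlist, space separated

# Print, one per line, each directory name under $1 that is not in allowlist $2.
list_purge_candidates() {
    users_root="$1"; keep="$2"
    # Accept only an absolute path below /, never "" or "/" itself.
    case "$users_root" in
        /?*) ;;
        *) echo "refusing users root: '$users_root'" >&2; return 1 ;;
    esac
    for home in "$users_root"/*/; do
        [ -d "$home" ] || continue          # glob matched nothing
        [ -L "${home%/}" ] && continue      # never follow a symlinked home
        name=$(basename "$home")
        case " $keep " in
            *" $name "*) continue ;;        # allowlisted, leave it alone
        esac
        printf '%s\n' "$name"
    done
}

# Remove each candidate; DRY_RUN defaults to 1 and only reports.
purge_accounts() {
    users_root="$1"; keep="$2"
    # macOS idiom for the user logged in at the console; empty if unavailable
    console_user=$(stat -f %Su /dev/console 2>/dev/null || true)
    list_purge_candidates "$users_root" "$keep" | while IFS= read -r name; do
        [ "$name" = "$console_user" ] && continue   # someone is still logged in
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "would delete: $name"
        else
            dscl . -delete "/Users/$name"
            # :? aborts instead of expanding to "/" if either value is empty
            rm -rf -- "${users_root:?}/${name:?}"
        fi
    done
}

# On a lab Mac, as root, review the report first:
#   DRY_RUN=1 purge_accounts /Users "$KEEP_ACCOUNTS"
```

Run it with DRY_RUN=1 for a few nights and compare the report against the smart label membership before switching to DRY_RUN=0.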