Getting Started

Joe Workman edited this page Jan 16, 2020 · 4 revisions

Requirements and Definitions

The following items are required to set up the MDM-Prestage-User-Enrollment workflow.

An Apple Device Enrollment (DEP) Account

  • The Apple DEP portal was initially launched as a stand-alone console but now exists as a nested feature within Apple Business Manager.

An MDM server integrated with Apple DEP

To implement this zero-touch workflow, an MDM server must be configured to deploy the MDM profiles and the PKG payload to DEP-enrolled machines.

An Apple Developer Account

An Apple Developer Account is required to sign the macOS package created in this workflow.

  • Need an Apple Developer Account? Click here to sign up.
  • A "Developer ID Installer" certificate is required to sign packages. The Developer ID Installer certificate must be imported into Keychain Access before it can be used to sign packages.

WhiteBox Packages or an alternative macOS packaging tool

The JumpCloud Bootstrap configuration script configured in this guide must be packaged and signed using an Apple Developer ID.

The users you wish to enroll using this zero-touch workflow must be added to the JumpCloud directory.

Component Definitions

The following terms are commonly used throughout the configuration guide. Refer to these definitions if a configuration step is unclear.

DEP: The Apple Automated Enrollment program, formerly and still commonly known as the Apple Device Enrollment Program.

MDM Server: A Mobile Device Management server registered with Apple DEP.

jumpcloud_bootstrap_template.sh: The template .sh file that contains the logic for the zero-touch workflow. This file has variables that must be populated with org-specific settings and has fields to populate with a user configuration module. This .sh file is converted to a PKG; that PKG is the payload which, when run, drives the zero-touch workflow.

LaunchDaemon: A LaunchDaemon will be created to drive the completion of the jumpcloud_bootstrap_template.sh script. LaunchDaemons are processes which run as root and are invoked at system startup.

Enrollment User: The admin account pushed down via the MDM. Logging into this account is the first step in kicking off the zero-touch workflow. This account is taken over and deactivated on the system during the zero-touch workflow. Logging in with an Enrollment User is required to install the JumpCloud service account which manages SecureTokens and FileVault enabled users.

JumpCloud Service Account: The JumpCloud Service Account is created using the Enrollment User credentials. The JumpCloud Service Account is required to manage SecureTokens and FileVault enabled users. This user is created as a hidden user on macOS computers.

JumpCloud Decryption User: The UID of this account is used to encrypt the JumpCloud API key in tandem with the JumpCloud Org ID (find your Org ID) using an encryption function. The encryption function is located within the jumpcloud_bootstrap_template.sh file and is titled "EncryptKey()". The Decryption User account is pushed down to a computer during zero-touch enrollment, and its UID is used to decrypt the "$ENCRYPTED_KEY" variable.
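The following is an added illustration of the scheme described above, written for this page and not the template's own EncryptKey() function: the API key is encrypted under a passphrase derived from the Decryption User's UID and the Org ID, and only a system that presents the same UID and Org ID can recover it. The openssl-based construction, the demo API key, the Org ID and the UID of 1001 are all assumptions made for the example.

```shell
#!/bin/sh
# Added example: bind a secret to the Decryption User's UID and the Org ID.
# Not the project's EncryptKey(); the openssl construction below is an assumption.

# Derive the symmetric passphrase from the two context values the page names.
derive_passphrase() {
    printf '%s:%s' "$1" "$2"
}

# Encrypt a secret under UID + Org ID; base64 output fits in a shell variable.
encrypt_key() {
    secret="$1"; uid="$2"; org_id="$3"
    printf '%s' "$secret" | openssl enc -aes-256-cbc -pbkdf2 -a -A \
        -pass "pass:$(derive_passphrase "$uid" "$org_id")"
}

# Decrypt; returns non-zero if the UID/Org ID pair does not match the blob.
decrypt_key() {
    blob="$1"; uid="$2"; org_id="$3"
    printf '%s' "$blob" | openssl enc -d -aes-256-cbc -pbkdf2 -a -A \
        -pass "pass:$(derive_passphrase "$uid" "$org_id")" 2>/dev/null
}

# Constructed demo values (not real JumpCloud identifiers).
DEMO_API_KEY="example-api-key-0000"
DEMO_ORG_ID="example-org-id"
DEMO_UID=1001

# Happy path: the enrolled system, holding the right UID and Org ID, recovers the key.
roundtrip_ok() {
    blob=$(encrypt_key "$DEMO_API_KEY" "$DEMO_UID" "$DEMO_ORG_ID")
    out=$(decrypt_key "$blob" "$DEMO_UID" "$DEMO_ORG_ID")
    [ "$out" = "$DEMO_API_KEY" ]
}

# Failure mode: a different UID must not yield the key (padding check or mismatch).
wrong_uid_fails() {
    blob=$(encrypt_key "$DEMO_API_KEY" "$DEMO_UID" "$DEMO_ORG_ID")
    out=$(decrypt_key "$blob" 1002 "$DEMO_ORG_ID") && [ "$out" = "$DEMO_API_KEY" ] && return 1
    return 0
}

# Stand-alone run: print the blob an admin would paste into $ENCRYPTED_KEY.
encrypt_key "$DEMO_API_KEY" "$DEMO_UID" "$DEMO_ORG_ID"
```

Note that a UID is a small integer and the Org ID is shared by every system in the org, so the passphrase has little entropy of its own; the value of the scheme is in tying recovery of the key to an account that is only present during enrollment and is deactivated afterwards, which is why the workflow removes the Decryption User from the system when it finishes.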

JumpCloud System Context API: A method for authenticating to the JumpCloud API without an API key. A system can modify only its own direct associations using this authentication method. Learn more here.

JumpCloud DEP Enrollment User Group: A JumpCloud user group which contains two members, the Enrollment User account and the JumpCloud Decryption User account. This user group is bound to the JumpCloud DEP Enrollment System Group.

JumpCloud DEP Enrollment System Group: The JumpCloud system group that a system adds itself to using System Context API authentication. When a system adds itself to the DEP Enrollment System Group, the Enrollment User account is taken over and converted to a standard user. The JumpCloud Decryption User is then bound to the machine. The zero-touch workflow removes the system from this group after DEP enrollment, which deactivates both the Enrollment User and the JumpCloud Decryption User accounts.

JumpCloud DEP POST Enrollment User Group: A JumpCloud user group which contains one member, the Default Admin account. This user group is bound to the JumpCloud DEP POST Enrollment System Group.

JumpCloud DEP POST Enrollment System Group: The JumpCloud system group that a system adds itself to at the end of DEP enrollment. When a system adds itself to the DEP POST Enrollment System Group, the Default Admin account is bound to the system.

JumpCloud Bootstrap PKG: The product archive package created from a configured jumpcloud_bootstrap_template.sh file using WhiteBox Packages or an alternative macOS PKG building tool.

DEPNotify: The application that drives the UI of the zero-touch workflow.

JumpCloud Agent: The JumpCloud Agent is installed after the Enrollment User signs in. This agent manages local accounts on macOS computers and creates the JumpCloud Service Account.

JumpCloud API: The JumpCloud API is used in jumpcloud_bootstrap_template.sh to drive the zero-touch workflow. Administrators of a JumpCloud Multi-Tenant Portal (MTP) have admin access to all organizations within that portal, so they must configure a single-tenant administrator account for each organization they intend to implement this workflow with. The API key used when configuring this workflow must belong to a unique, single-tenant organization administrator so that the key is specific to one org. MTP admins should not use their MTP admin API key to configure this workflow; they should follow the API key instructions under Variable Definitions in Step 3.

Password Configuration Window: An osascript that presents users with an input box to set a secure password, validated with a regular expression. A Privacy Preferences MDM profile is configured to suppress the security pop-up prompts and streamline the enrollment process.
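As an added example of the validation step behind such a window (written for this page, not the project's own osascript), the shell below checks a candidate password against a policy and, on macOS, wraps the check in an osascript dialog loop. The policy (at least 12 characters, one upper-case letter, one lower-case letter, one digit, one symbol, no whitespace) and the dialog wording are assumptions for illustration; the validation function runs on any POSIX shell, while the prompt needs macOS.

```shell
#!/bin/sh
# Added example: regex password-policy validation for a zero-touch enrollment prompt.
# Policy below is an assumed example, not the project's rule.

# Returns 0 if the password meets the policy, 1 otherwise.
validate_password() {
    pw="$1"
    [ "${#pw}" -ge 12 ] || return 1                                 # minimum length
    printf '%s' "$pw" | grep -Eq '[A-Z]' || return 1                # upper-case letter
    printf '%s' "$pw" | grep -Eq '[a-z]' || return 1                # lower-case letter
    printf '%s' "$pw" | grep -Eq '[0-9]' || return 1                # digit
    printf '%s' "$pw" | grep -Eq '[^A-Za-z0-9]' || return 1         # symbol
    printf '%s' "$pw" | grep -Eq '[[:space:]]' && return 1          # no whitespace
    return 0
}

# macOS only: keep prompting until the user supplies a compliant password.
# The dialog text is assumed; "with hidden answer" masks the typed value.
prompt_for_password() {
    while :; do
        candidate=$(osascript -e 'text returned of (display dialog "Set your password" default answer "" with hidden answer)') || return 1
        if validate_password "$candidate"; then
            printf '%s' "$candidate"
            return 0
        fi
        osascript -e 'display dialog "Password does not meet policy; try again." buttons {"OK"}' >/dev/null
    done
}

# Stand-alone run: report the verdict for a constructed candidate without prompting.
if validate_password 'Correct-Horse-99'; then
    echo "policy: ok"
else
    echo "policy: rejected"
fi
```

Keeping the policy in a plain function separate from the dialog makes it possible to test the rule on a non-macOS host and to reuse the same check wherever the workflow sets a password, rather than embedding the regex in the AppleScript string.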

PreStaged JumpCloud Users: Pending JumpCloud users configured with access to JumpCloud resources who activate their accounts using the zero-touch workflow.