Configure a System Upon DEP Enrollment

January 30, 2019 - 3 minute read -

Now that imaging is dead, it’s essential for MacAdmins to leverage DEP and MDM when provisioning macOS in the Enterprise. While not all settings can be managed using a configuration profile, many of them can be manipulated using a bash script.

The example below should be executed by a policy immediately after enrolling a device into Jamf Pro using a PreStage Enrollment. It’s designed to make customizations that are not currently possible using configuration profiles alone.

#!/bin/sh

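#########################
# ABOUT
#########################
#
# This script should be executed by a policy immediately after successfully
# enrolling a device into Jamf Pro using a PreStage Enrollment and the Device
# Enrollment Program. It is designed to make the following customizations that
# are not currently possible using configuration profiles alone.
#
# Your policy must include script parameters for the administrator username and
# password created as part of your PreStage Enrollment, as well as the username
# and password for the standard local user account that you are creating. For
# more information on using script parameters, please see
# https://www.jamf.com/jamf-nation/articles/146/script-parameters.
#
# (This header used to be a bare quoted string starting with "' :" rather than
# the ": '...'" no-op idiom, so the shell tried to run the whole comment as a
# command name and logged "command not found" on every run.)

#########################
# VARIABLES
#########################

# Jamf Pro passes policy script parameters starting at $4 ($1-$3 are reserved
# by Jamf). Both passwords arrive on the command line and are later handed to
# sysadminctl as arguments, so they are visible in the process list while
# those commands run; scope these accounts' credentials accordingly.
adminUser="$4"        # administrator account created by the PreStage Enrollment
adminPassword="$5"    # password for adminUser
userName="$6"         # standard local user account to create
userPassword="$7"     # password for userName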


#########################
# FUNCTIONS
#########################

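#######################################
# Create the standard local user account named in $userName, unless an account
# with exactly that name already exists.
# Globals:   adminUser, adminPassword, userName, userPassword (read)
# Outputs:   progress to stdout, errors to stderr
# Returns:   0 on success or if the account already exists, 1 if a required
#            script parameter is missing or sysadminctl fails
#######################################
createLocalUserAccounts() {
    if [ -z "$adminUser" ] || [ -z "$adminPassword" ] || [ -z "$userName" ] || [ -z "$userPassword" ]; then
        /bin/echo "createLocalUserAccounts: script parameters 4-7 must all be set." >&2
        return 1
    fi
    # Whole-line match: a plain substring grep treated "bob" as already present
    # when only "bobby" existed, and an empty name matched every account.
    if /usr/bin/dscl . list /Users | /usr/bin/grep -qx -- "$userName"; then
        /bin/echo "Local user account $userName already exists; skipping."
        return 0
    fi
    # sysadminctl only accepts the credentials as arguments, so they are visible
    # in the process list for the duration of this command. Its chatter is
    # suppressed as before; drop "2>&1" to see its diagnostics in the policy log.
    if ! /usr/sbin/sysadminctl -adminUser "$adminUser" -adminPassword "$adminPassword" \
            -addUser "$userName" -password "$userPassword" \
            -picture "/Library/User Pictures/Animals/Parrot.tif" > /dev/null 2>&1; then
        /bin/echo "Failed to create local user account $userName." >&2
        return 1
    fi
    /bin/echo "Created local user account $userName."
}
createLocalUserAccounts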

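#######################################
# Set the computer name and host name to "DEP" + the hardware serial number
# (example: DEPC03FF3GFGFBB), so every enrolled Mac gets a unique name.
# Globals:   computerName (written)
# Outputs:   the chosen name to stdout, errors to stderr
# Returns:   0 on success, 1 if the serial number could not be read
#######################################
enableComputerName() {
    local serialNumber
    # "Serial Number (system): XXXX" - the serial is the last field.
    serialNumber="$(/usr/sbin/system_profiler SPHardwareDataType | /usr/bin/awk '/Serial Number/ {print $NF}')"
    # Without this guard an unreadable serial would silently name the Mac "DEP".
    if [ -z "$serialNumber" ]; then
        /bin/echo "Could not determine the hardware serial number; computer name not changed." >&2
        return 1
    fi
    computerName="DEP${serialNumber}"
    /usr/sbin/scutil --set ComputerName "$computerName"
    /usr/sbin/scutil --set HostName "$computerName"
    # NOTE(review): LocalHostName (the Bonjour name) is left at its default, as
    # in the original; set it too if all three names should agree.
    /bin/echo "Set computer name to $computerName."
}
enableComputerName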

# Turn on File Sharing by loading the SMB daemon's launchd job; -w clears the
# job's Disabled flag so it is loaded at every boot, not just now.
enableFileSharing() {
    local smbdJob="/System/Library/LaunchDaemons/com.apple.smbd.plist"
    /bin/launchctl load -w "$smbdJob"
    /bin/echo "Enabled File Sharing."
}
enableFileSharing

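#######################################
# Turn on Remote Login (SSH) and limit it to the PreStage administrator by
# adding that account to the com.apple.access_ssh access group.
# Globals:   adminUser (read)
# Outputs:   progress to stdout, errors to stderr
# Returns:   0 on success, 1 if adminUser is unset or the group edit fails
#######################################
enableRemoteLogin() {
    if [ -z "$adminUser" ]; then
        /bin/echo "enableRemoteLogin: adminUser (script parameter 4) is not set." >&2
        return 1
    fi
    /usr/sbin/systemsetup -setremotelogin on
    # Membership in com.apple.access_ssh is what restricts SSH to this one
    # account; an unquoted, empty $adminUser used to make this call fail quietly.
    if ! /usr/sbin/dseditgroup -o edit -a "$adminUser" -t user com.apple.access_ssh; then
        /bin/echo "Failed to add $adminUser to com.apple.access_ssh." >&2
        return 1
    fi
    /bin/echo "Enabled Remote Login for $adminUser."
}
enableRemoteLogin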

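#######################################
# Turn on Remote Management (ARD / Screen Sharing) for the standard local user
# only, with every privilege, and show the menu extra.
# Globals:   userName (read)
# Outputs:   progress to stdout, errors to stderr
# Returns:   0 on success, 1 if userName is unset or kickstart fails
#######################################
enableRemoteManagement() {
    local kickstart="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"
    if [ -z "$userName" ]; then
        /bin/echo "enableRemoteManagement: userName (script parameter 6) is not set." >&2
        return 1
    fi
    # First call: activate the agent and restrict access to explicitly listed
    # users. Second call: list $userName with all privileges (-privs -all),
    # which is full remote control of the Mac - this account's password is
    # therefore as sensitive as the administrator's.
    if ! "$kickstart" -activate -configure -allowAccessFor -specifiedUsers -clientopts -setmenuextra -menuextra yes > /dev/null 2>&1 \
        || ! "$kickstart" -configure -users "$userName" -access -on -privs -all > /dev/null 2>&1; then
        /bin/echo "Failed to configure Remote Management for $userName." >&2
        return 1
    fi
    /bin/echo "Enabled Remote Management for $userName."
}
enableRemoteManagement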

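#######################################
# Allow every user to administer printers by setting the system.print.admin
# authorization right to "allow".
# Outputs:   progress to stdout, errors to stderr
# Returns:   0 on success, 1 if the authorization database was not updated
#######################################
enablePrinterAdministration() {
    # The exit status now decides what is logged; previously errors were
    # discarded and success was reported regardless.
    if ! /usr/bin/security authorizationdb write system.print.admin allow > /dev/null 2>&1; then
        /bin/echo "Failed to update the system.print.admin authorization right." >&2
        return 1
    fi
    /bin/echo "Enabled Printer Administration for all users."
}
enablePrinterAdministration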

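#######################################
# Turn on Location Services by writing locationd's ByHost preference directly.
# Only done on macOS 10.13; every other version is left untouched.
# Outputs:   progress to stdout (nothing when skipped)
# Returns:   0 always (a no-op on other macOS versions)
#######################################
enableLocationServices() {
    local osVersion
    osVersion="$(/usr/bin/sw_vers -productVersion)"
    # Matches 10.13 and any 10.13.x. The old "cut -c 1-5" comparison did the
    # same for real versions but relied on a fixed character count.
    case "$osVersion" in
        10.13|10.13.*)
            /usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd LocationServicesEnabled -int 1
            # The plist written above is owned by whoever ran this policy
            # (presumably root); hand the tree back to locationd's own user.
            /usr/sbin/chown -R _locationd:_locationd /var/db/locationd
            /bin/echo "Enabled Location Services."
            ;;
    esac
}
enableLocationServices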

# Let macOS choose the time zone from the current location by activating
# the com.apple.timezone.auto preference.
enableLocationBasedTimeZone() {
    local tzAutoPrefs="/Library/Preferences/com.apple.timezone.auto"
    /usr/bin/defaults write "$tzAutoPrefs" Active -bool true
    /bin/echo "Enabled Location-Based Time Zone."
}
enableLocationBasedTimeZone

# Stop the Mac from sleeping on any power source (-a covers battery, charger
# and UPS); presumably so the remaining provisioning policies run unattended.
disableComputerSleep() {
    local sleepMinutes=0   # pmset treats 0 as "never"
    /usr/bin/pmset -a sleep "$sleepMinutes"
    /bin/echo "Disabled Computer Sleep."
}
disableComputerSleep

# Ask the jamf binary to clear this computer's policy history in Jamf Pro so
# once-per-computer policies (including this one) become eligible again.
flushPolicyHistory() {
    local jamfBinary="/usr/local/bin/jamf"
    "$jamfBinary" flushPolicyHistory
    /bin/echo "Flushed Policy History on Jamf Pro."
}
flushPolicyHistory