macOS Enrollment

MRCUR
Kind of a big deal

Hi everyone,

I'm working on deploying Macs currently and we're using Meraki SM with them. In the past we were manually enrolling them after imaging, but now we're trying to include enrollment during the imaging process. DeployStudio has a native step for this, which we've been using with some success. It seems to be about a 50% success rate that this method will work, but that's obviously not very good.


Does anyone know of another way to automate Mac enrollment with SM that doesn't involve DEP? Having the source Mac enrolled doesn't help, having the source Mac DEP enrolled doesn't help and using the native DeployStudio enrollment step (with the Meraki SM .mobileconfig profile) doesn't work too well either. 

 

Thanks!

MRCUR | CMNO #12
sshort
Building a reputation

Hi!

I'm not using DeployStudio, but there are a couple of alternatives. My company uses Munki (https://github.com/munki/munki/wiki) to push and install apps. We include the Meraki agent as part of the install manifest so that we can have remote desktop capability with our end users. Installing the agent will enroll the Mac in Systems Manager as well (even if the .mobileconfig is not installed). You can even use Munki to install the .mobileconfig itself, although that's not my current setup.

I don't know your background for not wanting/using DEP, but Apple did update the Apple Configurator app under High Sierra to support manual enrollment of devices, even if they were not directly purchased by your company or institution (https://support.apple.com/en-us/HT208040). This would then allow the enrollment profile to be automatically pushed to the device, without DeployStudio.

I realize Meraki hasn't announced any official compatibility with High Sierra yet, so Munki is probably the most practical of the above suggestions.

jared_f
Kind of a big deal

Without DEP, you are quite limited on completely automating setup. Could you possibly add a script to your DeployStudio image to trigger the install of the MDM Profile and Meraki Agent (if you use it)? That should solve your issues with miss/hit enrollment.


Jared

Find this helpful? Click the kudos button. Thanks!
MRCUR
Kind of a big deal

@jared_f The real problem seems to be that after a period of time, the MDM profile stops working. I wonder if there is an expiration on each one that is downloaded, or something is being generated when you download a new one that is unique in some way. The agent install works fine, but that doesn't get us all the MDM control.

DEP isn't really a possibility when you're doing monolithic imaging, which we do to cut down on deployment time, as these are all lab-based deployments, usually with the entire Adobe CC suite installed. These aren't one-off user deployments, which is clearly what Apple has designed DEP for.

MRCUR | CMNO #12
jared_f
Kind of a big deal

@MRCUR

I have experienced the MDM profile losing connection to the Meraki server. To fix this issue, I have a login daemon that triggers the MDM profile to refresh itself with one stored on the machine. Basically, it is a downloaded profile stored in /library, and it is just re-installed at every login (profiles do not have to be repushed then).

Find this helpful? Click the kudos button. Thanks!
MRCUR
Kind of a big deal

@jared_f Interesting! Good to know I'm not the only one seeing this. 

MRCUR | CMNO #12