Obstacles to Zero Touch deployment for Macs

Comes here often


So far I am aware of at least two issues standing in the way of Meraki Systems Manager being able to be used to deploy Macintoshes without extensive handling by the administrator:


1. Inability to create a user account on first boot on macOS, as detailed in this thread.


2. Apparent requirement to send two separate profiles, at two separate times, in order to escrow a recovery key and set up FileVault encryption, as detailed in these instructions.


Zero-touch provisioning for Macs including account creation and encryption is available with other MDM providers, including JAMF and Fleetsmith. 


Has anyone found any way around these issues?


Are there any other obstacles to zero-touch macOS deployment in Systems Manager? Any movement towards making it possible?


Kind of a big deal

Ditto for Windows. There is no Windows Autopilot support.

Building a reputation

@mdmike There's somewhat of an update/addendum to the first issue with account creation.


SecureToken behavior has changed a bit under Mojave: now any admin account will get secureToken if that is the first user account to sign into the Mac. Not all environments can take advantage of this in your deployment workflow, but here's an example of how that could work:


- Use a tool like Installr or Bootstrappr to install a pkg that creates an admin account and skips the user creation portion of the Setup Assistant.

- Power on the Mac; Meraki pushes the enrollment profile as you go through the non-skippable Setup Assistant screens like language, country, etc.

- Reach the sign-in screen, then log into the admin account that was created with the pkg you previously installed.

- That admin user now has secureToken, and you can then create additional users via System Preferences, script, etc.

Just browsing

Has anyone still not found any way around this Zero Touch deployment for Macs?
