Using MDS and a Mac Deploy Stick with Jamf

Is it possible for you to post some sort of video or documentation on the process of using MDS and a Mac Deploy Stick to erase and install macOS on a Mac and enroll it into Jamf?

It should be as easy as including the enrollment profile in a folder and selecting that folder under “Profiles” in the Resources section. Was it failing?

tim

First of all, thank you for your reply. To answer your question, “Was it failing?” all I can say is, I cannot truthfully answer that question yet because I am at the ground floor in my understanding as to how this process works in the first place. So I was looking for some tutorials on how to get started. To help you understand how we currently do it, let me give you a brief description.

  1. We first manually erase (wipe the computer) and install macOS onto the computer via a USB flash drive.

  2. We next go through the installer’s various screens and install macOS with a temporary Administrator account.

  3. We next log into that Administrator account and rename the computer to the correct name for our Jamf enrollment process. Next, we launch the Safari web browser and enter the address of our Jamf cloud enrollment server, with the appropriate credentials to enroll, and then select the proper Jamf site for the enrolled computer. Jamf then downloads the necessary MDMs to start the enrollment process.

  4. After that, Jamf downloads all of the necessary additional profiles, packages, and scripts based on the site that we enrolled the computer into. Then Jamf restarts the computer.

  5. Lastly, we log in to the computer with its new permanent local Administrator account, which Jamf created in the previous step, delete the temporary Administrator user, and check via Jamf for any missing installations or configurations.

So I guess my question to you is, “How do we automate this process with MDS?”

Hi Tim,

Thanks so much for your work on this tool. I’m hoping it’ll save us.

We are in the same boat as the OP: trying to use MDS to erase/install macOS and enroll in Jamf (non-DEP).

At first, I thought I was seeing success via the process you suggested: add Jamf’s enrollmentProfile.mobileconfig (and CACertificate.mobileconfig) into a folder and specify this folder when building the MDS image. Upon the first few tests, everything worked. However, when I try the same image on a second machine, the enrollment fails. I’m wondering if Jamf’s enrollment profiles would be use-limited to a single machine. Of note, I was able to repeatedly enroll the same machine using the same profile with success.

I’m not sure if this is something you can answer, but looking to the Jamf community does not yield any answers, as this method doesn’t seem to be a common practice. Others turn to Jamf’s QuickAdd pkg, but I was under the impression that we should be avoiding this method in favor of using the config profiles for MDM enrollment.

Any input would be enormously appreciated. Thanks again!

Correction: it does seem, via manual testing, that Jamf’s enrollment profile cannot be used more than one time, regardless of computer. It seems that QuickAdd is the only approach, then, but I would love to be enlightened if there is a method of generating a Jamf enrollment profile that CAN be used repeatedly.

Thanks again!

I wanted to report back with my findings, in case it helps anyone else trying to enroll Macs into Jamf using MDS.

  1. The mobileconfig profiles downloaded via https://xyz.jamfcloud.com/enroll/ are single-use profiles that will not enroll more than one computer, so these are not useful when using MDS.

  2. Similarly, the QuickAdd.pkg downloaded via https://xyz.jamfcloud.com/enroll/?type=quickAdd also appears to be single-use and is likewise not useful with MDS.

  3. The QuickAdd.pkg generated using Jamf Recon is multi-use capable and works perfectly with MDS when added as a package to be installed by MDS. No special steps are needed; it just works as you’d expect it to. This is the solution that ultimately worked for us.

Best of luck! 🙂

2 Likes

In my testing of using MDS I am having trouble with the approval of device profiles that JAMF creates when it enrolls. Can you help me by describing, in some detail, the methodology that you are using to achieve your success with MDS JAMF enrollment? I would really like this to work.

The process isn’t too complicated, to be honest. Here are the steps:

  1. Use Jamf Recon to generate a QuickAdd.pkg for your Jamf instance. This package will be multi-use and compatible with MDS.
  2. When generating an MDS installer, configure MDS to install this QuickAdd.pkg from step 1.
  3. Once the macOS installation is finished, the package should have been installed via MDS automatically and the machine should now be enrolled in Jamf. For us, it’s this simple.

I hope that helps! All other methods I tried failed in one way or another.

Thank you for your reply. The issue that I have noticed, though, is that while the Jamf MDS enrollment process seems to complete successfully using this method, the problem lies in the approval of crucial Jamf MDM profiles. Since all Jamf MDM profiles are not getting approved on the deployed Macs in question, the User Approved MDM (UAMDM) is not entirely successful. Since the successful part, in our configuration, grays out the System Preferences > Profiles applet, the solution in Tim Perfitt’s “Automating UAMDM enrollment with MDS Automaton,” https://www.youtube.com/watch?v=DtxKz1jFvyA&list=PLFtGGT240LAPsQXNx9s9PVc0VEzVpmR75&index=11&t=31s, is not applicable.

Okay, I understand. The problem you’re having is that UAMDM profiles cannot (by design) be installed/approved by any automated solution. Neither MDS nor any other non-Apple solution will install User Approved MDM profiles without some form of user input. Again, this is no fault of MDS or Jamf, but rather the intention of UAMDM profiles.

Of course, the official method to accomplish what you want is DEP, but if you’re like us, Apple won’t enroll your existing Macs into DEP, which is why you’re experimenting with MDS in the first place.

The only workaround I’ve found in my research (but have never attempted) is to retrofit MDS’s automaton (Arduino) solution to log in to the machine following the macOS installation and click the necessary buttons to approve your UAMDM profile. I’ve seen such a solution posted on forums online, but again, I’ve never attempted it.

I hope that helps.

Edit: I found the original post that discusses the solution I referred to above. Here it is.
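
A post-deployment check for the UAMDM state discussed in this thread, added here as an example and not posted by any participant: it classifies the text that macOS prints for `profiles status -type enrollment`, so a Mac that enrolled via QuickAdd but was never User Approved can be flagged. The function names and the sample status text are constructed for illustration, and the two-line output format shown in the samples is assumed.

```shell
#!/bin/sh
# Constructed samples of `profiles status -type enrollment` output.
SAMPLE_APPROVED='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'
SAMPLE_UNAPPROVED='Enrolled via DEP: No
MDM enrollment: Yes'
SAMPLE_NONE='Enrolled via DEP: No
MDM enrollment: No'

# Read the status text on stdin and print one of:
#   not-enrolled | enrolled-unapproved | user-approved | dep
uamdm_state() {
    status=$(cat)
    dep=$(printf '%s\n' "$status" | sed -n 's/^Enrolled via DEP: *//p')
    mdm=$(printf '%s\n' "$status" | sed -n 's/^MDM enrollment: *//p')
    case "$mdm" in
        Yes*"(User Approved)"*)
            case "$dep" in
                Yes*) echo dep ;;
                *)    echo user-approved ;;
            esac ;;
        Yes*) echo enrolled-unapproved ;;   # enrolled, approval still pending
        *)    echo not-enrolled ;;          # "No" or unrecognised output
    esac
}

# Succeed only when the enrollment on stdin is User Approved or DEP.
uamdm_ok() {
    case "$(uamdm_state)" in
        user-approved|dep) return 0 ;;
        *) return 1 ;;
    esac
}

# On a Mac, report the live state; elsewhere this step is skipped.
if command -v profiles >/dev/null 2>&1; then
    echo "Enrollment state: $(profiles status -type enrollment | uamdm_state)"
fi
```

A result of `enrolled-unapproved` corresponds to the situation described above, where enrollment completes but the MDM profile still needs approval by a user at the machine.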