How we leverage JumpCloud to provision new Macs: Part 1

We have several clients who use JumpCloud – which is why Richard and the HelpFully IT team have spent a fair amount of time creating the scripts over on This post will go into the complete workflow on how we provision a new mac from unboxing to the user opening up and logging in with everything ready to go. There are two versions of this workflow covering two slightly different scenarios:

  1. The laptop is with us at HelpFully IT HQ. We configure it and ship it to the end-user. 
  2. The user was sent a brand new notebook and carried out the enrollment themselves.

Obviously, with option 1, we could download all the apps, or have them pre-downloaded, and run through them one by one, which is very time- and labour-intensive. With option 2, we could use ZeroTouch enrollment to do it all for us.

Unfortunately, most of our clients don’t use ZeroTouch as they are not registered with Apple Business Manager, or they buy their laptops from different Value Added Resellers.

This post will cover scenario 1, with scenario 2 to follow in a further blog post.

The laptop is unboxed, the Administrator user is created, and the machine is logged in, running through the standard iCloud / Siri setup. The machine is then immediately enrolled into JumpCloud and assigned to the device groups that it needs. We also have a new enrollments group, and this group contains the commands we use to install the standard software that the recipient of the laptop will need.

The other assigned device groups are used to apply individual policies. To explain further, we have a device group for every policy that gets applied. Say, for example, our stock policies include screen lockout, USB storage blocking, FileVault encryption and MDM enrollment: there is a device group for each of those policies.

Applying policies like this makes troubleshooting much more straightforward. Suppose one of the policies fails, or there is an issue applying it. In that case, we can remove the troublesome machine from the problematic policy group, knowing that the other policies will stay applied whilst we investigate further. Following a reboot or two, the Mac is then reboxed and shipped out to the end-user.

On receipt of the Mac, the user will email the helpdesk or the contact in the business to say they have received it. We will then supply the credentials, and they can begin their day.

Please keep an eye out for Part 2 of this series on how we set up Mac devices for our users.
