Automated Device Enrollment and Setup Your Mac version 1.8.1

Setup Your Mac is a fantastic project that gives end-users a great dialog to let them know what is going on with their Mac as organizational apps are being installed. This dialog, added on top of Automated Device Enrollment, is an awesome replacement for a legacy DEPNotify onboarding workflow.

Recently, SYM has had some amazing features added, including the option to have multiple arrays of policy triggers so the end-user can choose which configuration best works for them. The latest SYM script can be found at: https://github.com/dan-snelson/Setup-Your-Mac

The postinstall script has been updated so there is no need to package swiftDialog with the PreStage package. The script will fetch the latest version of swiftDialog and install it on the computer, to be used by the Setup Your Mac script. The script will also create a Launch Daemon and two scripts on the computer.

Important note: You will need to create an additional policy in Jamf Pro to run the cleanup script that is created on the Mac. The cleanup script is located at: ${tempUtilitiesPath}/${organizationIdentifier}.sym-prestarter-uninstaller.zsh

In this guide, we will walk through what needs to be done to bring the Setup Your Mac workflow into your Automated Device Enrollments with Jamf Pro.

Requirements:

  1. A certificate used for signing your Prestage pkg. If you’d like to learn more on how this is done, you can use the following link: https://techitout.xyz/2023/03/08/guide-creating-a-signed-certificate/
  2. The Payload Free Package Creator: https://github.com/rtrouton/Payload-Free-Package-Creator/releases
  3. The postinstall script for your pkg: https://raw.githubusercontent.com/robjschroeder/SetupYourMac/main/postinstall-SYM.zsh
  4. The Setup Your Mac script configured with your policy arrays in Jamf Pro

Getting Started:

  1. Download the Payload Free Package Creator to your Mac computer and install it.
  2. Download the latest postinstall-SYM.zsh script to your computer.
  3. Feel free to make any modifications to this script to fit your organizational needs. As is, the script is configured to call a Jamf Pro policy with a custom trigger of 'symStart'.
  4. When opening the Payload Free Package Creator app, you will see a prompt letting you know that you will need to select the script you would like to package. Select the postinstall-SYM.zsh script.
  5. Enter a name for your package and click OK.
  6. Enter a package identifier and click OK.
  7. Finally, enter a version number for your package and click OK. You will be asked to enter your username and password before the package is created.
  8. The package will be created at /private/tmp/nameOfPackage.
  9. Next we will need to sign our newly created package. Open the Terminal app and run the following commands:

     # Create temp folder
     sudo mkdir -pv /private/tmp/NameOfPackage/out
     # Build Package
     sudo productbuild --package /private/tmp/NameOfPackage/NameOfPackage.pkg /private/tmp/NameOfPackage/out/NameOfPackage.pkg
     # Sign Package
     productsign --sign "CN Name Of Signing Certificate" /private/tmp/NameOfPackage/out/NameOfPackage.pkg ~/Desktop/NameOfPackage.pkg
     # Verify Signature On Package
     pkgutil --check-signature ~/Desktop/NameOfPackage.pkg

  10. The signed version of the package will be located on your desktop. This package can now be uploaded to Jamf Pro and added to your PreStage for deployment.
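The build, sign and verify steps above wrapped into one script, as an added example that is not part of the original post: the output of pkgutil --check-signature is parsed so that an unsigned or untrusted package is refused before it is uploaded to Jamf Pro. The package name and signing identity are placeholders passed in as arguments.

```shell
#!/bin/sh
# Added example (not code from the original post): the guide's Terminal steps as
# functions, with the pkgutil signature check parsed instead of eyeballed.
# Package name and signing identity are placeholders supplied by the caller.

# Read `pkgutil --check-signature` output on stdin and print only the Status value.
pkg_signature_status() {
  sed -n 's/^[[:space:]]*Status: //p' | head -n 1
}

# Read the same output on stdin; succeed only for a signed package whose chain
# pkgutil did not flag as untrusted.
signature_is_acceptable() {
  status="$(pkg_signature_status)"
  case "$status" in
    "signed by"*"untrusted"*) return 1 ;;   # signed, but the chain does not validate
    "signed by"*|"signed Apple"*) return 0 ;;
    *) return 1 ;;                          # "no signature", or not pkgutil output at all
  esac
}

# Mirror of the guide's commands: $1 = package name, $2 = signing identity.
build_sign_verify() {
  name="$1"; identity="$2"
  src="/private/tmp/${name}/${name}.pkg"
  out="/private/tmp/${name}/out/${name}.pkg"
  dst="${HOME}/Desktop/${name}.pkg"
  sudo mkdir -pv "/private/tmp/${name}/out" || return 1
  sudo productbuild --package "$src" "$out" || return 1
  productsign --sign "$identity" "$out" "$dst" || return 1
  if pkgutil --check-signature "$dst" | signature_is_acceptable; then
    echo "OK: ${dst} is signed; upload it to Jamf Pro and add it to the PreStage"
  else
    echo "FAIL: ${dst} is unsigned or untrusted; do not upload it" >&2
    return 1
  fi
}

# Usage on a Mac that has the signing certificate installed (placeholder values):
#   build_sign_verify NameOfPackage "CN Name Of Signing Certificate"
```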

For the configuration of your Jamf Pro policy and Setup Your Mac script, I would recommend checking out Dan’s blog post: https://snelson.us/sym

If you want to see the original post on this subject, feel free to go to: https://techitout.xyz/2023/01/16/setup-your-mac-and-automated-device-enrollment/

Thanks for checking it out!

12 responses to “Automated Device Enrollment and Setup Your Mac version 1.8.1”

  1. Hello,

    Thanks Robert Schroeder for your hard work and sharing!

    I just have some stuff to add because I encountered an issue during the package creation (Step 9).
    I had to use the productbuild command like this (in order to run the package during the prestage):
    # Creating the productbuild of the pkg
    productbuild --package /private/tmp/Prestage-SYM/Prestage-SYM.pkg /private/tmp/Prestage-SYM/out/Prestage-SYM.pkg
    # Sign the pkg file
    productsign --sign "CN Name Of Signing Certificate" /private/tmp/Prestage-SYM/out/Prestage-SYM.pkg ~/Desktop/Prestage-SYM.pkg
    # Check the certificate of the pkg
    pkgutil --check-signature ~/Desktop/Prestage-SYM.pkg

    Also, I already use a policy to remove all files during the SYM process (the SYM calls a policy to clean up at the end, during the "final configuration" step), and it works great.

    What would be the best practice to rerun the SYM only when a new user logs in to the Mac for the first time? I was thinking of creating a policy to run once per user per computer calling the SYM script again, but it can be an issue during the enrollment process (I am afraid that the SYM script will be executed 2 times).

    Best regards,

    CDE

    • Hey Charles, thanks for the comment. I'll update the page with your insights on productbuild. Also, would you need to run SYM per user? For instance, if you install Word it installs for all users, it wouldn't need to be installed per user. If you do have configurations that are user specific, then maybe you can have an additional SYM script and policy with those items and make it available via Self Service?

      • Hello Robert,

        Thanks for the quick reply!
        Well, we have some Macs used by multiple users and yes, during the SYM there is specific setup based on the user.

        Actually, what I do right now is enrolling the device with the user account and then adding the admin account after that and running the SYM with Self Service only on the admin session.
        But if a third user wants to log in for the first time to this same Mac (total of 3 users), the SYM won't work and the user has to use Self Service.
        And training users to use Self Service is a pain 😂

        Btw, we run macOS Ventura 13.2.1 and are using Jamf Connect with Azure AD.

      • Sounds like then you may want your user specific configurations to run with a login trigger once per user per computer.
        I am working to build the Self Service experience which I believe will save us a lot of time answering end-user requests. It is some good work lol.
        We also are running Ventura, using Jamf Connect with Azure AD!

  2. First off – this was so amazing to stumble upon while searching for something to replace DEPnotify. Thank you!
    Second – does your script still need to call for the latest version of swiftDialog now that SYM 1.10.0 includes the call for the latest version itself?

    • Hey Shane! Thanks for the comment and I'm glad you found this post helpful. I'll be writing up a new post soon, as SYM 1.10 was released earlier this week.

      • Awesome! I will gladly wait for the updated script and spend the time experimenting and practicing with the SYM script itself. If anyone can answer this … Is it easier to break it into pieces and work on – or is there an easier way than using CodeRunner line by line?

      • I use CodeRunner as well. I would suggest going through the script entirely to get a good understanding of what is going on. Things may go awry if you start taking it apart to test. I usually wipe my test Mac and run through enrollment for my testing, but I'm not saying that's the best approach. It may be useful to run SYM in CodeRunner with debug on and monitor your logs for any important messaging.

  3. That’s exactly what I’ve been doing. I’m trying to revamp the SYM to be less “actual user that will end up with the computer” as the initial setup variable. Our IT dept actually logs into a machine first with the local admin account created at enrollment. I need them to be able to input the end user’s info that it’s going to. That should then update the info in JAMF and then run a naming convention script that I already use that’s specific to the end user. (or is this just an insane approach?)

    *Our IT dept already has to physically get the computer first to apply asset tags, scan it into ServiceNow for asset management, etc.
