/build/static/layout/Breadcrumb_cap_w.png

Migrating macOS Lab Setup from SDA to SMA

A few years ago, we discovered that Faronics' Deep Freeze wouldn't work with Apple's Fusion Drives. So, we followed instructions published by others (one's I consolidated into a previous blog post) to split the fusion drive / core storage volume. Ever since then, we've been chasing the next issue with Mac imaging (APFS, for example). This summer, we finally abandoned the idea of Mac imaging all together. We have yet to see how it will go once the students return to campus, but we've settled on a process that resolves our immediate roadblocks while simultaneously addressing some of our older concerns (some of the ones leading us to Deep Freeze and imaging in the first place). 

We've started looking at more robust and/or consolidated solutions (Jamf, Apple Server), but are classically understaffed and overtasked, so we're charging through this transitional summer as macOS survivalists putting our Quest SMA to the test. If we aren't the last to make this transition, here's what my first round attempt looks like so far (I will, of course, refine as we validate):

Manual tasks
This is where we will continue to pursue automation options over the next year with device enrollment (maybe?).

Install the latest OS on systems we're refreshing
Walk through initial setup
Install the KACE agent


SMA Managed Installations
These installation currently use device name-based smart labels.

System Center Endpoint
our NAC policy key
Chrome
Firefox


SMA Scripted Installations - Run Once
So far, these are clusters of tasks. As we verify they are working as we expect, I'll begin creating more logical clusters or migrating them to Managed Installations so there aren't quite so many manual steps.

Task for overall system setup:
sudo systemsetup -setusingnetworktime on -setnetworktimeserver TIMESERVERNAME -setremotelogin on
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -users USERNAME -privs -all -restart -agent -menu
sudo defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool true
sudo defaults write /Library/Preferences/com.apple.TimeMachine DoNotOfferNewDisksForBackup -bool true
sudo pmset repeat poweron MTWRFSU 6:30:00
sudo pmset -a displaysleep 180 disksleep 0 sleep 0

Microsoft Office Suite install - will be migrating to Managed Installation

Microsoft Office Suite enable updates - using mobileconfig

Microsoft Office Suite bypass initial setup:
sudo defaults write /Library/Preferences/com.microsoft.Word kSubUIAppCompletedFirstRunSetup1507 -bool true
sudo defaults write /Library/Preferences/com.microsoft.PowerPoint kSubUIAppCompletedFirstRunSetup1507 -bool true
sudo defaults write /Library/Preferences/com.microsoft.Excel kSubUIAppCompletedFirstRunSetup1507 -bool true
sudo defaults write /Library/Preferences/com.microsoft.OneNote kSubUIAppCompletedFirstRunSetup1507 -bool true
sudo defaults write /Library/Preferences/com.microsoft.Outlook kSubUIAppCompletedFirstRunSetup1507 -bool true

Bind to domain:
sudo dsconfigad -add DOMAIN -username SERVICEACCOUNT -password SERVICEACCOUNTPASSWORD -domain DOMAIN -ou "OU= ,DC= ..." -mobile enable -mobileconfirm disable -localhome disable -useuncpath disable -groups "DOMAIN\ADMINGROUPNAME" -alldomains enable -passinterval 0

Install Flash Player NPAPI - will be migrating to Managed Installation

Install Flash Player PPAPI - will be migrating to Managed Installation

Enable right click - using mobileconfig

Task to hide setup prompts at initial login and disable DS store file creation:
for USER_TEMPLATE in "/System/Library/User Template"/*
    do
        /usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.SetupAssistant DidSeeCloudSetup -bool TRUE
        /usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.SetupAssistant GestureMovieSeen none
        /usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.SetupAssistant LastSeenCloudProductVersion "${sw_vers}"
        /usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.SetupAssistant LastSeenBuddyBuildVersion "${sw_build}"
        /usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.SetupAssistant DidSeeSiriSetup -bool TRUE      
        /usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.desktopservices DSDontWriteNetworkStores -bool TRUE
    done
Task to bypass the Secure Token Prompt - using mobileconfig


Scripted Installation - set to run every night

Delete non-persistent user accounts:

users=`find /Users -type d -maxdepth 1 | cut -d"/" -f3`

for i in $users
do
    if [ "$i" = "PERSISTENTACCOUNT" ] || [ "$i" = "PERSISTENTACCOUNT" ] || [ "$i" = "PERSISTENTACCOUNT" ]
    then
        continue
    else
        # echo "then"$i
        dscl . -delete /Users/$i
        Rm -Rf /Users/$i
    fi
done






Comments

  • How has this worked for you? Looking like we will have to do what you are doing too. - fleminsa 6 years ago
    • It has worked so well in the labs that I am now working on automating it based on smart labels for setting up all our new non-lab iMacs/MacBooks. I've been able to convert the SMA scripted installations I've listed above to Managed Installations that apply to devices with a KACE record creation date within the last 5 days. We install the agent on a properly named iMac or MacBook, and software starts installing, system preferences get changed, it joins the domain, and then we reboot it and it's ready to go. - sarahmurray 6 years ago
      • Thank you. I have been doing something similar to this. I setup the machine with the main account, provision the Kace agent and have been using managed installs to install software and scripting to join domain. I am going to start looking into using labels to streamline the process. - fleminsa 6 years ago
This post is locked
 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ