Building Mac mini servers with Jamf Setup Manager

This is the second in a series of posts about Jamf Setup Manager. Read the first post to learn more about our decision to use it as our preferred tool for provisioning Macs.

Provisioning a server is the simplest of our Setup Manager provisioning processes. Prior to using Setup Manager, we had no formal process for setting up a Mac server.

Bootstrapping

Our server building process begins before Automated Device Enrollment, Jamf Pro, or Jamf Setup Manager enter the picture. Macs ship from Apple with productivity software preinstalled: Keynote, Numbers, Pages, iMovie, and GarageBand. When using a computer as a server, we want a minimal amount of software to run and maintain.

To bootstrap our provisioning process, we either restore the Mac with an IPSW file in DFU mode, if it’s just shipped from Apple; or use Erase All Content and Settings, if it’s an existing Mac in our fleet.

Enrollment

As we want to take advantage of Automated Device Enrollment and Auto Advance, these Mac minis are in Apple Business Manager. In ABM, they are assigned to our production Jamf Pro Cloud instance.

In Jamf Pro, the Macs are scoped to a PreStage Enrollment called Server. It has the following characteristics:

  • The MDM profile is mandatory and cannot be removed
  • Activation Lock is disabled
  • Auto Advance is enabled
  • All options in Setup Assistant are disabled
  • A managed local administrator account is created. (This will be deleted later after a Jamf Management Framework LAPS account is created.)
  • A configuration profile named Jamf Setup Manager – Server is assigned
  • An enrollment package containing branded images is assigned

One thing you might notice is that Jamf Setup Manager is not installed during the enrollment. I do this to force the branding images to be installed before Setup Manager.[1]

Smart group

Computers enrolled in the above PreStage are added to a smart group. We modified the default All Managed Servers group to add this criterion.

This group is used in dozens of places in our Jamf Pro instance, often to exclude servers, e.g. so that our VPN software is not installed on them when it is missing.

Provisioning with Jamf Setup Manager

After Setup Assistant and enrollment, Jamf Setup Manager is installed by a Jamf Pro policy that is triggered by the enrollmentComplete trigger. The policy is scoped to the above smart group. Jamf Setup Manager is configured as follows:

  • Icon is symbol:server.rack
  • The title and message convey that this is a server install
  • Background is the default wallpaper
  • Accent color is our corporate color
  • Runs at loginwindow
  • Final action is the default (continue) and final countdown is 10 seconds
  • User entry only prompts for a computer name. The name must match our server naming rules. (These computers have an asset tag, but there seems little point in re-entering it here when (a) we use Inventory Preload and (b) the computer name is not based on it.)
  • Enrollment Actions (source material linked where possible):
    • Default Time Zone and City – Jamf policy – With Auto Advance, the time zone step in Setup Assistant is bypassed, so we run a script instead
    • Time Server – Jamf policy – Sets our on-premise time server
    • Defines YubiKeys and keyboards – Jamf policy – While it’s unlikely that a YubiKey would be used on these Macs, we can lift an existing policy to define keyboards and suppress Keyboard Setup Assistant
    • Particulars – Jamf policy – This may become an Installomator action when the bundled Installomator is next updated in Setup Manager
    • Here we wait for user data entry. It’s not strictly required, but the computer name is captured by the agents that are installed after this step.
    • Wait for /Library/Managed Preferences/com.crowdstrike.falcon.plist – Wait for this file to exist as proof that the CrowdStrike Falcon configuration profile has been installed
    • CrowdStrike Falcon N-2 – Jamf policy
    • Ivanti Endpoint Management – Jamf policy – All of our computers and servers are inventoried by a common system
    • “Prepare for next step” – Jamf policy – This creates and launches a launch daemon that waits for Jamf Setup Manager to exit before installing Jamf Connect
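The last action above, a policy that leaves behind a launch daemon which waits for Setup Manager to exit and then installs Jamf Connect, is the only piece of this list that is not a plain Jamf policy or Installomator label, so here is an added example of how such a helper can be built. This is not the post's own policy script: the daemon label, the assumed process name "Setup Manager", the script location under /Library/Management, and the custom trigger installJamfConnect are all assumptions chosen for illustration.

```shell
#!/bin/bash
# Added example, not the post's own "Prepare for next step" policy script.
# It installs a LaunchDaemon that waits for Jamf Setup Manager to exit and then
# runs a Jamf Pro policy by custom trigger (here, the Jamf Connect installer).
# The label, process name, paths and trigger below are assumptions for illustration.

DAEMON_LABEL="com.example.wait-for-setup-manager"          # assumed LaunchDaemon label
SM_PROCESS="Setup Manager"                                  # assumed process name of Jamf Setup Manager
JAMF_TRIGGER="installJamfConnect"                           # assumed custom trigger of the Jamf Connect policy
SCRIPT_REL="Library/Management/wait-for-setup-manager.sh"   # assumed location of the watcher script

# Print the watcher script. $1 = path of the jamf binary to invoke.
render_watcher() {
  local jamf_bin="$1"
  cat <<EOF
#!/bin/bash
# Poll until Jamf Setup Manager has exited, then run the follow-up policy.
while /usr/bin/pgrep -x "$SM_PROCESS" >/dev/null 2>&1; do
  /bin/sleep 5
done
"$jamf_bin" policy -event "$JAMF_TRIGGER"
# Self-clean: remove the daemon definition and unload it.
/bin/rm -f "/Library/LaunchDaemons/$DAEMON_LABEL.plist"
/bin/launchctl bootout "system/$DAEMON_LABEL"
EOF
}

# Print the LaunchDaemon plist. $1 = absolute path of the watcher script.
render_daemon_plist() {
  local script_path="$1"
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>$DAEMON_LABEL</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/bash</string>
    <string>$script_path</string>
  </array>
  <key>RunAtLoad</key>
  <true/>
</dict>
</plist>
EOF
}

# Write both files under a root prefix and, on the real system root, load the daemon.
# $1 = root prefix ("/" in production; a scratch directory for a dry run), $2 = jamf binary.
install_daemon() {
  local root="${1:-/}"
  local jamf_bin="${2:-/usr/local/bin/jamf}"
  local script_path="${root%/}/$SCRIPT_REL"
  local plist_path="${root%/}/Library/LaunchDaemons/$DAEMON_LABEL.plist"

  mkdir -p "$(dirname "$script_path")" "$(dirname "$plist_path")"
  render_watcher "$jamf_bin" > "$script_path"
  chmod 755 "$script_path"
  # The daemon must point at the real on-disk path, not the dry-run prefix.
  render_daemon_plist "/$SCRIPT_REL" > "$plist_path"
  chmod 644 "$plist_path"

  # Only touch ownership and launchctl when installing for real as root.
  if [ "${root%/}" = "" ] && [ "$(id -u)" -eq 0 ]; then
    chown root:wheel "$script_path" "$plist_path"
    /bin/launchctl bootstrap system "$plist_path"
  fi
}

# Run from a Jamf policy as: bash thisscript.sh --install
if [ "${1:-}" = "--install" ]; then
  install_daemon / /usr/local/bin/jamf
fi
```

Because the policy that installs this daemon is itself run by Setup Manager, Setup Manager is guaranteed to be running when the polling loop starts, so the loop cannot fall through before provisioning has finished. Passing a scratch directory as the root prefix lets you inspect the generated plist and script on a workstation before scoping the policy to the server smart group.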

Process

By plugging this computer into Ethernet and bootstrapping it as described above, enrollment into Jamf Pro automatically occurs. When that completes, Jamf Setup Manager is installed and run at the login window. The computer name is prompted for while the first set of policies run. Policies are then completed. Jamf Setup Manager exits automatically, and Jamf Connect is installed.

Next Steps

After a user logs in, the Jamf Management LAPS account is created, and the admin created during Setup Assistant can be deleted. As this computer will be used as a server, it will run headless in a datacenter or wiring closet. Screen Sharing can be enabled in the Management tab of the computer’s inventory record in Jamf Pro, by a Jamf API command. FileVault should not be enabled.

Other server configurations, such as assigning a static IP address or installing and configuring server software, can also be done.

Limitations

I had an enrollment action that should have disabled the Wi-Fi interface. It did not. It’s possible this cannot be disabled until after the first login. (I say that because the same action does work in our Zoom Rooms process.)

Up next

Part of my objective in documenting these processes is to demonstrate the versatility of Jamf Setup Manager when operating in non-default environments, meaning outside of Setup Assistant. In the next post, I’ll look at using Jamf Setup Manager in Zoom Rooms, where it runs in user space.


  1. It’s been my experience that the actual installation order of packages in a PreStage Enrollment cannot be determined. Despite trying to use both priority and alphabetical ordering, I have seen packages install in the wrong order in the install.log file.
