Fully Automated Lab iMac Deployment with Jamf Pro & ADE: Part 2 - PreStage to Auto Logon



Hello and welcome to the second post in this series. If you haven't already read the first, I'd suggest you go back and read it. It's quite important, as it covers some prerequisites for getting this workflow up and running. Skipping parts may result in something not working. Go on, we'll wait for you:

Fully Automated Lab iMac Deployment with Jamf Pro & ADE: Part 1 - ASM to PreStage
In this first post of the series, we cover Apple School Manager, Jamf ADE, and the initial PreStage settings.

In this post, I was going to cover the creation of all the scripts and smart groups. However, by the time I'd finished just one part, it felt like enough. So, this post will cover the creation of the scripts, smart groups, and extension attributes required to take us to the auto logon stage of our setup.

Enjoy!


Auto Advance PreStage Smart Group

If you're new to Jamf, you may not fully appreciate the usefulness of Smart Groups … yet! They can make life so much easier. For us, they're going to be incredibly helpful in ensuring we scope policies to exactly where we want them to go, and at the right time. If you haven't already, I'd suggest you read up on Smart Groups:

Smart Groups - Jamf Pro Documentation | Jamf
Jamf Pro allows you to create smart groups for managed computers, mobile devices, or users. You can create smart groups based on one or more inventory attributes. To avoid issues, smart group criteria ...

Anyway, the first Smart Group we're going to make use of is one that contains devices that are enrolled via the Lab - Auto Advance PreStage method.

An image speaks a thousand words, so we're going to be making heavy use of them in this post!

Jamf Smart Group Creation Settings
Jamf Smart Group Creation Criteria

Any devices that come through that PreStage will now be automatically added to this Smart Group. OK, great. Now, we're going to want to do something with this group, otherwise what's the point.


Auto Logon Script

One of the major issues I've been facing up to this stage has been giving the local technician decent feedback about how the software installation has been going. So far, I've just been running policies in the background while the device has been seemingly idle at the log on window. This is not overly helpful for them unless they're checking the policy history. I wanted more, and it's taken a few months to get to this stage. But the answer was "simple".

We're going to have the device automatically sign in as our local admin user that was created as part of our PreStage settings. Unfortunately, this doesn't seem to be an option in Jamf Pro right now, which I think is incredibly short-sighted. You're allowed to skip account creation, but then not sign in … Might be worthy of a feature request.

To achieve our goal, we're going to make use of this:

macAdminTools/setAutoLogin.jamf.sh at main · brunerd/macAdminTools
Tools for the MacAdmin. Contribute to brunerd/macAdminTools development by creating an account on GitHub.

Which I discovered over on brunerd's blog here:

Automating automatic login for macOS – brunerd

From here, we're going to need to add this script to our Jamf Pro instance, and configure the options (makes it easier in future if you name these now). After that, we're going to create a policy to actually do something with the script, and scope it to our Devices - Lab - Auto Advance smart group that we created earlier.

Jamf Pro - Adding the script
Jamf Pro - Adding the script parameter labels

So here, we've added the script to Jamf, and then updated the parameter labels to Username and Password. This will make it much easier to remember what does what when it comes to creating the policy.

Auto Logon Policy

Next, we'll create a new computer policy. I've prefixed this with a "00." in an attempt to help ensure that it is the very first thing that runs when it tells Jamf that the enrolment is complete.

Jamf Pro - Auto Logon Script Policy General Tab
Jamf Pro - Auto Logon Script Policy Script Tab

Above, you can see where those parameter labels come into play.

Below, we've configured the device to automatically restart as soon as the script completes. This is important, as we've just configured the device to automatically log in as this user on startup, not when the script runs.

Jamf Pro - Auto Logon Script Policy Restart Tab

With those two parts done, we now have a policy that will run at enrolment complete for any device that comes through that PreStage. It will run the script to enable the auto logon at startup. Now we need to make use of this new-found freedom.

Auto Logon Extension Attribute

Next, we're going to want to know when a device has auto logon enabled. Without knowing this, we can't really act on it reliably. I think the easiest option here is to make use of Extension Attributes:

Computer Extension Attributes - Jamf Pro Documentation | Jamf
Extension attributes allow you to collect extra inventory information. Extension attribute values are populated using an input type, which can be any of the following: Text field Pop-up menu Script ...

We're going to create an extension attribute that runs a script on the device to see if auto logon is enabled, then return a status to Jamf. Once that information is back, we can act on it.

We can achieve this by making use of the incredibly helpful answer from thoule in the Jamf Community:

Re: Smart Group based on policy
Your smart group needs to identify the difference between a computer that has run your script and one that hasn't. If nothing jumps out at you, then I tend to create a plist as part of my script defaults write /Library/Preferences/com.toddco.plist scriptWasRun -bool YES Then an extension attribute t…
Jamf Pro - Creating the extension attribute for checking Auto Logon

With a few tweaks, we can check for our entry on the login window to see if the result matches our local admin username, then return a result based on that. We knew it was writing out to this file on line 108 of brunerd's login script.

macAdminTools/setAutoLogin.jamf.sh at 9146c633b16534b2436727faea6de8df9395f7a4 · brunerd/macAdminTools
Tools for the MacAdmin. Contribute to brunerd/macAdminTools development by creating an account on GitHub.

If we check the Extension Attributes page of the device that we have deployed with this policy scoped to it, this looks to be true:

On reflection, I probably could have shortened this to simply return "Enabled" or "Disabled".
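An extension attribute script along the lines described above, as an added example rather than the script from the original post's screenshot. It assumes the login window stores the auto login account in the `autoLoginUser` key of `/Library/Preferences/com.apple.loginwindow`, uses the placeholder account name `labadmin`, and adds a third result (not in the original) for auto login being set to an account other than the expected one.

```shell
#!/bin/bash
# Jamf Pro extension attribute: report whether auto logon is set for the
# expected local admin account. Added example, not the original post's script.

# ASSUMPTION: placeholder short name; use the account created by your PreStage.
EXPECTED_USER="labadmin"
# Preference domain the login window reads its auto login user from.
LOGINWINDOW_PLIST="/Library/Preferences/com.apple.loginwindow"

# Print the configured auto login user, or nothing if the key is not set
# (or if `defaults` is unavailable, e.g. when testing off a Mac).
read_auto_login_user() {
    command -v defaults >/dev/null 2>&1 || return 0
    defaults read "$LOGINWINDOW_PLIST" autoLoginUser 2>/dev/null || true
}

# Map (expected user, configured user) to the string Jamf will store.
auto_logon_status() {
    expected="$1"
    configured="$2"
    if [ -z "$configured" ]; then
        echo "Auto Logon Disabled"
    elif [ "$configured" = "$expected" ]; then
        echo "Auto Logon Enabled"
    else
        # Auto login is on, but for an account we did not configure.
        echo "Auto Logon Unexpected User: $configured"
    fi
}

# Jamf only records what is printed between <result> tags.
echo "<result>$(auto_logon_status "$EXPECTED_USER" "$(read_auto_login_user)")</result>"
```

The value only changes when the Mac submits inventory, so Smart Group membership based on it follows the next inventory update.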

Auto Logon Status Smart Group

Phew, we've come a long way already, but there's still so much left to do. Now that we've got devices telling us if they have Auto Logon Enabled or not, we need to do something with that information.

I want to scope our next set of policies to run on devices that are sat there waiting on the desktop for us. It's important that this happens at the desktop due to the way DEPNotify displays things. This will be more obvious later. For now, let's create a Smart Group based on this extension attribute.

Jamf Pro - Creating a Smart Computer Group that checks for our Auto Logon Status extension attribute

Here's the Smart Group with the criteria, checking that the Auto Logon Status is Auto Logon Enabled. Any machine that is returning that information to Jamf will now automatically be made a member of this Smart Group. If we check that, we can see that the device that is waiting at the desktop is indeed a member:


Summary

We've actually covered quite a lot of ground in this post, and I think that adding any more to it would actually be detrimental. Especially with my scattered way of thinking.

For this post, we've created a PreStage Smart Group to make use of the PreStage setup from the previous post. We've created a script and a policy to automatically log on our local administrator created during PreStage Enrolment. And we've created an extension attribute that runs a small shell script to query a machine to see if auto login is enabled, adding it to a new Smart Group if that is true.

Phew! If we add the previous achievements to this one, we've actually done quite a lot:

  • Configured Apple School Manager for devices to be automatically added by suppliers
  • Added MDM servers to Apple School Manager
  • Added Automated Device Enrolment settings to Jamf to line up with ASM
  • Created a PreStage Enrolment task that will automatically assign devices to it that are assigned to our Lab - DEP from ASM. When turned on, these devices will then make use of the Auto Advance feature in macOS Big Sur or later to automatically run through the setup screens. Jamf will create a local administrator account for us, and skip the rest of the account creation process.
  • Created a script that will automatically log our new local administrator account in.
  • Created a policy for that script that will run once enrolment is completed, and scoped that only to machines that come through our Lab - Auto Advance PreStage.
  • Created an Extension Attribute that will query the machine to see if our auto login is enabled and active.
  • Created a Smart Group that will automatically add devices to itself if that extension attribute comes back as our true statement.

At this stage, we can now have a device taken out of the box, plugged in and automatically sat waiting at the desktop within about 5 minutes. All we need to do now is push software at it. Easy … right? Oh Apple, you little tinker.

Again, if you have any feedback or suggestions on improving this process, I'd love to hear from you. You can usually find me lurking in the MacAdmins Slack in various channels: macadmins.slack.com

The image for this blog post series is a photo by Quaritsch Photography on Unsplash.
