Hello and welcome to the second post in this series. If you haven't already read the first, I'd suggested you go back and read it. It's quite important, as it covers some prerequisites for getting this workflow up and running. Skipping parts may result in something not working. Go on, we'll wait for you:
In this post, I was going to cover the creation of all the scripts and smart groups. However, by the time I'd finished just one part, it felt like enough. So, this post will cover the creation of the scripts, smart groups, and extension attributes required to take us to the auto logon stage of our setup.
Auto Advance PreStage Smart Group
If you're new to Jamf, you may not fully appreciate the usefulness of Smart Groups … yet! They can make life so much easier. For us, they're going to be incredibly helpful in ensuring we scope policies to exactly where we want them to go, and at the right time. If you haven't already, I'd suggest you read up on Smart Groups:
Anyway, the first Smart Group we're going to make use of is one that contains devices that are enrolled via the Lab - Auto Advance PreStage method.
An image speaks a thousand words, so we're going to be making heavy use of them in this post!
Any devices that come through that PreStage will now be automatically added to this Smart Group. OK, great. Now, we're going to want to do something with this group, otherwise what's the point.
Auto Logon Script
One of the major issues I've been facing up to this stage has been giving the local technician decent feedback about how the software installation has been going. So far, I've just been running policies in the background while the device has been seemingly idle at the log on window. This is not overly helpful for them unless they're checking the policy history. I wanted more, and it's taken a few months to get to this stage. But the answer was "simple".
We're going to have the device automatically sign in as our local admin user that was created as part of our PreStage settings. Unfortunately, this doesn't seem to be an option in Jamf Pro right now, which I think is incredibly short-sighted. You're allowed to skip account creation, but then not sign in … Might be worthy of a feature request.
To achieve our goal, we're going to make use of this:
Which I discovered over on brunderd's blog here:
From here, we're going to need to add this script to our Jamf Pro instance, and configure the options (makes it easier in future if you name these now). After that, we're going to create a policy to actually do something with the script, and scope it to our Devices - Lab - Auto Advance smart group that we created earlier.
So here, we've added the script to Jamf, and then updated the parameter labels to Username and Password. This will make it much easier to remember what does what when it comes to creating the policy.
Auto Logon Policy
Next, we'll create a new computer policy. I've prefixed this with a "00." in an attempt to help ensure that it is the very first thing that runs when it tells Jamf that the enrolment is complete.
Above, you can see where those parameter labels come in to play.
Below, we've configured the device to automatically restart as soon as the script completes. This is important, as we've just configured the device to automatically login as this user on startup, not when the script runs.
With those two parts done, we now have a policy that will run at enrolment complete for any device that comes through that PreStage. It will run the script to enable the auto logon at startup. Now we need to make use of this new-found freedom.
Auto Logon Extension Attribute
Next, we're going to want to know when a device has auto logon enabled. Without knowing this, we can't really act on it reliably. I think the easiest option here is to make use of Extension Attributes:
We're going to create an extension attribute that runs a script on the device to see if auto logon in enabled, then return a status to Jamf. Once that information is back, we can act on it.
We can achieve this by making use of the incredibly helpful answer from thoule in the Jamf Community:
With a few tweaks, we can check for our entry on the login window to see if the result matches our local admin username, then return a result based on that. We knew it was writing out to this file on line 108 of brunerd's login script.
If we check the Extension Attributes page of the device that we have deployed with this policy scoped to it, this looks to be true:
On reflection, I probably could have shortened this to simply return "Enabled" or "Disabled".
Auto Logon Status Smart Group
Phew, we've come a long way already, but there's still so much left to do. Now that we've got devices telling us if they have Auto Logon Enabled or not, we need to do something with that information.
I want to scope our next set of policies to run on devices that are sat there waiting on the desktop for us. It's important that this happens at the desktop due to the way DEPNotify displays things. This will be more obvious later. For now, let's create a Smart Group based on this extension attribute.
Here's the Smart Group with the criteria, checking that the Auto Logon Status is Auto Logon Enabled. Any machine that is returning that information to Jamf will now automatically be made a member of this Smart Group. If we check that, we can indeed see that the device that is waiting at the desktop is indeed a member:
We've actually covered quite a lot of ground in this post, and I think that adding any more to it would actually be detrimental. Especially with my scattered way of thinking.
For this post, we've created a PreStage Smart Group to make use of the PreStage setup from the previous post. Created a script and a policy to automatically log on our local administrator created during PreStage Enrolment. And, created an extension attribute that runs a small shell script to query a machine to see if auto login is enabled, adding it to a new Smart Group if that is true.
Phew! If we add the previous achievements to this one, we've actually done quite a lot:
- Configured Apple School Manager for devices to be automatically added by suppliers
- Added MDM servers to Apple School Manager
- Added Automated Device Enrolment settings to Jamf to line up with ASM
- Created a PreStage Enrolment task that will automatically assign devices to it that are assigned to our Lab - DEP from ASM. When turned on, these devices will then make use of the Auto Advance feature in macOS Big Sur or later to automatically run through the setup screens. Jamf will create a local administrator account for us, and skip the rest of the account creation process.
- Created a script that will automatically log our new local administrator account in.
- Created a policy for that script that will run once enrolment is completed, and scoped that only to machines that come through our Lab - Auto Advance PreStage.
- Created an Extension Attribute that will query the machine to see if our auto login is enabled and active.
- Created a Smart Group that will automatically add devices to itself if that extension attribute comes back as our true statement.
At this stage, we can now have a device taken out of the box, plugged in and automatically sat waiting at the desktop within about 5 minutes. All we need to do now is push software at it. Easy … right? Oh Apple, you little tinker.
Again, if you have any feedback or suggestions on improving this process, I'd love to hear from you. You can usually find me lurking in the MacAdmins Slack in various channels: macadmins.slack.com