Last updated at 2019-06-20 13:16:57 by admn2511
Differences between revisions 9 and 10
Revision 9 as of 2019-06-20 12:51:26
Size: 10739
Editor: admn2511
Comment:
Revision 10 as of 2019-06-20 13:16:57
Size: 4244
Editor: admn2511
Comment:
Line 11: Line 11:
== Installing Windows 10 == == Process ==

=
== Installing Windows 10 ===
Line 29: Line 31:
== Binding to BSG Domain == === Binding to BSG Domain ===
Line 50: Line 52:
== Software Setup == === Software Setup ===
Line 71: Line 73:

This is automatically followed by the 'Planting' stage where essential configuration for security, binding, branding etc and installation of the munki software deployment tools including the Orchard Software Centre. Once Planting is complete the user is prompted to restart and Orchard Software Centre (munki) will deploy software.

For macOS 10.13 onwards the jamf binary is downloaded via MDM.

== Prerequisites ==
 1. You have an account on the Orchard JSS with the privilege 'JSS Actions' --> 'Enrol Computers and Mobile Devices'.
 1. You have the credentials for an admin account on the Mac. All BSG Macs use ‘ladmin’ as the local admin account username. The Site Admin account, or ‘sadmin’ is installed automatically as part of enrolment.
 1. The Mac has been assigned a name based on the computer name list found on Live. The name must always have the ‘bsg-‘ prefix. The only exception to this rule is for the AV Mac Mini’s.
 1. Print out and stick a name label onto the back of the Macbook if it's a new device. Make a note or assign an Asset Tag number and stick the corresponding sticker on the back.
 1. If the Mac has an ethernet port, this needs to be put on the [[https://nac.bsg.ox.ac.uk/tips/tipsLogin.action|NAC]] under the 'User' Vlan.
 1. The Mac's storage has a single partition named 'Macintosh HD'.
=== Prerequisites ===
Line 86: Line 77:
 1. Whether the Mac is fresh out of the box or a reinstallation, create an {{{ladmin}}} account as part of the Setup Assistant. You can use an easy password for this section of enrolment for ease. You will need to set a complex password and record this in 1Password later.
 1. Login to the Mac using the {{{ladmin}}} account.
 1. In System Preferences --> Sharing, check the Computer Name has the bsg- prefix eg. {{{bsg-Macbook}}}. This will be the name used to create the Computer Record in the Orchard JSS. It will also be used to bind the Mac to the BSG Active Directory.
 1. Close all open documents and applications.
Line 92: Line 80:
 1. On the Mac to be commissioned, browse to {{{https://jss.orchard.ox.ac.uk/enrol}}} to start the enrolment process.
 1. ''Complete this process to add your Mac'': Enter your JSS User Account credentials.

{{attachment:Enrol 1.png}}

 1. ''Assign to user'': enter the end-user's SSO username (abcd1234), click the spyglass and wait for a tick or cross to appear.
  * If a cross appears this means the user needs to be added to the JSS, first check if an AD account has been created for them. If this is going to be a shared computer, enter your own SSO instead and click the spylass again. You can then amend the user details in the JSS after enrolment has completed.
  * The user search relies on the Orchard JSS being bound to an Active Directory containing your users' data. If this has not been configured, leave the username field blank and set it in the Computer Record after enrolment.

{{attachment:Enrol 2.png}}

 1. ''Assign to user'': Once the tick has appeared click 'Enrol'.
 1. ''To continue with enrolment...'': Click Continue to download and open the MDM profile.

{{attachment:Enrol 3.png}}

 1. ''Are you sure you want to install...'': Click Continue to install the MDM profile.

INSTALL STEP 2

 1. ''Are you sure you want to install...'': Check the details of the profile then click Install.

INSTALL STEP 3

 1. ''Profiles wants to make changes'': Enter credentials for the ladmin account.

STEP 4

 1. ''Profiles'': Note the MDM profile is now Verified.

STEP 5

 1. ''Profiles'': The Privacy Preferences Policy profile should then install automatically.

STEP 6

 1. Enrolment is now complete and Planting policies will start executing in the background.
 
Line 131: Line 83:
 1. The Planting policies are triggered automatically after enrolment and will take around five minutes to complete. These configure security, binding, branding etc and install 'Orchard Software Centre' (munki) for software deployment.
  * To follow the results of the Planting policies, run {{{tail -f /var/log/jamf.log}}} in a Terminal window.
 1. ''Computer record'': While waiting for the Planting policies to complete, sign into the Orchard JSS at https://jss.orchard.ox.ac.uk and find the new computer.
 1. ''Computer record'': In General, edit the page and add an Asset Tag number based on the sticker you chose.
Line 136: Line 84:
GENERAL ASSET TAG PICTURE
Line 138: Line 85:
 1. ''Computer record'': In User & Location, check the user and correct it to the end-user's if necessary. === Laptops only: Initiate Bitlocker encryption ===
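Review bot: The heading 'Laptops only: Initiate Bitlocker encryption' at the end of this hunk arrives with no steps under it. In the revision as rendered further down it is followed directly by the next heading, whereas the FileVault section it stands in for pointed to a supported encryption workflow. Add the BitLocker procedure (or a link to it) under this heading, including where the recovery key is recorded, so that a laptop is not handed over unencrypted.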
Line 140: Line 87:
USER & LOCATION PICTURE

 1. ''Computer record'': In Purchasing, enter the PO Number and PO Date.

PURCHASING PICTURE

 1. ''A restart is needed'': Once the Planting policies are complete you will see this dialog. Click the 'Restart in 2 Minutes' button and '''wait for the Mac to automatically restart'''.

PLANTING RESTART PICTURE

 1. ''Orchard Software Centre'': After the Mac restarts, the login screen should appear but be locked immediately. Orchard Software Centre should then automatically install Apple Software Updates followed by software titles. This may require one or more automated restarts.
 1. Orchard Software Centre will close after all software is installed.

=== MacBooks only: Initiate FileVault encryption ===
If you are commissioning a !MacBook it will receive a Configuration Profile to enable !FileVault at login. Encryption will only proceed if the '''ladmin''' account is used; it will not happen if any other account logs in.

Follow the encryption workflow for macOS 10.13 onwards on [[https://docs.orchard.ox.ac.uk/ITSS/FileVault#Supported_workflow_for_encrypting_macOS_10.13_or_later|'FileVault - Information for IT Support Staff']], then return here to complete the remainder of the commissioning process.
Line 159: Line 89:
 1. On the Mac, confirm in ''System Preferences >>> Profiles'' that all the Configuration Profiles listed in the Mac's JSS Computer Record under Management have been installed.
 1. Restrict admin rights as appropriate:
  * Reset the 'ladmin' password using 1Password to both generate a password and to save it.
 1. Logout of the 'ladmin' account so that the standard Mac login screen shows. The new user can then enter their BSG credentials.
 1. You should now be able to hand over the Mac to the user.
 1. Once they have logged in, you will need to enter the 'ladmin' password stored in 1Password. This will then encrypt the laptop, and set the user as the main login account.

To troubleshoot issues check the computer record in the JSS for failed policies (History --> Policy Logs), and check the Orchard Software Centre install log for failures at {{{/var/log/munki/Install.log}}}
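Review bot: The hand-over steps in this hunk include resetting the 'ladmin' password with 1Password and restricting admin rights, and the new revision has no counterpart for them. Windows step 6 says recording the password can wait "till the end", but the rendered 'Confirm Configuration Profiles, restrict admin rights and hand over to user' heading is empty. Add the closing Windows steps (set the final ladmin password, record it in 1Password, restrict admin rights) so the deferred password step is not skipped.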


Commissioning a Windows Laptop for BSG Deployment

Overview

This is the standard method of commissioning a BSG Windows Laptop onto the BSG domain. The laptop should be running Windows 10 Enterprise, and be BitLocker compatible.

Fresh out of the box Dell Computers will have Windows 10 Enterprise installed. If you need to install a fresh version of Windows 10 Enterprise, please follow the below steps.

Process

Installing Windows 10

  1. Download the latest Windows 10 bundle from the University Microsoft Download Page. You will need to login with your SSO username and password.

  2. Create a bootable Windows 10 USB drive. You will need this to install a fresh version of Windows 10.

  3. Boot from USB by pressing F12 on start-up, then choose your USB media from the boot options.
  4. Before installing Windows 10, wipe the hard drive to create a new single partition.
  5. Follow the steps to install Windows 10 Enterprise.
  6. Create an ladmin account when prompted; this will be the Local Admin account for the end-user. Create a sufficiently strong password and record this in 1Password. You can wait to do this till the end so that the rest of the process is quicker and easier.
  7. Set a name based on the current naming convention and make a record of this on the ‘Windows Computer List’ Excel spreadsheet. Assign an asset number and log this in the Windows Excel spreadsheet.
  8. Place a name and asset number sticker onto the back of the laptop.

Binding to BSG Domain

Once you have booted into Windows 10, you need to assign the computer to the BSG domain. Do this by following the steps below.

  1. Log in to the NAC and put the device on the 'User' VLAN using its MAC address.

  2. Join the device to the BSG Domain, using your -s account to confirm.
    • On the Start screen, type Control Panel, and then press ENTER.
    • Navigate to System and Security, and then click System.
    • Under Computer name, domain, and workgroup settings, click Change settings.
    • On the Computer Name tab, click Change.
    • Under Member of, click Domain, type the name of the domain that you wish this computer to join, and then click OK.
    • Click OK, and then restart the computer.
  3. Once the computer has restarted, search for the new computer on the domain and place this in the correct computer group. This will then apply all necessary group policies for the computer.
  4. When the computer has restarted, log in as the ladmin account. Remember to use the computer name with the username when logging in, e.g. bsg-computername\ladmin.
  5. Check for any updates for Windows and install them.

Software Setup

  1. Uninstall 'MyOffice' if present, then download and install Microsoft Office 2016 from the University Microsoft Download site.

  2. Navigate to the Dell Support page and install any missing drivers. Make sure to install any dock patches that may be needed.

  3. Install the following software:
    • Sophos Endpoint
    • Microsoft Teams
    • Chrome
    • Firefox
    • Adobe Reader
    • FortiClient
  4. For Oracle Financials users, install the University Java package.

  5. For CoreHR users you must follow the setup instructions at the CoreHR Local IT webpage.

  6. For Oracle Financial users, you must follow the setup instructions at the Oracle Financials Technical Support page.

Prerequisites

Process

Prepare for enrolment

Enrol and prepare for Planting

Planting and software deployment

Laptops only: Initiate Bitlocker encryption

Confirm Configuration Profiles, restrict admin rights and hand over to user