Last updated at 2019-06-20 13:16:57 by admn2511
Differences between revisions 2 and 3
Revision 2 as of 2018-03-29 13:04:00
Size: 10036
Editor: admn2511
Comment:
Revision 3 as of 2019-06-18 11:38:53
Size: 13733
Editor: admn2511
Comment:
Line 1: Line 1:
== Mac tips for Windows switchers == = Commissioning a Mac for Orchard on macOS 10.13 onwards =
Line 3: Line 3:
=== Learn how to perform some common tasks on your new Mac. === <<TableOfContents(3)>>
Line 5: Line 5:
== Right click == == Overview ==

This is the standard method of commissioning an Orchard Mac. The Mac needs an [[SupportedOS|Orchard-supported version of macOS installed]] and is then enrolled via web browser to the Orchard JSS. A successful enrolment creates a computer record in the JSS and installs the 'jamf' management binary on the client.

This is automatically followed by the 'Planting' stage where essential configuration for security, binding, branding etc and installation of the munki software deployment tools including the Orchard Software Centre. Once Planting is complete the user is prompted to restart and Orchard Software Centre (munki) will deploy software.

For macOS 10.13 onwards the jamf binary is downloaded via MDM.

== Prerequisites ==

 1. You have an account on the Orchard JSS with the privilege 'JSS Actions' --> 'Enrol Computers and Mobile Devices'.
 1. You have the credentials for an admin account on the Mac. All BSG Macs use ‘ladmin’ as the local admin account username. The Site Admin account, or ‘sadmin’ is installed automatically as part of enrolment.
 1. The Mac has been assigned a name based on the computer name list found on Live. The name must always have the ‘bsg-‘ prefix. The only exception to this rule is for the AV Mac Mini’s.
 1. Print out and stick a name label onto the back of the Macbook if it's a new device. Make a note or assign an Asset Tag number and stick the corresponding sticker on the back also.
 1. If the Mac has an ethernet port, this needs to be put on the [[https://nac.bsg.ox.ac.uk/tips/tipsLogin.action|NAC]] under the 'User' Vlan.
 1. The Mac's storage has a single partition named 'Macintosh HD'.

== Process ==

=== Prepare for enrolment ===

 1. Whether the Mac is fresh out of the box or a reinstallation, create an {{{ladmin}}} account as part of the Setup Assistant. You can use an easy password for this section of enrolment for ease. You will need to set a complex password and record this in 1Password later.
 1. Login to the Mac using this {{{ladmin}}} account if you have not already done so.
 1. In System Preferences --> Sharing, check the Computer Name has the bsg- prefix eg. {{{bsg-Macbook}}}. This will be the name used to create the Computer Record in the Orchard JSS. It will also be used to bind the Mac to the BSG Active Directory.
 1. Close all open documents and applications.

=== Enrol and prepare for Planting ===

 1. On the Mac to be commissioned, browse to {{{https://jss.orchard.ox.ac.uk/enrol}}} to start the enrolment process.
 1. ''Complete this process to add your Mac'': Enter your JSS User Account credentials.
 LOGIN PAGE PICTURE
 1. ''Assign to user'': enter the end-user's SSO username (abcd1234), click the spyglass and wait for a tick or cross to appear.
  * If a cross appears this means the user needs to be added to the JSS, first check if an AD account has been created for them. If this is going to be a shared computer, enter your own SSO instead and click the spylass again. You can then amend the user details in the JSS after enrolment has completed.
  * The user search relies on the Orchard JSS being bound to an Active Directory containing your users' data. If this has not been configured, leave the username field blank and set it in the Computer Record after enrolment.
ASSIGN TO USER PICTURE
 1. ''Assign to user'': Once the tick has appeared click 'Enrol'.
 1. ''To continue with enrolment...'': Click Continue to download and open the MDM profile.
ENROL PICTURE DOWNLOAD
 1. ''Are you sure you want to install...'': Click Continue to install the MDM profile.
 INSTALL STEP 2
 1. ''Are you sure you want to install...'': Check the details of the profile then click Install.
INSTALL STEP 3
 1. ''Profiles wants to make changes'': Enter credentials for the ladmin account.
 STEP 4
 1. ''Profiles'': Note the MDM profile is now Verified.
 STEP 5
 1. ''Profiles'': The Privacy Preferences Policy profile should then install automatically.
 STEP 6
 1. Enrolment is now complete and Planting policies will start executing in the background.

=== Planting and software deployment ===

 1. The Planting policies are triggered automatically after enrolment and will take around five minutes to complete. These configure security, binding, branding etc and install 'Orchard Software Centre' (munki) for software deployment.
  * To follow the results of the Planting policies, run {{{tail -f /var/log/jamf.log}}} in a Terminal window.
 1. ''Computer record'': While waiting for the Planting policies to complete, sign into the Orchard JSS at https://jss.orchard.ox.ac.uk and find the new computer.
  * ''General'' In the General, edit the page and add an Asset Tag number based on the sticker you chose.
 GENERAL ASSET TAG PICTURE
 1. ''Computer record'': In User & Location, check the user and correct it to the end-user's if necessary.
 {{attachment:8 computer-record-user.png}}
 1. ''Computer record'': In Purchasing, set the Billing Start Date to today's date. If you require an audit trail enter the support ticket/incident number in 'Commissioning: RT Reference'.
 {{attachment:9 computer-record-purchasing.png}}
 1. ''A restart is needed'': Once the Planting policies are complete you will see this dialog. Click the 'Restart in 2 Minutes' button and '''wait for the Mac to automatically restart'''.
 {{attachment:mdm7 planting-restart.png}}
 1. ''Orchard Software Centre'': After the Mac restarts, the login screen should appear but be locked immediately. Orchard Software Centre should then automatically install Apple Software Updates followed by software titles. This may require one or more automated restarts.
  * If the Mac is already !FileVault encrypted then Orchard Software Centre may not automatically launch. Login as normal then launch Orchard Software Centre or log out.
 {{attachment:11 orchard-software-centre.png}}
 1. Orchard Software Centre will close after all software is installed.

=== MacBooks only: Initiate FileVault encryption ===

If you are commissioning a !MacBook it will receive a Configuration Profile to enable !FileVault at login. Encryption will only proceed if the '''same admin account''' used for the above is the one to log in; it will not happen if any other account logs in.

Follow the encryption workflow for macOS 10.13 onwards on [[ITSS/FileVault#Supported_workflow_for_encrypting_macOS_10.13_or_later|'FileVault - Information for IT Support Staff']], then return here to complete the remainder of the commissioning process.

=== Confirm Configuration Profiles, restrict admin rights and hand over to user ===

 1. On the Mac, confirm in ''System Preferences >>> Profiles'' that all the Configuration Profiles listed in the Mac's JSS Computer Record under Management have been installed.
 1. Restrict admin rights as appropriate:
  * It is a requirement of the ''Orchard Fully Managed'' product that all end-user accounts be Standard not Admin. If the device is a desktop Mac, log in using 'orchard' credentials and delete any other administrator accounts in System Preferences --> Users & Groups. If the device is a laptop, create account ladmin/Local Administrator, then log in and ask the user to set a password, then remove any administrator accounts besides 'orchard' and 'ladmin'.
  * We recommend that ''Orchard For ITSS'' Macs also have only the minimum required Admin accounts.
 1. You should now be able to hand over the Mac to the user.

To troubleshoot issues check the computer record in the JSS for failed policies (History --> Policy Logs), and check the Orchard Software Centre install log for failures at {{{/var/log/munki/Install.log}}}


Overview
This is the standard method of commissioning an Orchard Mac. The Mac needs an Orchard-supported version of macOS installed and is then enrolled via web browser to the Orchard JSS. A successful enrollment creates a computer record in the JSS and installs the 'jamf' management binary on the client.
This is automatically followed by the 'Planting' stage where essential configuration for security, binding, branding etc and installation of the munki software deployment tools including the Orchard Software Centre. Once Planting is complete the user is prompted to restart and Orchard Software Centre (munki) will deploy software.
For macOS 10.13 onwards the jamf binary is downloaded via MDM. The workflow is different for macOS 10.12 and earlier, see this page instead.
Prerequisites
1. You have an account on the Orchard JSS with the privilege 'JSS Actions' --> 'Enrol Computers and Mobile Devices'.
2. You have the credentials for an admin account on the Mac. If the Mac is already in use and the end user currently has admin rights on their personal account, this should be reduced to a Standard account and a Local Admin ('ladmin') or Site Admin ('sadmin') be used for the commissioning process. All Orchard laptops currently require a ladmin account as laptop support is still in beta.
3. The Mac has been registered for DNS with a valid hostname:
o For Connect AD, review their latest Naming Scheme and request a hostname from the Desktop Services Team.
o Units should use their own preference.
o NSMS generically uses naming scheme unit-hostname.unit.ox.ac.uk e.g. obg-taxus.obg.ox.ac.uk.
4. The Mac has been registered for DHCP, preferably having a fixed IP address.
5. The Mac's storage has a single partition named 'Macintosh HD'.
Process
Prepare for enrolment
1. On the Mac to be commissioned, log in with an admin account named ladmin, sadmin or setupuser. If it's a fresh out of the box Mac then use one of these three names for the initial user created during Setup Assistant.
2. In System Preferences --> Sharing, check the Computer Name is set to the first part of the DNS hostname eg. admn-dap1234dev. This will be the name used to create the Computer Record in the Orchard JSS. If configured it will also be used to bind the Mac to an Active Directory.
3. Close all open documents and applications.
Enrol and prepare for Planting
1. On the Mac to be commissioned, browse to https://jss.orchard.ox.ac.uk/enrol to start the enrollment process.
2. Complete this process to add your Mac: Enter your JSS User Account credentials.
3. Assign to user: enter the end-user's SSO username (abcd1234), click the spyglass and wait for a tick or cross to appear.
o If a cross appears this means the user needs to be added to the JSS, which can be done later. Enter your own SSO instead and click the spylass again.
o The user search relies on the Orchard JSS being bound to an Active Directory containing your users' data. If this has not been configured, leave the username field blank and set it in the Computer Record after enrolment.
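Review bot: 'Prepare for enrolment' step 1 lets the ladmin account be created with an easy password and promises a complex one recorded in 1Password "later", but no later step in this hunk does that; the handover section only says to "ask the user to set a password". Add an explicit step before handover to set the complex ladmin password and record it, so a Mac cannot reach the user with the enrolment-time password on its admin account. The unformatted second copy of the procedure that follows (from "Overview" onwards) also disagrees with the first on the admin account (ladmin, sadmin or setupuser versus ladmin) and on naming (DNS hostname versus the bsg- prefix); keep one of the two.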
Line 7: Line 115:
=== Click the right corner of your Apple mouse, or click with two fingers on your Apple trackpad. You can change this in Mouse preferences and Trackpad preferences. Scroll, swipe, click Settings for scroll direction, swipe gestures, and button assignments are also in Mouse and Trackpad preferences. ===

== vClose & resize windows ==

Buttons for closing, minimizing, and maximizing a window are in the upper-left corner of the window. Change volume Use the volume control in the menu bar, or use the volume keys on your Apple keyboard.

Find files Use Spotlight to quickly find and open apps, documents, and other files. Open apps You can also use Launchpad and the Dock to open your apps (programs).

Browse for files Looking for Windows File Explorer? Learn about the Finder. Throw files away Looking for the Recycle Bin? Use the Trash, which is in the Dock.

Rename files Click the file once to select it, then press the Return key and type a new name. Press Return when done. Preview files Preview most files on your Mac using Quick Look. Click the file once to select it, then press Space bar.

Back up files Time Machine keeps a copy of all your files, and it remembers how your system looked on any given day. Change Mac settings Looking for the Control Panel? Use System Preferences instead.

Many Mac keyboard combinations use the Command (⌘) key. Learn more keys and keyboard shortcuts. Cut Command-X Copy Command-C Paste Command-V

Undo Command-Z Print Command-P Close window Command-W

Switch apps Command-Tab Quit app Command-Q Forward delete Fn-Delete or

Find files Command–Space bar Force quit app Option-Command-Esc Take screenshot Shift-Command-3

If you’re not sure what something is called on the Mac, here’s a list of Windows and Mac terms to help you find what you’re looking for. Note: On a portable Mac, you must press and hold the Fn key before pressing the other keys of a shortcut; for example, press Fn-Control-F2. Windows term Mac term Use Alt key Option key To enter special characters, press and hold the Option key in combination with letter keys. For example, to enter é, press Option-E, then press the E key again. Alt key Control-F2 To use the keyboard to open menus in the menu bar at the top of the screen, press Control-F2, then use the arrow keys to select a menu. Press Return to open the selected menu, then use the arrow and Return keys again to choose menu options. Alt-Tab Command-Tab To switch between open apps, press Command-Tab. Release the keys when the app you want is selected. Alt-Tab Exposé To see all the open windows in the current app, press and hold its icon in the Dock. Release the trackpad or mouse when thumbnail images of the windows appear. To see another app’s windows, press Tab. Close button Close button To close a window, click the red button in the top-left corner of a window. Control key Command key To perform actions or shortcuts, use the Command key with keyboard combinations. For example, pressing Command-S usually saves a document or file. Control Panel System Preferences To select preferences such as your desktop background, choose Apple menu > System Preferences. Device Manager System Information System Information gives you detailed information about your Mac hardware and software. Choose Apple menu > About This Mac. Disk drive eject button Media Eject key To open and close the optical drive, press the Media Eject key ⏏ on your keyboard. To eject disks in other types of drives (or if your keyboard doesn’t have the Media Eject key), select the disk in the Finder, then choose File > Eject.

Exit Quit To exit from an app, choose Quit from the app menu. (The app menu is labeled with the app’s name; for example, Safari or Mail.) Flip 3D Mission Control To see all your open windows, press the Mission Control key (or use the Control Strip) or press Control-Up Arrow. To temporarily move all windows so you can see the desktop, press the Command and Mission Control keys at the same time. Gadgets Dashboard widgets Notification Center Today view Dashboard includes widgets to do things like take notes, monitor stocks, and show the weather. To open Dashboard, click the Launchpad icon in the Dock (or tap in the Control Strip). You can also get quick information in Today view in Notification Center. To open Notification Center, click its icon in the menu bar.

Microsoft Photo Editor Photos Use the Photos app to import your photos from your iOS device or camera, edit your photos, share your photos, and more. Mouse Mouse (one-button) If you have a one-button mouse and want to open a shortcuts menu, press and hold the Control key as you click. Mouse Magic Mouse, Mighty Mouse, or Apple Mouse If you have a Magic Mouse or other multiple-button mouse, you can customize the buttons by choosing Apple menu > System Preferences, then clicking Mouse. My Computer, This PC In the Finder, choose Go > Computer You see disks connected to your Mac, CDs and DVDs inserted in your optical disc drive, network volumes you’re connected to, and any disk partitions you have. My Documents, Documents folder Documents folder To store a document, use the Documents folder. To see your Documents folder, open a Finder window, then click Documents in the sidebar. My Pictures, Pictures folder Pictures folder The Pictures folder is located in your home folder. In the Finder, choose Go > Home. My Recent Documents Recent Items (in the Apple menu) As you open apps and files, their names are kept in the Recent Items list in the Apple menu. You can use Recent Items to quickly reopen apps and documents. Many apps include an Open Recent command in the File menu that lists documents you worked on recently. Network Connections Network preferences To configure network settings, choose Apple menu > System Preferences, then click Network. For help setting up or solving network problems, click “Assist me” in Network preferences. On-Screen Keyboard (OSK) Keyboard Viewer To open the Keyboard Viewer, in the menu bar click the Input menu (identified by the Show Emoji & Symbols icon or an input method character), then choose Show Keyboard Viewer. 
If you don’t see the menu, choose Apple menu > System Preferences, click Keyboard, click Keyboard, then select “Show keyboard and emoji viewers in menu bar.” Performance control panel Activity Monitor To see how your Mac is performing and which processes it’s running, open Activity Monitor (located in the Utilities folder in the Applications folder). Printers & scanners Printers & Scanners preferences To select and set up printers, choose Apple menu > System Preferences, then click Printers & Scanners. Print Screen Shift-Command-3 Shift-Command-4 To take a picture of the entire screen, press Shift-Command-3. To take a picture of part of the screen, press Shift-Command-4, then drag the pointer to select an area. Programs menu Launchpad For quick access to all your apps and utilities, click the Launchpad icon in the Dock (or tap in the Control Strip). Properties Get Info To see information about a file, folder, disk, server, or other item, select it in the Finder, then choose File > Get Info. In the Info window, you can set ownership and permissions for the item. For files, you can select the app that you want to open the file. Recycle Bin Trash (in the Dock) To delete files and folders, drag them to the Trash. To permanently delete the files, choose File > Empty Trash. Search Spotlight To find files, documents, apps, email, and other items, click the Spotlight icon in the menu bar, then enter a word or phrase. Many apps, such as the Finder, Mail, and Contacts, provide a search field in the toolbar where you can quickly search for items in the app. Shortcuts Alias To make an alias, select the file or app, then choose File > Make Alias. Snipping Tool Grab Use the Grab app (located in the Utilities folder in the Applications folder) to take pictures of a window, the screen, or a section of the screen. Standby Sleep (in the Apple menu) Sleep is a low-power mode. To put your computer to sleep, choose Apple menu > Sleep. 
Start menu and Task bar Dock Use the Dock to open your favorite apps, files, folders, and websites. By default, the Dock appears at the bottom of the screen. To add a file or folder to the Dock, drag it to the right of the Dock’s separator line. Start menu Spotlight To find files, email, and other items, click the Spotlight icon in the menu bar.

Status icons Status menus Status menus appear as icons in the right half of the menu bar. Use status menus to connect to a wireless network, check the battery status of your portable Mac, and more. Task Manager Activity Monitor To see how your Mac is performing and which processes it’s running, open Activity Monitor (located in the Utilities folder, which is in the Applications folder). Windows Explorer Finder To organize files, folders, and apps, use the Finder. To open a Finder window, click the desktop, then choose File > New Finder Window. Windows Media Player QuickTime Player iTunes To play movies and music, use QuickTime Player. To listen to music CDs, purchase music from the iTunes Store, and create your personal digital music library, use iTunes. Windows MovieMaker iMovie To download video from your digital video camera and create your own movies, use iMovie. Cortana Siri Ask Siri to do things like open files or apps, or find things on your Mac or on the Internet. You can easily keep your Siri results handy on your desktop or in Notification Center. To use Siri, click the Siri icon in the menu bar (or use the Touch Bar).
4. Assign to user: If the Mac is on the Orchard Fully Managed product choose the required Site and click 'Enroll'.
o Orchard for ITSS customers will not see the Site menu.
5. To continue with enrollment...: Click Continue to download and open the MDM profile.
6. Are you sure you want to install...: Click Continue to install the MDM profile.
7. Are you sure you want to install...: Check the details of the profile then click Install.
8. Profiles wants to make changes: Enter credentials for the admin account.
9. Profiles: Note the MDM profile is now Verified.
10. Profiles: The Privacy Preferences Policy profile should then install automatically.
11. Enrolment is now complete and Planting policies will start executing in the background.
Planting and software deployment
1. The Planting policies are triggered automatically after enrolment and will take around five minutes to complete. These configure security, binding, branding etc and install 'Orchard Software Centre' (munki) for software deployment.
o To follow the results of the Planting policies, run tail -f /var/log/jamf.log in a Terminal window.
2. Computer record: While waiting for the Planting policies to complete, sign into the Orchard JSS at https://jss.orchard.ox.ac.uk and find the new computer.
o Orchard Fully Managed administrators should correct the Site here if needed.
 
3. Computer record: In User & Location, check the user and correct it to the end-user's if necessary.
4. Computer record: In Purchasing, set the Billing Start Date to today's date. If you require an audit trail enter the support ticket/incident number in 'Commissioning: RT Reference'.
5. A restart is needed: Once the Planting policies are complete you will see this dialog. Click the 'Restart in 2 Minutes' button and wait for the Mac to automatically restart.
6. Orchard Software Centre: After the Mac restarts, the login screen should appear but be locked immediately. Orchard Software Centre should then automatically install Apple Software Updates followed by software titles. This may require one or more automated restarts.
o If the Mac is already FileVault encrypted then Orchard Software Centre may not automatically launch. Login as normal then launch Orchard Software Centre or log out.
 
7. Orchard Software Centre will close after all software is installed.
MacBooks only: Initiate FileVault encryption
If you are commissioning a MacBook it will receive a Configuration Profile to enable FileVault at login. Encryption will only proceed if the same admin account used for the above is the one to log in; it will not happen if any other account logs in.
Follow the encryption workflow for macOS 10.13 onwards on 'FileVault - Information for IT Support Staff', then return here to complete the remainder of the commissioning process.
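Review bot: The plain-text steps 4 to 11 at the end of this hunk stop at 'MacBooks only: Initiate FileVault encryption' and never reach the 'Confirm Configuration Profiles, restrict admin rights and hand over to user' section that the marked-up copy has, so a reader who follows this copy would hand the Mac over without checking profiles or removing extra administrator accounts. These steps also tell the reader to choose a Site and to enter credentials for "the admin account", neither of which matches the ladmin-based steps above. Either drop this pasted copy or bring it in line with the marked-up procedure.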

Commissioning a Mac for Orchard on macOS 10.13 onwards

Overview

This is the standard method of commissioning an Orchard Mac. The Mac needs an Orchard-supported version of macOS installed and is then enrolled via web browser to the Orchard JSS. A successful enrolment creates a computer record in the JSS and installs the 'jamf' management binary on the client.

This is automatically followed by the 'Planting' stage, which applies essential configuration for security, binding, branding etc. and installs the munki software deployment tools, including the Orchard Software Centre. Once Planting is complete the user is prompted to restart and Orchard Software Centre (munki) will deploy software.

For macOS 10.13 onwards the jamf binary is downloaded via MDM.

Prerequisites

  1. You have an account on the Orchard JSS with the privilege 'JSS Actions' --> 'Enrol Computers and Mobile Devices'.
  2. You have the credentials for an admin account on the Mac. All BSG Macs use 'ladmin' as the local admin account username. The Site Admin account, or 'sadmin', is installed automatically as part of enrolment.
  3. The Mac has been assigned a name based on the computer name list found on Live. The name must always have the 'bsg-' prefix. The only exception to this rule is for the AV Mac Minis.
  4. If it's a new device, print out a name label and stick it onto the back of the MacBook. Make a note of, or assign, an Asset Tag number and stick the corresponding sticker on the back as well.
  5. If the Mac has an Ethernet port, this needs to be put on the NAC under the 'User' VLAN.
  6. The Mac's storage has a single partition named 'Macintosh HD'.

Process

Prepare for enrolment

  1. Whether the Mac is fresh out of the box or a reinstallation, create an ladmin account as part of the Setup Assistant. You can use an easy password for this part of enrolment. You will need to set a complex password and record it in 1Password later.
  2. Log in to the Mac using this ladmin account if you have not already done so.
  3. In System Preferences --> Sharing, check the Computer Name has the bsg- prefix, e.g. bsg-Macbook. This will be the name used to create the Computer Record in the Orchard JSS. It will also be used to bind the Mac to the BSG Active Directory.
  4. Close all open documents and applications.

Enrol and prepare for Planting

  1. On the Mac to be commissioned, browse to https://jss.orchard.ox.ac.uk/enrol to start the enrolment process.
  2. Complete this process to add your Mac: Enter your JSS User Account credentials.
  3. Assign to user: Enter the end-user's SSO username (abcd1234), click the spyglass and wait for a tick or cross to appear.
    • If a cross appears, the user needs to be added to the JSS; first check whether an AD account has been created for them. If this is going to be a shared computer, enter your own SSO instead and click the spyglass again. You can then amend the user details in the JSS after enrolment has completed.
    • The user search relies on the Orchard JSS being bound to an Active Directory containing your users' data. If this has not been configured, leave the username field blank and set it in the Computer Record after enrolment.
  4. Assign to user: Once the tick has appeared click 'Enrol'.
  5. To continue with enrolment...: Click Continue to download and open the MDM profile.
  6. Are you sure you want to install...: Click Continue to install the MDM profile.
  7. Are you sure you want to install...: Check the details of the profile then click Install.
  8. Profiles wants to make changes: Enter credentials for the ladmin account.
  9. Profiles: Note the MDM profile is now Verified.
  10. Profiles: The Privacy Preferences Policy profile should then install automatically.
  11. Enrolment is now complete and Planting policies will start executing in the background.

Planting and software deployment

  1. The Planting policies are triggered automatically after enrolment and will take around five minutes to complete. These configure security, binding, branding etc. and install 'Orchard Software Centre' (munki) for software deployment.
    • To follow the results of the Planting policies, run tail -f /var/log/jamf.log in a Terminal window.
  2. Computer record: While waiting for the Planting policies to complete, sign into the Orchard JSS at https://jss.orchard.ox.ac.uk and find the new computer.
    • General: In General, edit the page and add an Asset Tag number based on the sticker you chose.
  3. Computer record: In User & Location, check the user and correct it to the end-user's if necessary.
  4. Computer record: In Purchasing, set the Billing Start Date to today's date. If you require an audit trail enter the support ticket/incident number in 'Commissioning: RT Reference'.
  5. A restart is needed: Once the Planting policies are complete you will see this dialog. Click the 'Restart in 2 Minutes' button and wait for the Mac to automatically restart.
  6. Orchard Software Centre: After the Mac restarts, the login screen should appear but be locked immediately. Orchard Software Centre should then automatically install Apple Software Updates followed by software titles. This may require one or more automated restarts.
    • If the Mac is already FileVault encrypted then Orchard Software Centre may not automatically launch. Log in as normal then launch Orchard Software Centre or log out.
  7. Orchard Software Centre will close after all software is installed.

MacBooks only: Initiate FileVault encryption

If you are commissioning a MacBook it will receive a Configuration Profile to enable FileVault at login. Encryption will only proceed if the same admin account used for the above is the one to log in; it will not happen if any other account logs in.

Follow the encryption workflow for macOS 10.13 onwards on 'FileVault - Information for IT Support Staff', then return here to complete the remainder of the commissioning process.

Confirm Configuration Profiles, restrict admin rights and hand over to user

  1. On the Mac, confirm in System Preferences --> Profiles that all the Configuration Profiles listed in the Mac's JSS Computer Record under Management have been installed.
  2. Restrict admin rights as appropriate:
    • It is a requirement of the Orchard Fully Managed product that all end-user accounts be Standard, not Admin. If the device is a desktop Mac, log in using 'orchard' credentials and delete any other administrator accounts in System Preferences --> Users & Groups. If the device is a laptop, create account ladmin/Local Administrator, then log in and ask the user to set a password, then remove any administrator accounts besides 'orchard' and 'ladmin'.
    • We recommend that Orchard For ITSS Macs also have only the minimum required Admin accounts.
  3. You should now be able to hand over the Mac to the user.

To troubleshoot issues, check the computer record in the JSS for failed policies (History --> Policy Logs), and check the Orchard Software Centre install log for failures at /var/log/munki/Install.log.
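An added example, not part of the original page or of the Orchard tooling: a shell check for two of the handover rules above, the bsg- computer name and the absence of administrator accounts besides 'orchard' and 'ladmin'. The function names and the ALLOWED_ADMINS variable are assumptions, and 'root' is on the allow-list because macOS places it in the admin group by default.

```shell
#!/bin/sh
# Added example: pre-handover audit of computer name and local admin accounts.
# ALLOWED_ADMINS is an assumption: 'orchard' and 'ladmin' come from the page,
# 'root' is included because macOS lists it in the admin group by default.
ALLOWED_ADMINS="root orchard ladmin"

# name_ok NAME -> exit 0 if NAME carries the required 'bsg-' prefix.
# The page exempts the AV Mac Minis; check those by hand.
name_ok() {
    case "$1" in
        bsg-?*) return 0 ;;
        *)      return 1 ;;
    esac
}

# unexpected_admins DSCL_LINE [ALLOWED]
# Prints the admin-group members that are not on the allow-list, space
# separated. DSCL_LINE is the one-line output of:
#   dscl . -read /Groups/admin GroupMembership
# Only direct local membership is checked, not nested or directory groups.
unexpected_admins() {
    members=${1#GroupMembership:}
    allowed=" ${2:-$ALLOWED_ADMINS} "
    extra=""
    for m in $members; do
        case "$allowed" in
            *" $m "*) ;;                          # on the allow-list
            *) extra="${extra:+$extra }$m" ;;     # should be Standard or removed
        esac
    done
    printf '%s\n' "$extra"
}

# audit NAME DSCL_LINE -> prints findings; returns 0 only if both checks pass.
audit() {
    rc=0
    if ! name_ok "$1"; then
        echo "FAIL computer name '$1' lacks the bsg- prefix"
        rc=1
    fi
    found=$(unexpected_admins "$2")
    if [ -n "$found" ]; then
        echo "FAIL unexpected admin accounts: $found"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK computer name and admin group match the handover rules"
    fi
    return "$rc"
}

# On a Mac, audit the live system; anywhere else, run a constructed sample.
if command -v dscl >/dev/null 2>&1 && command -v scutil >/dev/null 2>&1; then
    audit "$(scutil --get ComputerName)" \
          "$(dscl . -read /Groups/admin GroupMembership)" || true
else
    # Constructed sample: a laptop where the end user (abcd1234) is still admin.
    audit "bsg-Macbook" "GroupMembership: root ladmin orchard abcd1234" || true
fi
```

Run it in Terminal on the commissioned Mac just before handover; any FAIL line means the admin-rights or naming step above still needs doing.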

== Overview ==

This is the standard method of commissioning an Orchard Mac. The Mac needs an Orchard-supported version of macOS installed and is then enrolled via web browser to the Orchard JSS. A successful enrolment creates a computer record in the JSS and installs the 'jamf' management binary on the client.

This is automatically followed by the 'Planting' stage, which applies essential configuration for security, binding, branding etc. and installs the munki software deployment tools, including the Orchard Software Centre. Once Planting is complete the user is prompted to restart and Orchard Software Centre (munki) will deploy software.

For macOS 10.13 onwards the jamf binary is downloaded via MDM. The workflow is different for macOS 10.12 and earlier; see this page instead.

== Prerequisites ==

 1. You have an account on the Orchard JSS with the privilege 'JSS Actions' --> 'Enrol Computers and Mobile Devices'.
 2. You have the credentials for an admin account on the Mac. If the Mac is already in use and the end user currently has admin rights on their personal account, this should be reduced to a Standard account and a Local Admin ('ladmin') or Site Admin ('sadmin') be used for the commissioning process. All Orchard laptops currently require a ladmin account as laptop support is still in beta.
 3. The Mac has been registered for DNS with a valid hostname:
   * For Connect AD, review their latest Naming Scheme and request a hostname from the Desktop Services Team.
   * Units should use their own preference.
   * NSMS generically uses naming scheme unit-hostname.unit.ox.ac.uk e.g. obg-taxus.obg.ox.ac.uk.
 4. The Mac has been registered for DHCP, preferably having a fixed IP address.
 5. The Mac's storage has a single partition named 'Macintosh HD'.

== Process ==

=== Prepare for enrolment ===

 1. On the Mac to be commissioned, log in with an admin account named ladmin, sadmin or setupuser. If it's a fresh out of the box Mac then use one of these three names for the initial user created during Setup Assistant.
 2. In System Preferences --> Sharing, check the Computer Name is set to the first part of the DNS hostname, e.g. admn-dap1234dev. This will be the name used to create the Computer Record in the Orchard JSS. If configured it will also be used to bind the Mac to an Active Directory.
 3. Close all open documents and applications.

=== Enrol and prepare for Planting ===

 1. On the Mac to be commissioned, browse to https://jss.orchard.ox.ac.uk/enrol to start the enrolment process.
 2. Complete this process to add your Mac: Enter your JSS User Account credentials.
 3. Assign to user: enter the end-user's SSO username (abcd1234), click the spyglass and wait for a tick or cross to appear.
   * If a cross appears this means the user needs to be added to the JSS, which can be done later. Enter your own SSO instead and click the spyglass again.
   * The user search relies on the Orchard JSS being bound to an Active Directory containing your users' data. If this has not been configured, leave the username field blank and set it in the Computer Record after enrolment.

 4. Assign to user: If the Mac is on the Orchard Fully Managed product choose the required Site and click 'Enroll'.
   * Orchard for ITSS customers will not see the Site menu.
 5. To continue with enrollment...: Click Continue to download and open the MDM profile.
 6. Are you sure you want to install...: Click Continue to install the MDM profile.
 7. Are you sure you want to install...: Check the details of the profile then click Install.
 8. Profiles wants to make changes: Enter credentials for the admin account.
 9. Profiles: Note the MDM profile is now Verified.
 10. Profiles: The Privacy Preferences Policy profile should then install automatically.
 11. Enrolment is now complete and Planting policies will start executing in the background.

=== Planting and software deployment ===

 1. The Planting policies are triggered automatically after enrolment and will take around five minutes to complete. These configure security, binding, branding etc and install 'Orchard Software Centre' (munki) for software deployment.
   * To follow the results of the Planting policies, run tail -f /var/log/jamf.log in a Terminal window.
 2. Computer record: While waiting for the Planting policies to complete, sign into the Orchard JSS at https://jss.orchard.ox.ac.uk and find the new computer.
   * Orchard Fully Managed administrators should correct the Site here if needed.

 3. Computer record: In User & Location, check the user and correct it to the end-user's if necessary.
 4. Computer record: In Purchasing, set the Billing Start Date to today's date. If you require an audit trail, enter the support ticket/incident number in 'Commissioning: RT Reference'.
 5. A restart is needed: Once the Planting policies are complete you will see this dialog. Click the 'Restart in 2 Minutes' button and wait for the Mac to automatically restart.
 6. Orchard Software Centre: After the Mac restarts, the login screen should appear but be locked immediately. Orchard Software Centre should then automatically install Apple Software Updates followed by software titles. This may require one or more automated restarts.
   * If the Mac is already FileVault encrypted then Orchard Software Centre may not automatically launch. Log in as normal, then launch Orchard Software Centre or log out.

 7. Orchard Software Centre will close after all software is installed.

=== MacBooks only: Initiate FileVault encryption ===

If you are commissioning a MacBook it will receive a Configuration Profile to enable FileVault at login. Encryption will only proceed if the same admin account used for the above is the one to log in; it will not happen if any other account logs in.

Follow the encryption workflow for macOS 10.13 onwards on 'FileVault - Information for IT Support Staff', then return here to complete the remainder of the commissioning process.
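
The checks listed under Prerequisites and 'Prepare for enrolment' (commissioning account name, Computer Name against the DNS hostname, boot volume name) can be scripted and run in Terminal before browsing to the enrol page. The script below is an added example, not part of the Orchard documentation: the function names are hypothetical, and it checks only the name of the boot volume, not the number of partitions.

```shell
#!/bin/sh
# Pre-enrolment checks (added example; function names are hypothetical).

# The commissioning account must be one of the three names the page lists.
is_commissioning_account() {
    case "$1" in
        ladmin|sadmin|setupuser) return 0 ;;
        *) return 1 ;;
    esac
}

# The Computer Name must equal the first label of the DNS hostname,
# e.g. "obg-taxus" for "obg-taxus.obg.ox.ac.uk". Empty names never match.
name_matches_dns() {
    [ -n "$1" ] && [ "$1" = "${2%%.*}" ]
}

# The boot volume must be named exactly 'Macintosh HD'.
is_expected_volume() {
    [ "$1" = "Macintosh HD" ]
}

# Run all checks, report each failure, and return the number of failures.
# Arguments: account, computer name, DNS hostname, boot volume name.
preflight() {
    failures=0
    is_commissioning_account "$1" ||
        { echo "FAIL account: '$1' is not ladmin, sadmin or setupuser"; failures=$((failures + 1)); }
    name_matches_dns "$2" "$3" ||
        { echo "FAIL name: Computer Name '$2' is not the first part of '$3'"; failures=$((failures + 1)); }
    is_expected_volume "$4" ||
        { echo "FAIL volume: boot volume is '$4', expected 'Macintosh HD'"; failures=$((failures + 1)); }
    [ "$failures" -eq 0 ] && echo "OK: ready to enrol"
    return "$failures"
}

# On a Mac, gather the live values with the stock tools and run the checks.
# On any other system this section is skipped and only the functions are defined.
if command -v scutil >/dev/null 2>&1 && command -v diskutil >/dev/null 2>&1; then
    volume=$(diskutil info / | sed -n 's/^ *Volume Name: *//p')
    preflight "$(id -un)" "$(scutil --get ComputerName)" "$(hostname -f)" "$volume"
fi
```

The script exits with the number of failed checks, so a zero exit status means all three conditions hold for the account currently logged in.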