Staff Mac Device Deployment Guide
2023/2024
Joshua Scott
IT Services
End-User Computing Team
- Go to https://jamf1.rgu.ac.uk:8443
- Login with your delegated Admin user account.
- Select Computers > PreStage Enrollments – then select the correct PreStage Enrollment for the Mac.
(e.g. If we are setting up a Mac for a member of staff in Grays School of Art, the correct PreStage Enrollment would be ‘RGU – GSA Staff Macs’)
- Once you have opened the correct PreStage Enrollment select Scope (next to Options), then click on Edit in the bottom right-hand corner.
- In the search bar at the top left, input the serial number of the Mac.
- Once the correct device is found check the box for the Mac and click Save in the bottom right corner of the screen.
Note: The Mac has now been added to a PreStage Enrollment group which allows for automated configuration of the device. This can take up to 1 hour for the Mac to pick up the configuration.
The device at this point can be handed over to the user. They will need to be provided the ‘RGU user guide’ to run through initial setup of their new Mac device. The steps on the following page will need to be followed by IT/AV and Helpdesk once the device has been handed off to the user.
IMPORTANT! The primary user of the device should always be the first person to log into a Mac after it has been reset otherwise it breaks the secureToken workflow and prevents the device from encrypting via FileVault and won't allow the user to update the OS because their profile doesn't have a secureToken. If you log into the device with a local administrator account or with your own account before the primary user, you will need to reset the device again to correct this.
User Details & Asset Inventory
Please ensure you are detailing in full the user details in the User and Location section within the device record for a staff device that is being deployed. This needs to be detailed to ensure we know who the device belongs to and will allow us to retain an inventory. The device record should have full user and location details as noted below. The position NEEDS to be set to 'STAFF' in order to see the required applications. See how record should look for staff device in image below.
Please Note - Where there is perhaps not a correct department or building to be assigned to the user please complete the rest of the details and raise a ticket to the Systems support queue on FreshService and a new department or building can be created when requested and assigned to the device.
FileVault Encryption
Once the device has been given to the user you need to confirm that the user has followed the guidance provided here and configured their device -
As part of this configuration FileVault is run and the user is prompted to logout to enable it. This required to encrypt the drive to secure the users data and provide a seamless single login for the user without having to authenticate via Azure every time they log into their macOS device.
You can confirm the device has been Encrypted and that the Personal Recovery Key has been reported back to the Jamf Server. See below example of Jamf record for an encrypted device. This needs to be confirmed before closing off any Tickets raised on FreshService. Device that are not encrypted will be flagged and a ticket will be raised and assigned to the relevant team to follow up with the user to action the device encryption.