macOS Setup Lite
macOS Build Guide
Table of Contents
- First Boot
- Assigning a User in MDM
- macOS Desktop
- Create User Account
- System Updates
- Install Enterprise Apps
- Log Into Microsoft Apps
- Log into Zoom
- Additional Applications
- Reset the MDM Policy
- Update Asset Explorer
This guide assumes that the Mac you're setting up is already enrolled in the DEP program and thus will automatically enroll into our MDM. If it isn't, please consult the Manual MDM enrollment guide.
First Boot
Upon first boot, the Mac will go through the Setup Assistant process. Select the desired region, language, and Internet connection. After connecting to a network with an Internet connection, the Mac should check in with the MDM server and pull the selected policies.
Skip Migration Assistant and create a local administrator account with the username Administrator and the password H3ifer2810!.
Enabling location services is optional but is recommended to automatically set the appropriate time zone.
After selecting your location preference, the Mac should exit Setup Assistant and proceed to the macOS Desktop.
Assigning a User in MDM
For the Mac to download applications, it must have a user assigned to it in MaaS. Navigate to the MaaS 360 website, locate the Mac using its serial number, and click it. You should be presented with the device's page. To assign a user, click More in the top right and then Assign User.
Type the user that is intended for this system and set the policy to No Restrictions so that system updates may be installed. Finally, click Continue.
macOS Desktop
By now, the Mac should be presenting you with MaaS 360 prompts. Answer all of them in the affirmative, then reboot the computer.
Upon rebooting, you should be greeted with a new login screen. Enter the username: Administrator and password: H3ifer2810!.
Once logged in, a new icon should be present in the menu bar in the top right. Click it and then click the refresh button to force the MDM to install the App Catalog.
After clicking Refresh, you should be prompted again to allow the App Catalog access. Again, answer in the affirmative.
This should begin installation of the App Catalog, followed by the core Microsoft apps. Once installed, the App Catalog should be present in the Applications folder, where you can view the available and currently installed applications.
Create User Account
Next, we'll be creating a local administrator user account for the intended user. Open System Preferences, click Users and Groups, and create an Administrator user account for the intended user. A temporary password should have been generated for the user when first coordinating the upgrade. If this is a new hire, a temporary password should be defined in the employee's welcome letter.
System Updates
Open System Preferences and click Software Update. If the option is greyed out, navigate back to the MaaS admin portal and change the policy to the unrestricted one.
Install Enterprise Apps
Log out of the Administrator account and log in to the newly created user account.
Download the Applications Bundle
A zip file will be provided here. Save it to a local folder on the Mac.
Run the Mac Naming Script and assign the system an appropriate name. The name will be in the format Username-Suffix. The suffix of the name will depend on the work environment of the user. Users who will primarily be working from HQ will receive the MHQ suffix. All others will receive MRG as their suffix. Reboot the Mac after renaming.
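One way to script the naming rule above, as an added example; this is not the organization's Mac Naming Script. The hq/other keywords, the function names, the DRY_RUN variable and the sample username jdoe are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: builds a Username-Suffix name and applies it to the three
# macOS name settings. Not the organization's own naming script.

# Map the user's work environment to the suffix given in this guide.
# The "hq" / "other" keywords are assumptions made for this example.
suffix_for() {
    case "$1" in
        hq)    echo "MHQ" ;;
        other) echo "MRG" ;;
        *)     echo "unknown work environment: $1" >&2; return 1 ;;
    esac
}

# Build and validate the name. Only letters, digits and hyphens are accepted
# so the same string is valid as a hostname label (at most 63 characters).
# Usernames containing dots or spaces are rejected rather than rewritten.
build_mac_name() {
    user=$1
    suffix=$(suffix_for "$2") || return 1
    case "$user" in
        ""|-*|*[!A-Za-z0-9-]*)
            echo "invalid username for a hostname: '$user'" >&2; return 1 ;;
    esac
    name="$user-$suffix"
    if [ "${#name}" -gt 63 ]; then
        echo "name longer than 63 characters: $name" >&2; return 1
    fi
    echo "$name"
}

# Apply the name with scutil (run as root on the Mac).
# DRY_RUN=1 prints the commands instead of running them.
apply_mac_name() {
    name=$(build_mac_name "$1" "$2") || return 1
    for key in ComputerName LocalHostName HostName; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "scutil --set $key $name"
        else
            scutil --set "$key" "$name" || return 1
        fi
    done
}

# Example: DRY_RUN=1 apply_mac_name jdoe hq
```

Setting ComputerName, LocalHostName and HostName together keeps the name shown in Sharing, the Bonjour name and the shell hostname consistent, which makes the Mac easier to match against its MDM and asset records.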
After logging in to the new account, we'll need to launch MaaS once to enable it for the account. Perform a Spotlight search by hitting "Command + Space Bar" and type maas. Click MaaS360 Messages to launch it.
After installing Bomgar, additional permissions need to be granted to allow screen sharing. Open System Preferences, navigate to Security & Privacy, unlock administrator access, scroll to Screen Recording, and grant access to Remote Support Customer Client.
Initiate a remote session with the Mac to grant the remaining permissions. There should be an entry under Accessibility and Full Disk Access.
After installing FortiClient, open the FortiClient console and verify that it is connected to the EMS. If not, enter the URL FCEMS.heifer.org in the EMS IP field and click Connect.
Install the rest of the apps in the Application bundle and grant their permissions when requested.
Log Into Microsoft Apps
Core Office Apps
Sign in to one of the core Microsoft Office apps (e.g., Word, Outlook, Excel, PowerPoint) with the intended user's credentials. Outlook is recommended so that you can also log into the user's mail.
Next, we'll log into OneDrive. Assuming you've already logged into a core MS Office app, as outlined in the previous step, it should allow you to bypass the password. When asked where to put the OneDrive folder, use the default location in the user's home folder.
The last of the MS apps is Teams. Launch it and log in as you did in previous steps.
Log into Zoom
Open the Zoom app, click Sign In, then SSO. For the URL prefix, enter Heifer, click Continue, and enter the user's credentials at the Federation login.
Additional Applications
Depending on the user's role, they may need additional applications that aren't a part of the Application bundle, e.g., the Adobe Creative Suite, Visio, etc. Check with the user or their NAF to see if any additional applications are needed.
Reset the MDM Policy
Once you've completed the preceding steps, the system is almost ready to give to the user. Before doing so, we'll need to reset the policy back to the restricted one. Navigate back to the MaaS360 admin portal, search for the SN of the Mac again, click More, and click Change Policy.
Select the Heifer Mac OS Policy V1 and click Submit.
Update Asset Explorer
Assign the Mac to the intended user in Asset Explorer. This will also set the system's status to in use if it has not already been set.
The system is now ready for delivery to the end user. If the steps were followed, the user's account will be set up using a temporary password. It is recommended to include a printout about how to change the user's local account password when shipping or dropping off the system. Alternatively, a remote session can be performed to assist the user with doing this.