This article outlines the ideal way to deploy a new Mac or repurpose/redeploy an existing one to a new user. We also discuss what can go wrong and how to recover from the unexpected.
Assumptions
Most of these assumptions can be verified in the client's Addigy or Apple sidebar of ITGlue/MyGlue.
- The client works with Ntiva to build a Proposal or Recommended System at ecommerce.apple.com.
- The client purchases using their Apple Custom Store for Business at ecommerce.apple.com.
- The client has an Apple Business Manager account at business.apple.com.
- The client works with us to configure Addigy Identity to leverage Microsoft, Google, or Okta for authentication.
- Online accounts for the new user are created before unboxing — especially email (Microsoft or Google).
- The client is using macOS Monterey or later on a Mac with Apple silicon or a Mac with the Apple T2 Security Chip.
Overview
New Mac
- If this is for a new hire, the client's HR team contacts Ntiva to schedule the creation of online accounts and confirms details of the new Mac.
- The client purchases the new Mac at ecommerce.apple.com and ships it directly to the user.
- The user unboxes their Mac and logs in using their email credentials and 2FA.
- Following the first login, pre-approved software and security profiles are automatically installed. Additional software is available via MacManage.
- Employees use SupportMenu to contact Ntiva if they have questions or need support.
Existing Mac
- If this is for a new hire, the client's HR team contacts Ntiva to schedule the creation of online accounts and confirms which existing Mac the new employee will use.
- Ntiva schedules a date to erase all content and settings on the agreed-upon Mac.
- The user receives the Mac and logs in using their email credentials and 2FA.
- Following the first login, pre-approved software and security profiles are automatically installed. Additional software is available via MacManage.
- Employees use SupportMenu to contact Ntiva if they have questions or need support.
Deployment Details
Ntiva uses Apple's Automated Device Enrollment (ADE) to deploy Macs. ADE is commonly referred to as "Zero Touch" because IT is not required to touch the device physically. ADE allows clients to deliver new Macs directly to their team so they can have the Apple unboxing experience. ADE also allows existing Macs to be reset using the erase all content and settings feature so a repurposed Mac can feel new.
Verifying that a newly purchased Mac is ADE-ready is possible by checking Apple Business Manager (ABM) a few days after the purchase and before the unboxing. If the device is listed in ABM as preconfigured for Ntiva's Addigy MDM Server, it's ready for ADE (see screenshot below).
A newly unboxed, ADE-ready Mac will automatically enroll in Ntiva's mobile device management system within minutes. It may take another hour for it to appear in Vision-Bot.
Unboxing a New Mac
Ideally, new hires perform the unboxing. Allowing employees to unbox their equipment is much more satisfying than receiving an opened box. Plus, the unboxing fosters a sense of ownership that often leads to users treating the machines with greater care. Remember, for the best results, the unboxed Mac should be plugged into power and have a solid network connection (Wi-Fi or Ethernet).
Preparing an Existing Mac
If an existing Mac is being repurposed, we recommend clients contact Ntiva to schedule a time to erase the Mac and restore it to factory settings (EACS). The EACS process will destroy all data and decrypt the Mac. Just like a new Mac, only the base operating system will remain.
What To Expect
Setup Assistant
We recommend taking full advantage of the time and money Apple invests in perfecting their Mac setup instructions. However, skipping any or all of the Setup Assistant panes is possible with an ADE-enrolled Mac. When a pane is skipped, the more privacy-preserving setting is used. Our default recommendations are listed below.
Important: Unless we also permanently restrict these features using our MDM solution, users can still configure any skipped setting (left at its default value during setup) after the Mac is set up.
- Privacy [Skip]
- Location Services
- Siri
- Apple ID [Skip]
- Terms and Conditions [Skip]
- App Analytics [Skip]
- FaceID/TouchID
- True Tone Display [Skip]
- Choose Your Look
- Setup New or Restore [Skip]
- Apple Pay [Skip]
- Screen Time [Skip]
- iCloud Desktop and Document [Skip]
- iCloud Diagnostics [Skip]
- FileVault
- Registration [Skip]
- Unlock Your Mac with Your Apple Watch [Skip]
Mac Account
We recommend using Addigy Identity with Microsoft, Google, or Okta, so the user will be asked to enter their email address and password to create the first Mac account. If Addigy Identity is not configured or does not work as expected (it can happen), Apple Setup Assistant will prompt the user to create an account.
TIP: We have seen Addigy Identity not trigger fast enough during the initial unboxing. When this happens, the user will be prompted for their Microsoft, Google, or Okta credentials during the next restart, and they will be asked to Sync to a user account. They should select the initial account they created and continue.
First Login
Once the user is logged in, we recommend they open the built-in Safari browser to check email and enable their online accounts while MDM continues to install software and apply settings.
Automation Policies
Below are a few examples of the software we often install immediately upon unboxing. Upon the first launch of these apps, users will be prompted to enter their email, password, and two-factor authentication.
Every Organization Gets:
- Endpoint Protection
- Security Profiles
If Email is Hosted at Microsoft
- Microsoft Suite (Word, Excel, PowerPoint, and Outlook)
- Microsoft Edge
- Microsoft OneDrive
- Microsoft Teams
If Email is Hosted at Google
- Google Chrome
- Google Drive
- Slack
TIP: The time it takes for a Mac to be ready for use is determined by the user's internet speed and the number of automations. For example, a slow internet connection could take several minutes to download the Microsoft Office suite, which is over 8GB (Word, Excel, PowerPoint, and Outlook).
Permission Prompts
During initial setup, it's common to see several prompts asking the user to approve updates or security and privacy settings. These should be read and responded to accordingly. We try to pre-approve and configure as much as possible. However, Apple's reliance on user approval for transparency in communication means there will be several prompts to address when setting up a new Mac. FileVault and Nudge are two common prompts that should not be ignored.
Ask For Help
Users who need anything beyond what is configured for automation can turn to MacManage for manual installations or request support from our service desk.
Problems?
Once everything listed in the Assumptions section is complete, setting up new Macs is often smooth and consistent. And with all this automation, what could go wrong? Unless a client sets up new devices every day, a lot may have changed since the last time they unboxed a Mac. A week (often a day) doesn't go by without changes such as new macOS updates, Microsoft or Adobe patches, security fixes, or router/firewall/Internet/wireless/certificate changes. Even seemingly minor changes can contribute to unexpected results. It's okay if something doesn't work as expected. There's always a way forward. A Mac can be enrolled into management, and software can be deployed in various ways.
- Manual enrollment links can be found in the client's Addigy sidebar of ITGlue/MyGlue. If Automated Device Enrollment is not set up or fails, Macs should be manually enrolled using these custom links (and only these links). Enrollment instruction links are at the bottom-right of every Vision-Bot page.
- Automated software deployment or self-service installation via MacManage is preferred over manually downloading the software directly from the internet or the App Store. The software we build is preconfigured and tested to work in client environments with fewer prompts and no Apple IDs. Our pre-approved software is more secure and easier to deploy, update, support, and remove. If a client wants additional software options, ask them to send a request to our service desk.
- The Mac's internet connection (or lack of one) is a common contributor to setup issues. If the connection is too slow or the user didn't connect to Wi-Fi or Ethernet during setup, then the automation will not work as expected, or it will work slowly. The user may become impatient and start manually installing software, leading to additional prompts to click through and apps being misconfigured.
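When setup does not go as expected, it helps to confirm on the Mac itself whether it enrolled through ADE or through a manual link, and whether FileVault was turned on. The script below is an added example, not Ntiva's or Addigy's own tooling; it parses the output of the macOS `profiles status -type enrollment` and `fdesetup status` commands, and falls back to constructed sample output (with a placeholder server URL) when it is not run on a Mac.

```shell
#!/bin/sh
# Classify MDM enrollment from `profiles status -type enrollment` output.
# Prints one of: ade | manual-approved | manual-unapproved | not-enrolled
enrollment_state() {
    dep=$(printf '%s\n' "$1" | sed -n 's/^ *Enrolled via DEP: *//p')
    mdm=$(printf '%s\n' "$1" | sed -n 's/^ *MDM enrollment: *//p')
    case "$mdm" in
        Yes*) ;;                                  # enrolled in some form
        *) echo "not-enrolled"; return 0 ;;
    esac
    if [ "$dep" = "Yes" ]; then
        echo "ade"                                # Automated Device Enrollment
    elif printf '%s' "$mdm" | grep -q 'User Approved'; then
        echo "manual-approved"                    # manual link, approved by user
    else
        echo "manual-unapproved"                  # enrolled, approval still pending
    fi
}

# Read FileVault state from `fdesetup status` output. Prints: on | off | unknown
filevault_state() {
    case "$1" in
        *"FileVault is On"*)  echo "on" ;;
        *"FileVault is Off"*) echo "off" ;;
        *)                    echo "unknown" ;;
    esac
}

# Constructed sample output (not from a real device), used off-Mac.
SAMPLE_ENROLL='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)
MDM server: https://mdm.example.invalid/mdm'
SAMPLE_FV='FileVault is Off.'

if command -v profiles >/dev/null 2>&1 && command -v fdesetup >/dev/null 2>&1; then
    enroll_out=$(profiles status -type enrollment 2>/dev/null || true)
    fv_out=$(fdesetup status 2>/dev/null || true)
else
    enroll_out=$SAMPLE_ENROLL
    fv_out=$SAMPLE_FV
fi

echo "enrollment: $(enrollment_state "$enroll_out")"
echo "filevault:  $(filevault_state "$fv_out")"
```

A result of `manual-approved` on a Mac that was expected to enroll through ADE, or `off` for FileVault after the first login, is worth reporting to the service desk.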
In all cases, please direct users to our service desk if something is not as they expect. We always prefer to hear from clients so we can make adjustments and automate as much as possible for a more seamless unboxing of the next Mac.