I help a lot of organizations integrate Macs into their one-to-one environments, and I’ve noticed a trend that just doesn’t make sense to me. Almost every admin I work with wants to do the same thing: erase the OS that Apple ships and lay down their own “clean” copy of the OS. But is this really a necessary step? In my mind, no. The OS that Apple ships is the latest, the build is compatible with the machine it’s on, and it’s ready to go. Why nuke and pave when you already have a clean, never-touched OS on the box? So what does a deployment look like in a post-imaging world? Here’s my take on it.
The release of version 9 of the Casper Suite brought one of my favorite features ever: the “enrollment complete” policy trigger. This does exactly what it sounds like. When a machine completes enrollment, it will run any policies on this trigger that have the machine in their scope. If anything is going to kill imaging, it’s this feature.
Imagine this workflow. The machine is shipped directly to the end user (save for maybe being asset tagged by IT before it hits the user’s hands). The user boots the machine for the first time and goes through Setup Assistant, creating their local account and setting the machine up the way they want it. Included in the box with the computer is a simple one-page instruction manual, telling the user to go to the JSS enrollment URL. The user then enrolls their own machine.
Wait, why would the user want to enroll their own machine? If you haven’t read my post on how to get your users excited about device management, it’s worth a read, but the basic idea is that you put everything your users want in Self Service. They’re not going to get very far without the software, printer access, and network settings they need.
So the user enrolls the machine, and the “enrollment complete” trigger kicks off the things that absolutely have to be on the computer (Flash, Java, printer drivers, etc.) and creates the IT department’s hidden admin account. Everything else the user can grab as needed from Self Service. Doesn’t that sound a lot easier than having to constantly refresh base OSs and NetBoot images every time there’s a hardware rev?