
Configuring a MicroMDM Imaging Setup

jenjac edited this page Jan 9, 2019 · 13 revisions

Setting up your micromdm server as described below creates a "set it and forget it" workflow for configuring your Apple devices out of the box, especially if you use the option in Apple School Manager to auto-assign devices to a particular MDM server.

1. Add a Bootstrap Package

To bootstrap management tools such as Munki, you have to upload the package to micromdm. Packages deployed using MDM must be signed. You can sign packages during upload if you have a valid signing identity installed on your technician computer.

  1. Upload a package using mdmctl
    mdmctl apply app -pkg ~/Downloads/munkitools-3.0.0.3333.pkg -sign "Developer ID Installer: name (myid)" -upload

    Point to your own bootstrap package for the "-pkg" parameter, and replace the "-sign" parameter value with your installed signing identity.
    You can omit the "-sign" parameter if your package is already signed.

2. Add Configuration Profiles

Configuration profiles needed during Munki bootstrap, or for other purposes can be uploaded as well.

  1. Upload a configuration profile using mdmctl
    mdmctl apply profiles -f /path/to/MunkiSettings.mobileconfig

3. Add an Auto Setup Admin Account User

You may want to create an Auto Setup Admin Account on all your clients with the same password. To do so, you will create an account and add it to a Blueprint. You can create a Blueprint in the next section.

  1. Get a user account template using mdmctl
    mdmctl apply users -template > ~/Documents/micromdm/admin.json

    This will create a template file at ~/Documents/micromdm/admin.json that you must edit to create the user.

  2. Fill in the template like the one below, putting in the values that you want to use, and save the file.

{
  "user_shortname": "admin",
  "user_longname": "Administrator",
  "hidden": false
}
  3. Apply the user to micromdm with a password using mdmctl
    mdmctl apply users -f ~/Documents/micromdm/admin.json -password password

    The value for the "-password" parameter will be the account password for the created admin account.

  4. After applying the user, the account information and password hash are stored in the micromdm database. The admin.json file on your technician machine is also rewritten with the same information. You don't have to keep the admin.json file at this point, but if you inspect it, it should look similar to this file generated using the password "password".

{
  "uuid": "e2fc5dbe-8d02-430f-82b6-f07b6f74bf1c",
  "udid": "",
  "user_id": "",
  "user_shortname": "admin",
  "user_longname": "Administrator",
  "auth_token": "",
  "password_hash": "(hash omitted)",
  "hidden": false
}

4. Add a Blueprint

To have micromdm perform the required tasks for an imaging-like setup when a device enrolls, you will have to set up a Blueprint.

  1. Get a blueprint template using mdmctl
    mdmctl apply blueprints -template > ~/Documents/micromdm/blueprint.json

    This will create a template file at ~/Documents/micromdm/blueprint.json that you must edit to create the blueprint.

  2. Fill in the template like the one below, putting in the values that you want to use, and save the file.

{
  "uuid": "1f10c27d-6d4b-4332-ad10-ec94d25b7f36",
  "name": "exampleName",
  "install_application_manifest_urls": [
    "https://your.server.url/repo/exampleAppManifest.plist"
  ],
  "profile_ids": [
    "com.example.my.profile"
  ],
  "user_uuids": [
    "your-admin-account-uuid"
  ],
  "skip_primary_setup_account_creation": true,
  "set_primary_setup_account_as_regular_user": false,
  "apply_at": [
    "Enroll"
  ]
}

Don't use the example template shown on this page directly. Always generate a template using the command in step one. Generating a template creates a new Blueprint uuid automatically and fills your own server URL into the "install_application_manifest_urls" example.

  3. Edit the "name" item.
  4. Edit the "install_application_manifest_urls" item to include the path to the manifest for the bootstrap package you uploaded in the "Add a Bootstrap Package" section. If you can't remember the path, you can list it with this command:
    mdmctl get apps
  5. Edit the "profile_ids" item to include the ids of any configuration profiles needed during bootstrap that you uploaded in the "Add Configuration Profiles" section. If you don't want to apply any profiles, make the value an empty array: "profile_ids": [].
    If you don't know the ids, you can view them using this command:
    mdmctl get profiles
  6. Edit the "user_uuids" item to include the uuids of any admin users that you created in the "Add an Auto Setup Admin Account User" section. If you don't want to apply any users, make the value an empty array: "user_uuids": [].
    If you don't know the uuids, you can view them using this command:
    mdmctl get users
  7. Set the "primary_setup_account" values as needed.
    Setting "skip_primary_setup_account_creation" to true skips the user account setup screen in Setup Assistant, for example so that users log in with a directory account instead of a local one.
    Setting "set_primary_setup_account_as_regular_user" to true keeps the user account setup screen in Setup Assistant, but the account created there will be a standard user rather than an administrator.
  8. Make sure the file is saved, and upload the Blueprint to micromdm using mdmctl
    mdmctl apply blueprints -f ~/Documents/micromdm/blueprint.json
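Before uploading, it is worth checking that the Blueprint only references things micromdm already knows about and does not leave the Mac without an admin account. The following pre-flight check is an added example, not part of micromdm or this wiki; it uses constructed admin.json and blueprint.json contents with made-up uuids, and takes the known profile ids and user uuids as sets (in practice you would fill those from "mdmctl get profiles" and "mdmctl get users").

```python
import json
from urllib.parse import urlparse

# Constructed stand-ins for ~/Documents/micromdm/admin.json (as rewritten by
# "mdmctl apply users") and blueprint.json; the uuids are made up for this example.
ADMIN_JSON = '{"uuid": "e2fc5dbe-8d02-430f-82b6-f07b6f74bf1c", "user_shortname": "admin"}'
BLUEPRINT_JSON = """{
  "uuid": "1f10c27d-6d4b-4332-ad10-ec94d25b7f36",
  "name": "exampleName",
  "install_application_manifest_urls": ["http://your.server.url/repo/exampleAppManifest.plist"],
  "profile_ids": ["com.example.my.profile"],
  "user_uuids": ["your-admin-account-uuid"],
  "skip_primary_setup_account_creation": true,
  "set_primary_setup_account_as_regular_user": false,
  "apply_at": ["Enroll"]
}"""


def check_blueprint(blueprint, known_user_uuids, known_profile_ids):
    """Return a list of problems that would make the Blueprint fail or misbehave at enrollment."""
    problems = []
    # The client fetches the manifest itself; over plain http it could be altered in
    # transit even though the package it points at is signed.
    for url in blueprint.get("install_application_manifest_urls", []):
        if urlparse(url).scheme != "https":
            problems.append(f"manifest URL is not https: {url}")
    # Every id must refer to something already uploaded to micromdm.
    for pid in blueprint.get("profile_ids", []):
        if pid not in known_profile_ids:
            problems.append(f"profile id not uploaded: {pid}")
    user_uuids = blueprint.get("user_uuids", [])
    for uuid in user_uuids:
        if uuid not in known_user_uuids:
            problems.append(f"user uuid not found: {uuid}")
    # Skipping the Setup Assistant account screen without an MDM-created admin
    # leaves the Mac with no local administrator account.
    if blueprint.get("skip_primary_setup_account_creation") and not user_uuids:
        problems.append("skip_primary_setup_account_creation is true but user_uuids is empty")
    return problems


def preflight_blueprint_sample():
    """Run the checks against the constructed files above."""
    admin = json.loads(ADMIN_JSON)
    return check_blueprint(json.loads(BLUEPRINT_JSON), {admin["uuid"]}, {"com.example.my.profile"})


if __name__ == "__main__":
    for problem in preflight_blueprint_sample():
        print("BLUEPRINT:", problem)
```

The sample reports the plain-http manifest URL and the placeholder user uuid left over from the template; both must be fixed before "mdmctl apply blueprints" will do anything useful.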

5. Add a DEP Profile

To get your clients to enroll with your micromdm server at activation, you will have to set up a DEP profile.

  1. Get a DEP profile template using mdmctl
    mdmctl apply dep-profiles -template > ~/Documents/micromdm/dep.json

    This will create a template file at ~/Documents/micromdm/dep.json that you must edit to create the DEP profile.

  2. Fill in the template like the one below, putting in the values that you want to use, and save the file.

{
  "profile_name": "(Required) Human readable name",
  "url": "https://mymdm.example.org/mdm/enroll",
  "allow_pairing": true,
  "is_supervised": false,
  "is_multi_user": false,
  "is_mandatory": false,
  "await_device_configured": false,
  "is_mdm_removable": true,
  "support_phone_number": "(Optional) +1 408 555 1010",
  "support_email_address": "(Optional) support@example.com",
  "org_magic": "(Optional)",
  "anchor_certs": [],
  "supervising_host_certs": [],
  "skip_setup_items": ["AppleID","Biometric","Diagnostics","DisplayTone","Location","Passcode","Payment","Privacy","Restore","SIMSetup","Siri","TOS","Zoom","Android","HomeButtonSensitivity","iMessageAndFaceTime","OnBoarding","ScreenTime","SoftwareUpdate","WatchMigration","Appearance","FileVault","iCloudDiagnostics","iCloudStorage","Registration","ScreenSaver","TapToSetup","TVHomeScreenSync","TVProviderSignIn","TVRoom"],
  "department": "(Optional) support@example.com",
  "devices": []
}

The parameters should be familiar to those who have worked with MDM before. For a more detailed explanation refer to the MDM Protocol Reference.

The protocol reference document lists the options for "skip_setup_items" as Apple makes them available. The example above includes all of the options available at the time of writing, so applying a profile with that list would skip every setup screen. Options that don't apply to a particular type of device are ignored by the device.

  1. Make sure the file is saved, and upload the DEP profile to micromdm using mdmctl
    mdmctl apply dep-profiles -f ~/Documents/micromdm/dep.json
    IMPORTANT: Take note of the output after importing the profile. It should look something like this:
    Defined DEP Profile with UUID 02E61ACD1BA06171ED25AAC1ED02F672
    You will use the UUID in the next section.
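Two mistakes are easy to make with the generated dep.json: leaving the "(Required)"/"(Optional)" placeholder strings in place, and keeping the template's permissive flags, which let a user decline or remove management on a device that was supposed to be set up hands-off. The check below is an added example, not micromdm's own code; it runs against a constructed dep.json, and the known "skip_setup_items" values are the ones listed in the template above.

```python
import json
from urllib.parse import urlparse

# All "skip_setup_items" values from the DEP profile template above.
KNOWN_SKIP_ITEMS = {
    "AppleID", "Biometric", "Diagnostics", "DisplayTone", "Location", "Passcode", "Payment",
    "Privacy", "Restore", "SIMSetup", "Siri", "TOS", "Zoom", "Android", "HomeButtonSensitivity",
    "iMessageAndFaceTime", "OnBoarding", "ScreenTime", "SoftwareUpdate", "WatchMigration",
    "Appearance", "FileVault", "iCloudDiagnostics", "iCloudStorage", "Registration",
    "ScreenSaver", "TapToSetup", "TVHomeScreenSync", "TVProviderSignIn", "TVRoom",
}

# Constructed dep.json with typical mistakes: template placeholders left in place,
# a plain-http enrollment URL, a misspelled skip item and the template's weak flags.
DEP_JSON = """{
  "profile_name": "(Required) Human readable name",
  "url": "http://mymdm.example.org/mdm/enroll",
  "is_supervised": false, "is_mandatory": false,
  "await_device_configured": false, "is_mdm_removable": true,
  "support_email_address": "(Optional) support@example.com",
  "skip_setup_items": ["AppleID", "Filevault"],
  "devices": []
}"""

# Flags a set-and-forget fleet normally wants: enrollment cannot be declined or
# removed, the device is supervised, and it stays in Setup Assistant until the
# MDM server sends DeviceConfigured (that is, after the Blueprint has run).
HARDENED_FLAGS = {"is_mandatory": True, "is_supervised": True,
                  "is_mdm_removable": False, "await_device_configured": True}


def check_dep_profile(profile):
    """Return (severity, message) findings for a micromdm DEP profile dict."""
    findings = []
    for key, value in profile.items():
        if isinstance(value, str) and value.startswith(("(Required)", "(Optional)")):
            findings.append(("error", f"{key} still holds the template placeholder"))
    url = profile.get("url", "")
    if urlparse(url).scheme != "https":
        findings.append(("error", f"enrollment url must be https: {url}"))
    for item in profile.get("skip_setup_items", []):
        if item not in KNOWN_SKIP_ITEMS:  # values are case-sensitive on the device
            findings.append(("error", f"unknown skip_setup_items value: {item}"))
    for key, wanted in HARDENED_FLAGS.items():
        if profile.get(key) is not wanted:
            findings.append(("warning", f"{key} should be {str(wanted).lower()}"))
    return findings


def preflight_dep_sample():
    return check_dep_profile(json.loads(DEP_JSON))
```

Errors must be fixed before "mdmctl apply dep-profiles"; the warnings are judgement calls, but each one you leave in place is a way for a device to end up outside management.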

6. Add a DEP AutoAssigner

A key component of the "set it and forget it" scenario is the DEP AutoAssigner. It configures micromdm to assign a DEP profile automatically to devices newly assigned to the server. Combined with the Apple School Manager feature that auto-assigns devices to a particular MDM, the DEP AutoAssigner lets newly acquired devices enroll and be configured the way you want without changing another setting from this point on.

  1. Set the auto assigner using mdmctl
    mdmctl apply dep-autoassigner -filter='*' -uuid=UNIQUEID

    UNIQUEID is the UUID of the DEP profile applied in the previous section.


Now that your server is set up, you will want to assign a device for testing. Instructions are in the next section: Assigning a Test Device
