One of the major challenges with MacOS is that DEP is nice, but still requires significant user interaction. With the release of Catalina, things have become a bit easier. VMware Workspace ONE has elevated this to a new level with Workspace ONE UEM 1912 and rotating admin account credentials, delivering stronger security posture. Lets get started and show how we make the magic happen.

Building the DEP Profile to Deliver the Experience

Enhancing your DEP experience is not a huge undertaking. Typically, it means you need to make a few changes and validate that it makes sense with your environment. My design expects you are using Apple Enterprise Connect, which you SHOULD be doing if you care about Macs and your users. I will walk you through the changes that you need to make on your DEP profile for Workspace ONE. If you arent doing it already, make sure your Macs and iPhone/iPads are on separate DEP profiles as a good best practice.

First, you need to make sure that Await Configuration is enabled

Next, you configure the account type as you see below. There are a few features that require Catalina, such as passing the User Name and Full Name to standard account creation. If you arent on Catalina, you may need to configure the standard user account, which is not a huge deal. If you notice what I did here, I set the Mac users display name to be their first and last name and setting their user name as their AD username.

The last part is configuring the admin account, which I setup as sysadmin for testing purposes along with setting the Full Name for it. Additionally, you enable Unique Random Password and set it to be Hidden to complete the configuration. Once done, you will click Save

Walking Through the Users Out of Box Experience

One thing to point out, if the Mac has ever been powered on before, you will need to erase the disk and reinstall the OS for it to pickup the new DEP configuration. Its a 30-minute annoyance, but thats the way things go most times. Now we can walk through the out of box experience for our new DEP setup.

Starting off on boot, you will see your typical screen to get started. You click continue to get started!

From there, you connect to a network (wired or wireless) to kick things off and start your DEPerizing!

Your Mac picks up on your DEP configuration and you put in your Active Directory credentials to start the enrollment. Simply click Continue, input your credentials, and click Connect

You will see that your Mac starts installing profiles, completing enrollment tasks, and gets your Mac ready

Depending on how you set things up, you will go through the setup wizard at this point. Personally, I like showing Data Privacy and helping people setup location services. Its totally up to you obviously, but Ill show you what mine looks like.

I find that showing Data & Privacy builds confidence with your users, which is becoming huge today as many of you know.

Location Services is very helpful especially with Apple as many of their features rely on time services, like Microsoft. When things are off, everything starts to crumble..

Using Set time zone automatically using current location makes it simple and does the hard work for you.

Once thats done, youre good to go! Its beautiful as now youre at the login screen

Using VMWare Workspace ONEs new Rotating Admin Credentials on MacOS

Many of us have been very excited about the new rotating admin credentials, which have become popular with many great platforms like CyberArk. So many IT organizations are using the same account with the same password, which never expires and its a poopshow. YES I SAID POOPSHOW!

Simply, open the device in AirWatch and click the Security tab.

You will notice the new Managed Admin User section where you can click the View Admin Password button. But does it work?!

Now you have access to the password like getting an encryption key out of the console. This password will rotate every 8 hours on THAT Mac. You have been able to increase your security posture and deliver an amazing experience now to your users and ship Macs to them directly.

The added bonus to accentuate the user experience is the ability to give someone remote admin credentials to install an application without worrying they will have admin access forever now.

Lessons Learned

I did learn a few interesting things through this process that I wanted to highlight, which are mainly Workspace ONE UEM driven:

• You cannot use Token-Based Enrollment or it completely FUBAR’s the whole thing
• You cannot use Look-up Values or anything “cute” to automate the admin account/user account/display name/etc
• Simpler is better, which is why I settled on the same admin account for all Macs
• You always want to do 1 Standard Account/1 Admin Account to mesh with Enterprise Connect
• Catalina is strongly recommended but not required, one extra screen isn’t the end of the world.
• Catalina is noisy as hell 🙂
• There’s no right or wrong way to for doing DEP. Show the screens you want to show, but always automate user accounts and credential rotation.

Summing Things Up

As you have seen, we need to constantly think about how were moving forward on every platform. Complacency is the most epic failure of all. The end user experience is constantly evolving and by implementing my new Near Zero Touch MacOS Enrollment you can now ship Macs directly to users without giving them full admin access.

We need to constantly be better and take things to the next level. There are many ways to design and architect your MacOS strategy, but we can all agree that seamless is always better.