As I have recently discussed with some of my colleagues, there have been some inconsistencies over the years in managing the Setup Assistant experience on macOS when new users log in. Let's talk about 2 ways many know to manage this:
- DEP Enrolment Profile, choosing items to Skip (such as a Jamf Pro PreStage Enrolment Profile)
- Manual Profiles Created by the MacAdmins community, like these:
  - https://github.com/rtrouton/profiles/tree/master/SkipDarkorLightAppearance
  - https://github.com/rtrouton/profiles/tree/master/SkipDataAndPrivacy
  - https://github.com/rtrouton/profiles/tree/master/SkipScreenTimeSetup
  - https://github.com/rtrouton/profiles/tree/master/SkipSiriSetup
  - https://github.com/rtrouton/profiles/tree/master/SkipTouchIDSetup
  - https://github.com/rtrouton/profiles/tree/master/SkipiCloudSetup
Here are the 3 issues I have encountered:
- All items being skipped for a new user login on a pre-configured computer, but the setting up your Mac screen still being displayed
- All except a couple items being skipped for a new user login on a pre-configured computer, even though we “ticked all the skip options in the DEP Enrolment Profile”
- Deploying the community sourced custom profiles above but only some of them work/don’t skip everything
Given I have been victim of all these scenarios I thought it was time to take a closer look.
First, to Apple’s documentation: https://developer.apple.com/documentation/devicemanagement/setupassistant
Stand out observations:
- There are 8 preference keys for skipping items
- The profiles above only refer to 6/8, with one key per profile
- Documentation and the community profiles both refer to the PayloadType needing to be com.apple.SetupAssistant.managed
- Custom Settings Profiles from Jamf use com.apple.ManagedClient.preferences for the PayloadType when managing app preferences like those of Microsoft Office
So from this hit list of info, we see that our community profiles may be letting us down, possibly adding to one of our other issues we see as well.
Digging a bit further, I uploaded SkipiCloudSetup.mobileconfig to my test Jamf Pro and then re-downloaded and unsigned a copy of it to see if what I uploaded matched what I got back. It didn't. The important bits:
- PayloadType was still com.apple.SetupAssistant.managed
- SkipCloudSetup preference key was still there, but instead of being TRUE, it was FALSE
- SkipSiriSetup preference key magically joined it in the profile and was also FALSE
Looks like the best practice of Signing/Encrypting your custom config profile before upload, to make sure Jamf doesn't mess with it, still applies: https://www.jamf.com/jamf-nation/articles/648/deploying-custom-configuration-profiles-using-jamf-pro
This will undoubtedly be causing a bunch of issues and confusing things to no end. Summary on custom profiles:
- Custom profiles we often refer to don’t include all the keys
- When they are uploaded to Jamf as is, unencrypted, they may not end up on the computer the way they started and therefore not work
So where does this leave us for the other 2 issues? A few simple thoughts:
- macOS changes as point releases come, so the behaviour of the Skip preference keys changes, and new keys have been added over the last few major releases
- If the MDM deploys DEP Enrolment Profiles with the Skip items included for High Sierra, and then the machine over its life is upgraded to Catalina, that profile is never re-installed to include the latest Skip items, even if the MDM has added them into the product. It's a one-off set of settings that doesn't change until the device is wiped or intentionally un-enrolled and re-enrolled
- In the same thought, the checkboxes we see in a Jamf PreStage do not mirror the preference keys in Apple's documentation, so likely these have changed and evolved over time and the behaviour of what is linked to what has changed. Jamf may be deploying deprecated Skip keys for some items, for example, satisfying all of the requirements but not quite 100%, causing the "setting up your mac" screen to display as it tidies up the loose ends, especially if the user hasn't logged in since an OS update
With all of this considered, it looks like deploying a set of managed Setup Assistant preferences to all machines ON TOP of the DEP Profile is desirable if you want to be 100% sure the machine experience is what you intend.
Here is where we go off documentation…
As I said before, the PayloadType for these preferences, according to Apple, needs to be different to normal preference management we perform for other apps.
Testing on macOS Catalina 10.15.4 and 10.15.5b, here is what I have found:
Create a plist with all of the preference keys, upload it into a NEW Jamf Pro profile in the Custom App Settings payload, and it works!
```bash
# Write all eight Skip keys into a plist named after the preference domain
defaults write ~/Downloads/com.apple.SetupAssistant.managed.plist SkipAppearance -bool true
defaults write ~/Downloads/com.apple.SetupAssistant.managed.plist SkipCloudSetup -bool true
defaults write ~/Downloads/com.apple.SetupAssistant.managed.plist SkipiCloudStorageSetup -bool true
defaults write ~/Downloads/com.apple.SetupAssistant.managed.plist SkipPrivacySetup -bool true
defaults write ~/Downloads/com.apple.SetupAssistant.managed.plist SkipSiriSetup -bool true
defaults write ~/Downloads/com.apple.SetupAssistant.managed.plist SkipTrueTone -bool true
defaults write ~/Downloads/com.apple.SetupAssistant.managed.plist SkipScreenTime -bool true
defaults write ~/Downloads/com.apple.SetupAssistant.managed.plist SkipTouchIDSetup -bool true
# Convert from binary to XML so the file can be uploaded and read as text
plutil -convert xml1 ~/Downloads/com.apple.SetupAssistant.managed.plist
```
As long as the Preference Domain is set as com.apple.SetupAssistant.managed and the uploaded property list file displays as such, we're good.
What happens in the background is we get a profile with a PayloadType of com.apple.ManagedClient.preferences with sub items of:
- Key: com.apple.SetupAssistant.managed
- Dictionary -> Key: Forced
- Dictionary -> Key: mcx_preference_settings
- All sub preference keys we expect below that
As we are now delivering this as a FORCED MCX Preference for the Machine and therefore ALL existing AND new users, rather than a “set once” config per machine that MIGHT deliver to all users, this should give a more consistent experience in theory.
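To check what a profile actually contains after a round trip through the MDM, the added example below (not the author's or Jamf's code) reads an unsigned .mobileconfig and reports which of the eight Skip keys are missing or not set to true, for both the direct payload and the MCX-wrapped one described above. The sample profiles are constructed inline, and treating Forced as an array of dictionaries is an assumption about the wrapper layout.

```python
import plistlib

# The eight Skip keys used in the defaults commands on this page.
SKIP_KEYS = ["SkipAppearance", "SkipCloudSetup", "SkipiCloudStorageSetup",
             "SkipPrivacySetup", "SkipSiriSetup", "SkipTrueTone",
             "SkipScreenTime", "SkipTouchIDSetup"]
DOMAIN = "com.apple.SetupAssistant.managed"
MCX = "com.apple.ManagedClient.preferences"

def setup_assistant_settings(profile_bytes):
    """Collect Setup Assistant Skip settings from every payload of an unsigned profile."""
    profile = plistlib.loads(profile_bytes)
    found = {}
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype == DOMAIN:
            # Direct payload: the Skip keys sit beside PayloadType.
            found.update({k: v for k, v in payload.items() if k in SKIP_KEYS})
        elif ptype == MCX:
            # MCX wrapper: domain -> Forced -> mcx_preference_settings.
            forced = payload.get("PayloadContent", {}).get(DOMAIN, {}).get("Forced", [])
            if isinstance(forced, dict):  # assumption: tolerate a single dict too
                forced = [forced]
            for entry in forced:
                prefs = entry.get("mcx_preference_settings", {})
                found.update({k: v for k, v in prefs.items() if k in SKIP_KEYS})
    return found

def audit(profile_bytes):
    """Return (missing, not_true): keys absent, and keys present but not True."""
    settings = setup_assistant_settings(profile_bytes)
    missing = [k for k in SKIP_KEYS if k not in settings]
    not_true = [k for k in SKIP_KEYS if k in settings and settings[k] is not True]
    return missing, not_true

def _profile(payload):
    # Helper for the constructed samples only: wrap one payload in a profile.
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [payload]})

# Constructed sample: the shape described above for the re-downloaded profile.
ROUND_TRIPPED = _profile({"PayloadType": DOMAIN,
                          "SkipCloudSetup": False, "SkipSiriSetup": False})
# Constructed sample: all eight keys forced through the MCX wrapper.
MCX_FORCED = _profile({"PayloadType": MCX, "PayloadContent": {
    DOMAIN: {"Forced": [{"mcx_preference_settings": dict.fromkeys(SKIP_KEYS, True)}]}}})

if __name__ == "__main__":
    for name, blob in (("round-tripped", ROUND_TRIPPED), ("mcx-forced", MCX_FORCED)):
        print(name, audit(blob))
```

For a real profile, pass the bytes of the unsigned file to `audit()`; a signed profile has to be unsigned first, as was done for the comparison above.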
It's contrary to Apple's explicit documentation, but in line with their overall ManagedPreferences framework: https://developer.apple.com/documentation/devicemanagement/managedpreferences
As I said, I have tested this flow and it works as expected with new users created after the profile was installed from a UIE/UAMDM Jamf configuration on 10.15.4/5 as well as a DEP configuration on 10.15.4/5.
Testing today on 10.15.5, having ONLY the DEP Profile with everything skipped resulted in the Setting Up Your Mac screen for a new user login. Applying my profile, created with the attached plist from my example commands above, dismissed the Setup screen entirely on first login.
Conclusion
Use your DEP profile to set your desired 1st user experience for Setup Screens, and use the Custom Profile (type com.apple.ManagedClient.preferences via Plist upload in the case of Jamf) to manage it from a ManagedPreferences engine/framework for all subsequent users that log in to the Mac, keeping in mind the timing of delivery MAY override the 1st user experience settings in the DEP Profile (more testing to be seen on that).
Hope this is as helpful for others as it was for me.
Jamf Pro Plist: https://gist.github.com/aarondavidpolley/9e41928c64203c6cd65ba0a02a37b77b
//Aaron