Below is a step-by-step guide to the standard process we use for configuring a Mac for new users.
Setup requires the following and can take a couple of hours to complete:
- Network Connection
- VPN details
- Local Admin account for the Mac
1. Navigating to System Preferences
Log into the device using an account with Administrator privileges. In the top left, click the Apple logo, then System Preferences > Network. Click the padlock in the bottom left of the window and enter the local admin account credentials.
2. Configuring the VPN
Add a new connection by clicking the "+" in the pane on the left of the window. Set "Interface" to "VPN", "VPN Type" to "L2TP over IPSec" and "Service Name" to "Stanleybet VPN".
Leave "Configuration" as "Default". Enter the Server Address: 85.199.231.187. "Account Name" only prefills the username when authenticating to the VPN, so it can be left blank or filled in with the user's AD username.
Select "Authentication Settings...". The "Password:" option can be left blank, as with "Account Name" on the previous page. Tick the "Shared Secret:" checkbox and enter the pre-shared key for the VPN. If this isn't known, it can be found in OnePassword or the Password document.
OK and Apply the changes.
Connecting from here should prompt for a sign in. Enter AD credentials, OK and you should now be connected to the VPN.
In the bottom right of the Network window, select "Advanced...". Under the Options tab, ensure "Disconnect when switching user accounts" and "Disconnect when user logs out" are both UNCHECKED.
OK and Apply the changes.
3. Domaining the Device
Head back to "System Preferences" and select "Users & Groups". Click the padlock in the bottom left and enter local admin credentials to allow changes. Select "Login Options" on the left hand side pane.
For the "Display login window as:" option, select "Name and password".
At the bottom of the menu, select "Join" next to "Network Account Server". In the window that opens, click the "+" icon and enter "Stanleybet.com" as the server. Additional options appear once the domain is discovered.
"Client Computer ID" is the display name of the device when searching AD. It is recommended to set this to the SIB number of the device. To complete adding the device to AD, you must enter your AD admin account credentials. You may also be prompted for the local admin account credentials after this. The process may take a few minutes to complete.
You will know the device has been added successfully when the bottom of the "Users & Groups" window shows a green dot next to the domain name.
From here, select "Edit" next to the domain name and then select "Open Directory Utility". Unlock editing by clicking on the padlock in the bottom left of the newly opened window, enter local admin credentials and then select "Active Directory" from the list and click the pencil icon at the bottom to edit.
Expand the "Show Options" menu, and ensure "Create mobile account at login" is checked.
Navigate to the "Administrative" tab. Check the "Allow administration by:" option and ensure "Domain admins" is present in the list. You can customise this further should you need to lock the device down to a specific few admins. Alternatively, you can grant administrator privileges to any AD account by adding it to the list.
OK and Apply in all open windows.
4. Signing in With an AD Account
Before signing out of the local admin account, ensure you are still connected to the VPN or have an ethernet connection to the network. If so, sign out.
You should be brought to a sign-in screen that requests a username and password instead of showing a list of accounts. If this is not the case and you can only select an account to sign into, log back in to the local admin account and revisit the second paragraph of step 3.
Assuming you are prompted for a username and password, you should be able to enter the credentials of any account on the AD domain and sign in successfully. Signing in with an AD Administrator account will also grant you administrator privileges on the device.
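A post-bind check for the state steps 3 and 4 expect, added here as an example and not part of the original guide. It assumes dsconfigad -show reports settings in the "Key = value" layout of the constructed sample below, and that the SHOWFULLNAME key in /Library/Preferences/com.apple.loginwindow reflects the "Display login window as:" choice (1 = name and password).

```shell
#!/bin/bash
# Post-bind verification for step 3 (added example, not part of the original guide).
# Functions take command output as text so they can be run offline against a sample;
# on the Mac itself:  check_ad_binding "$(dsconfigad -show)" "stanleybet.com"
#   check_login_window "$(defaults read /Library/Preferences/com.apple.loginwindow SHOWFULLNAME)"

# Print the value of one "  Key   = value" line from dsconfigad -show output.
ad_value() {  # $1 = dsconfigad output, $2 = key label
    printf '%s\n' "$1" | awk -F' = ' -v k="$2" \
        '{ key=$1; sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key); if (key == k) { print $2; exit } }'
}

# Returns 0 when the binding matches the settings the guide requires, 1 otherwise (printing each miss).
check_ad_binding() {  # $1 = dsconfigad -show output, $2 = expected domain
    local out="$1" domain="$2" rc=0 v
    v=$(ad_value "$out" "Active Directory Domain" | tr 'A-Z' 'a-z')
    [ "$v" = "$(printf '%s' "$domain" | tr 'A-Z' 'a-z')" ] || { echo "FAIL: bound to '${v:-nothing}', expected $domain"; rc=1; }
    v=$(ad_value "$out" "Create mobile account at login")
    [ "$v" = "Enabled" ] || { echo "FAIL: 'Create mobile account at login' is '${v:-unset}'"; rc=1; }
    v=$(ad_value "$out" "Allowed admin groups")
    case "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" in
        *"domain admins"*) ;;
        *) echo "FAIL: Domain admins missing from allowed admin groups ('${v:-not set}')"; rc=1 ;;
    esac
    return $rc
}

# SHOWFULLNAME=1 means the login window asks for name and password (step 3); 0 or unset shows the user list.
check_login_window() {  # $1 = value printed by defaults read ... SHOWFULLNAME
    [ "$1" = "1" ]
}

# Constructed sample in the layout dsconfigad -show uses (not captured from a real machine).
SAMPLE_GOOD='You are bound to Active Directory:
  Active Directory Forest          = stanleybet.com
  Active Directory Domain          = stanleybet.com
  Computer Account                 = sib12345$

Advanced Options - User Experience
  Create mobile account at login   = Enabled
  Require confirmation             = Enabled

Advanced Options - Administrative
  Allowed admin groups             = STANLEYBET\domain admins
  Authentication from any domain   = Enabled'

if [ "${1:-}" = "--demo" ]; then
    check_ad_binding "$SAMPLE_GOOD" "stanleybet.com" && echo "binding OK"
fi
```

Run it with --demo to exercise the sample; on a freshly bound Mac, any FAIL line means one of the step 3 settings did not apply and the login-window check failing is the symptom step 4 describes.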
5. Creating a Separate Local Admin Account for the User
Although the user will be using their AD account primarily, they will be prompted for an admin account when installing some software. As we can't provide access to our local admin account, we will need to create one for them. Advise them that this is only to be used when prompted for an admin account and is not intended to be signed in to.
Click the Apple icon in the top left, select "System Preferences", "Users & Groups" and click the "+" at the bottom of the left hand panel. In the "Full Name" field, type "admin(first initial)(last name)" E.g. For Shaun Baker, type "adminSBaker". The "Account Name" will auto populate. Set up a secure password and make a note of it in OnePassword. The account credentials will need to be provided to the user when the device is handed over.
6. Setting Up Automatic Security Updates
Select the Apple icon in the top left. This brings up a window showing some system info such as S/N, OS info, etc. Select "Software Update" and check the box that says "Automatically keep my Mac up to date". Select the "Advanced" option and ensure all boxes are ticked, apart from "Install macOS updates".
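A check that the step 6 settings actually took, added here as an example and not part of the original guide. It assumes the "Advanced" checkboxes correspond to the com.apple.SoftwareUpdate preference keys named in the script (the App Store app-update box lives in a separate domain and is not covered), read with defaults read.

```shell
#!/bin/bash
# Verification for step 6 (added example, not from the original guide).
# Assumption: the "Advanced" checkboxes correspond to these keys, read with
#   sudo defaults read /Library/Preferences/com.apple.SoftwareUpdate
# ("Install app updates from the App Store" lives in com.apple.commerce AutoUpdate and is not checked here).
# On the Mac: check_update_prefs "$(sudo defaults read /Library/Preferences/com.apple.SoftwareUpdate)"

# Print the value of one key from `defaults read` dictionary output ("    Key = 1;").
pref_value() {  # $1 = defaults output, $2 = key
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^;]*\);.*/\1/p" | head -n 1
}

# Step 6 wants every option on except "Install macOS updates". Returns 0 when the
# output matches, otherwise prints each mismatch (a missing key counts as off) and returns 1.
check_update_prefs() {  # $1 = defaults read output for com.apple.SoftwareUpdate
    local out="$1" rc=0 spec key want got
    for spec in AutomaticCheckEnabled=1 AutomaticDownload=1 ConfigDataInstall=1 \
                CriticalUpdateInstall=1 AutomaticallyInstallMacOSUpdates=0; do
        key=${spec%=*}; want=${spec#*=}
        got=$(pref_value "$out" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '${got:-unset}', expected $want"; rc=1
        fi
    done
    return $rc
}

# Constructed sample in the layout `defaults read` prints for a dictionary.
SAMPLE_PREFS='{
    AutomaticCheckEnabled = 1;
    AutomaticDownload = 1;
    AutomaticallyInstallMacOSUpdates = 0;
    ConfigDataInstall = 1;
    CriticalUpdateInstall = 1;
}'

if [ "${1:-}" = "--demo" ]; then
    check_update_prefs "$SAMPLE_PREFS" && echo "update settings OK"
fi
```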
7. Setting Up Drive Encryption
Click the Apple Icon in the top left, Select
8. Required Software Installs
Before handing out a configured Mac, we need to ensure the FreshServ Agent and Bit Defender are installed. This can be done by opening "Finder" from the Dock at the bottom of the screen. Once open, press the "Command" and "K" keys together. This brings up a dialog that allows you to enter a server address. Enter smb://10.101.3.151/ into the address bar, enter credentials if prompted, then select "IT_Dept" from the list. Find the "Software" folder and open it.
In the "Software" folder, find "FreshServ Agent Mac", open the folder, and drag the latest "fs-mac-agent.tar.gz" to the desktop. Once the file is transferred, double click the file on the desktop and follow the install instructions. Once installation is complete, give it a few minutes and then check the device shows in the asset list on https://support.magellanrobotech.com/helpdesk/dashboard. When it does show, edit the asset and change the "Asset Tag" field to the correct one.
Next, open the "Software" folder again, look for "BitDefender" and drag "Bitdefender_for_MAC.dmg" to the desktop. Double click the file on the desktop and follow all the install instructions. Once installed, you'll need to grant the application Full Disk Access for it to run correctly. To do this, click the Apple icon in the top left, "System Preferences", "Security & Privacy", select the "Privacy" tab and click "Full Disk Access". Ensure "BDLDaemon" and "EndpointSecurityforMac" are both checked, then close the window. A restart of the device is needed for these changes to take effect.
Notes:
After first login, the credentials of the account are cached so you no longer need to be connected to the VPN to sign in. This means you could then disregard the last paragraph of step 2. However, if you need to log into a new AD account on the device that isn't cached, you will need to revert the changes made.
This was tested on a MacBook Pro 2018 running macOS Mojave 10.14.6. It should work the same way on most devices and future OS versions, but the steps may differ slightly.
Tested one of the new MacBook Pro 2021s in the office. Found out there is an issue connecting to the network via VPN when using RED wifi. Trying to domain the Mac when on RED resulted in an error 2100 - Domain authentication failed. Domaining via GREEN is possible, but the network will disconnect when you log out of the local admin account, meaning you can't log into a new AD account.
The only workaround I have found for this so far is using a mobile hotspot, connecting to the VPN, signing out of local admin, signing into an AD account and following the setup. After this, it shouldn't matter what network you're on as long as you're only signing into an already cached account.