Mac MDM Deployment Assistance

I am hoping someone can point me in a direction or let me know if what I want to do is even possible.

I recently acquired a client with a lot of Macs. We started using an MDM (Mosyle) a while back but have not really done too much in it. I can send someone a link to the Mosyle onboard tool, and it will put them in that system.

So far I have been able to get Mosyle to automatically deploy Screenconnect to the device.

I have had no luck getting Syncro to deploy to the device through Mosyle. Most likely because the tool cannot (or I lack the scripting ability to) step the installer through the install process.

I would also like to eventually have Mosyle deploy SentinelOne and DNS Filter, both of which require a client ID code to be passed to the installer.

Do I have a better chance of getting Mosyle to install Syncro, S1 and DNSF, or am I better off getting the user to self enroll in Syncro, and then create scripts in Syncro that will install S1, DNSF, and enroll the user in Mosyle?

Mosyle enrollment has to happen in Safari, and it creates a profile in Mac OS that allows the MDM to manage the device.

My fallback for now is to send the client the Mosyle link and have them self enroll, and then at least Mosyle installs SC, which means I can remote to the machine and push Syncro, S1 and DNSF from the SC toolbox.

But ultimately I would love to have this be a matter of the client enrolling in either Mosyle or Syncro, then let the automation do its thing.

I would gladly pay someone who could make this happen.

I have had partial success with this bash script via Mosyle to deploy the Mac Agent to a client’s Macbook fleet. It seems to have installed on about half of them over the last 2 months, and downloaded on the other half, but had partial failures - which I’m still investigating. On top of that, we’re still having issues getting the permissions for Splashtop to deploy the permissions to be able to remote in without admin permissions, but I think we’re nearly there to at least let the users allow the permissions without administrative permissions on their machines.

Here is the bash script to push through Mosyle (worked with Mosyle support to get this formatting ironed out):

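#!/bin/bash
# Replace the placeholder with your Syncro policy ID
POLICY_ID="INSERT_POLICY_ID_HERE"
# Write the policy ID to /tmp/syncro-deploy-id
echo "$POLICY_ID" > /tmp/syncro-deploy-id
# Download the installer package, following redirects
/usr/bin/curl -L1 https://production.kabutoservices.com/desktop/macos/setup -o /tmp/SyncroDesktop.pkg
# Install to the boot volume, then remove the downloaded package
installer -pkg /tmp/SyncroDesktop.pkg -target /
/bin/rm /tmp/SyncroDesktop.pkg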

Security & Privacy Permissions 1)
Full App Code Req:
identifier SyncroDesktop and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = Y3LYQ633EF


Security & Privacy Permissions 2)
Full App Code Req:
identifier "com.splashtop.Splashtop-Streamer" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = CPQQ3AW49Y

Hope this helps a little!
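Added example, not part of the thread and not Syncro's or Mosyle's own code: the same download-and-install flow, with a check of the package's signing Team ID before `installer` runs as root, and a private temp directory instead of a fixed path in /tmp. It assumes the installer package is signed by the same team as the SyncroDesktop code requirement quoted above (Y3LYQ633EF); the function names are illustrative.

```shell
#!/bin/bash
# Added example (not Syncro's or Mosyle's script): check who signed the .pkg
# before installing it as root.
# ASSUMPTION: the installer is signed by the same team as the app's code
# requirement quoted above (subject.OU = Y3LYQ633EF).
EXPECTED_TEAM_ID="Y3LYQ633EF"
PKG_URL="https://production.kabutoservices.com/desktop/macos/setup"

# Reads `pkgutil --check-signature` output on stdin; prints the Team ID from
# the leaf certificate line ("1. Developer ID Installer: Name (TEAMID)").
pkg_team_id() {
  local line team
  while IFS= read -r line; do
    case "$line" in
      *"1. Developer ID Installer: "*"("*")"*)
        team="${line##*\(}"   # keep text after the last "("
        team="${team%%\)*}"   # cut at the closing ")"
        printf '%s\n' "$team"
        return 0 ;;
    esac
  done
  return 1                    # no Developer ID Installer line found
}

deploy_syncro() {
  local policy_id="$1" workdir pkg sig team rc
  workdir="$(mktemp -d /tmp/syncro.XXXXXX)" || return 1   # private, unpredictable dir
  pkg="$workdir/SyncroDesktop.pkg"
  rc=1
  # -f makes curl fail on an HTTP error instead of saving the error page as the .pkg
  if ! /usr/bin/curl -fsSL "$PKG_URL" -o "$pkg"; then
    echo "download failed" >&2
  # pkgutil exits non-zero when the package is unsigned or the signature is invalid
  elif ! sig="$(/usr/sbin/pkgutil --check-signature "$pkg")"; then
    echo "signature check failed" >&2
  elif ! team="$(printf '%s\n' "$sig" | pkg_team_id)" || [ "$team" != "$EXPECTED_TEAM_ID" ]; then
    echo "unexpected signer: ${team:-none}" >&2
  else
    printf '%s\n' "$policy_id" > /tmp/syncro-deploy-id
    /usr/sbin/installer -pkg "$pkg" -target /
    rc=$?
  fi
  rm -rf "$workdir"
  return "$rc"
}

# Runs only when a policy ID is given as the first argument.
if [ -n "${1:-}" ]; then
  deploy_syncro "$1"
fi
```

Where the MDM runs the script without arguments, replace the final guard with a direct `deploy_syncro` call carrying the policy ID.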

That helps a lot, thanks. I am completely new to Mac scripting but learning slowly. I worked with Mosyle support and they helped me get the Syncro working using the exact script you posted. If I am not mistaken that install script is taken directly from Syncro’s documentation.

I used what I learned from them to get Mosyle to install SentinelOne and DNS Filter in the same method. So now all my tools install when the client onboards with the Mosyle code.

But the permissions script is a genius idea. Thanks for passing that along. I will have to give that a try.

One of the best things I did, which should make learning much quicker, is set up a VMware Mac instance that I can play around with and revert when I mess it up.