While we've switched to DEP and MDM as our main deployment method, it still has a ways to go before it covers all cases. DEP still requires a human with physical access to set up the machine on first boot. It's possible to reinstall and set up a fleet of machines with no human needed to touch them. Imaging is also still by far the most automatable solution, and the only one that can truly be zero touch. One solution is to preload all the necessary bits; see for example Facebook's AutoDMG Cache Builder. If you're onboarding hundreds of people in the same room at the same time, there's no WiFi in the world that can deliver the base config in a timely and reliable manner.

Performance is also a factor, as you mention. Note that Secure Boot is very much a welcome feature in this scenario, as it also secures the machine's firmware. Imaging every device that you buy is still the only available protection against this threat. It's trivial to sideload a LaunchDaemon via Target Disk Mode, which the Mac will load on first boot, even with full protection, since FileVault hasn't yet been enabled by the user (or the MDM). The "secure" part of Secure Boot only protects booting macOS; it doesn't safeguard against actors intercepting shipments and dropping malware before the customer performs MDM setup via DEP.
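The last comment describes the gap: a LaunchDaemon plist dropped onto the disk before first boot runs as root before FileVault or MDM enrollment exists. The audit below is an added example, not code from the comment thread or from any MDM vendor: it parses a directory of launchd job plists (as found under /Library/LaunchDaemons) and flags jobs that run at load from outside the paths Apple and a managed agent normally use, or that hand an inline script to a shell with `-c`. The trusted-prefix list, the interpreter list and the sample jobs are all assumptions constructed for the example; a real pre-deployment check should also verify code signatures, which this offline script does not do.

```python
"""Audit launchd daemon plists for first-boot persistence that a shipment
interceptor could drop before FileVault/MDM exist.  Added example; the
trusted-prefix list and sample jobs are assumptions, not real-system data."""
import os
import plistlib
import tempfile

# Assumption: on a freshly shipped Mac, legitimate daemons exec binaries
# from these locations.  Extend with your MDM agent's install path.
TRUSTED_PROGRAM_PREFIXES = (
    "/System/",
    "/usr/libexec/",
    "/usr/sbin/",
    "/usr/bin/",
    "/bin/",
    "/sbin/",
    "/Library/Apple/",
)

# Interpreters commonly used to wrap a dropper in a one-line job.
SHELL_INTERPRETERS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript"}


def program_of(job):
    """Executable launchd will exec: Program wins over ProgramArguments[0]."""
    if "Program" in job:
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None


def audit_job(job):
    """Return human-readable findings for one parsed launchd job dict."""
    program = program_of(job)
    if program is None:
        return ["no Program or ProgramArguments"]
    findings = []
    args = job.get("ProgramArguments") or []
    if not program.startswith(TRUSTED_PROGRAM_PREFIXES):
        findings.append(f"program outside trusted prefixes: {program}")
    if program in SHELL_INTERPRETERS and "-c" in args:
        findings.append("inline script passed to an interpreter with -c")
    # Only escalate RunAtLoad when something else already looks wrong;
    # plenty of legitimate system daemons set it.
    if findings and job.get("RunAtLoad"):
        findings.append("RunAtLoad set: executes on first boot before FileVault/MDM")
    return findings


def audit_directory(directory):
    """Map each *.plist in directory to its findings; unparseable files are a finding."""
    results = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(directory, name)
        try:
            with open(path, "rb") as fh:
                job = plistlib.load(fh)
        except Exception as exc:  # malformed XML or binary plist
            results[name] = [f"unparseable plist: {exc}"]
            continue
        results[name] = audit_job(job)
    return results


# Constructed sample jobs (not taken from any real machine): one benign
# agent, one bash -c wrapper, one bare binary hidden under root's home.
SAMPLE_JOBS = {
    "com.example.vendor-agent.plist": {
        "Label": "com.example.vendor-agent",
        "ProgramArguments": ["/usr/libexec/vendoragent", "--daemon"],
        "RunAtLoad": True,
    },
    "com.example.helper.plist": {
        "Label": "com.example.helper",
        "ProgramArguments": ["/bin/bash", "-c", "/private/var/root/.helper/run.sh"],
        "RunAtLoad": True,
        "KeepAlive": True,
    },
    "com.example.updater.plist": {
        "Label": "com.example.updater",
        "Program": "/private/var/root/.cache/updater",
        "RunAtLoad": True,
    },
}


def run_demo():
    """Write the constructed samples to a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as directory:
        for name, job in SAMPLE_JOBS.items():
            with open(os.path.join(directory, name), "wb") as fh:
                plistlib.dump(job, fh)
        return audit_directory(directory)


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(name, "->", findings or ["ok"])
```

On a real device the target is `audit_directory("/Library/LaunchDaemons")`, run against the volume of a newly received Mac mounted read-only (for instance over Target Disk Mode from a trusted admin machine) before that Mac is ever booted; anything flagged is worth comparing against a known-good image of the same model and OS build rather than trusting the path alone.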
Archives: May 2023