Provisioning time: hours → 20 min

Zero-Touch Deployments

How I designed a fully automated macOS deployment workflow that eliminated manual imaging and reduced provisioning from hours to under 20 minutes across 2,000+ endpoints.

Problem

Manual device provisioning was taking IT staff 2–4 hours per Mac, creating a bottleneck for new hires and refresh cycles across 2,000+ endpoints. Every new device required hands-on configuration — imaging, local account creation, app installation, and policy application. During hiring surges, IT couldn't keep pace. New employees sometimes waited days for a ready-to-work device.

Decision

Chose Jamf Setup Manager + Apple Business Manager (ABM) over manual imaging because it enables true zero-touch deployment, scales infinitely, and eliminates IT hands-on time entirely. The key insight: ABM's Automated Device Enrollment (ADE) lets us pre-configure every Mac before it leaves the factory. Combined with Jamf Pro's policy engine, we could automate the entire provisioning pipeline — enrollment, configuration, app deployment, compliance checks, and identity binding.

Architecture: Zero-Touch Deployment Flow

  • Step 1 of 4, Apple Business Manager: Device purchase → auto-enrolled in MDM
  • Step 2 of 4, Jamf Pro Enrollment: Setup Manager → Prestage enrollment → Device assigned to user
  • Step 3 of 4, Configuration Profiles: Wi-Fi · VPN · Certificates · Security policies → App deployments
  • Step 4 of 4, User: Opens Mac → Entra ID Login → Platform SSO → Ready to Work

Total time: < 20 minutes · Zero IT touch · Secure Enclave-backed auth

Implementation

Built a complete zero-touch pipeline with five layers:

  • ABM Integration: Every Mac purchased through business channels automatically appears in ABM and is assigned to the Jamf Pro MDM server. No manual enrollment required.
  • Prestage Enrollment: Custom enrollment profiles in Jamf Pro define the user experience: skip setup screens, enforce FileVault, require Platform SSO authentication.
  • Setup Manager: Branded provisioning workflow that guides users through the final steps — region selection, account creation, and a "Welcome to Patagonia" screen.
  • Configuration Profiles: Wi-Fi, VPN, certificates, security policies, and compliance baselines apply automatically during enrollment. No post-setup configuration needed.
  • App Deployment: Required applications (Office 365, security tools, internal apps) install silently via Jamf policies triggered by enrollment completion.
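
A post-enrollment check for the pipeline above, as an added example that is not the author's script: it parses the output of the macOS commands `profiles status -type enrollment` and `fdesetup status` to confirm that a Mac enrolled through ADE and that FileVault enforcement took effect. The function names, the `--live` flag and the sample outputs are assumptions made for illustration.

```shell
#!/bin/bash
# Added example (not the author's script). Parsers take command output as text
# so they can be checked against constructed samples off-device.

# 0 = enrolled through ADE (shown as "DEP") with user-approved MDM.
check_enrollment() {
  local out="$1"
  printf '%s\n' "$out" | grep -q '^Enrolled via DEP: Yes' || return 1
  printf '%s\n' "$out" | grep -q '^MDM enrollment: Yes (User Approved)' || return 2
}

# Maps `fdesetup status` output to on | deferred | off | unknown.
filevault_state() {
  case "$1" in
    *"FileVault is On."*) echo on ;;
    *"Deferred enablement appears to be active"*) echo deferred ;;
    *"FileVault is Off."*) echo off ;;
    *) echo unknown ;;
  esac
}

# Prints one finding per line; return code is the number of failed checks.
verify_provisioning() {
  local failures=0
  if check_enrollment "$1"; then
    echo "PASS enrollment: ADE, user approved"
  else
    echo "FAIL enrollment: manual or unapproved MDM enrollment"
    failures=$((failures + 1))
  fi
  case "$(filevault_state "$2")" in
    on) echo "PASS filevault: on" ;;
    deferred) echo "WARN filevault: enablement deferred to next login/logout" ;;
    *) echo "FAIL filevault: off or unknown"; failures=$((failures + 1)) ;;
  esac
  return "$failures"
}

# Constructed sample outputs (not captured from a real device).
SAMPLE_ENROLL='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'
SAMPLE_FV="FileVault is Off.
Deferred enablement appears to be active for user 'newhire'."

if [ "$(uname -s)" = "Darwin" ] && [ "${1:-}" = "--live" ]; then
  verify_provisioning "$(profiles status -type enrollment 2>&1)" "$(fdesetup status 2>&1)"
else
  verify_provisioning "$SAMPLE_ENROLL" "$SAMPLE_FV"
fi
```

The deferred state is reported as a warning rather than a failure because FileVault enablement can remain pending until the user's next login or logout.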

Result

  • Provisioning dropped from 2–4 hours to under 20 minutes per device.
  • IT staff reclaimed approximately 15 hours/week previously spent on manual imaging.
  • New hires receive ready-to-work devices on Day 1 without IT intervention.
  • Deployment scaled to handle 50+ simultaneous provisions during hiring surges.
  • Zero-touch means IT never physically touches the device — it ships directly to the employee.

Lessons Learned

The biggest challenge wasn't technical — it was change management. Users accustomed to IT-handled setup needed clear documentation and communication. We created a one-page "Getting Started" guide that shipped with every device. The second lesson: network dependencies matter. Zero-touch fails if the device can't reach Jamf Cloud during setup. We added offline enrollment fallback and documented the exact network requirements for procurement to communicate to new hires before their start date.

Jamf Pro · Apple Business Manager · macOS · Entra ID · Bash · Setup Manager