Coca-Cola IT macOS Enrollment Guide
Workstation Management Solutions
V1.1
Classified - Confidential
Table of Contents
- Requirements
- Supported macOS versions
- Out-of-the-box enrollment
- Re-enrollment process
- Common Issues
- How-to questions
- Changelog
Enrollment process for all new macOS workstations
Carefully read the requirements below before starting the macOS activation
process.
Requirements
All new macOS devices need to be assigned to TCCC’s Apple Business Manager (ABM) account by the
vendor during the purchase order. (Check in the Jamf console or reach out to the Client Platform Engineering
team to check if the device is in ABM).
If the device has not been added to ABM by the vendor, please follow the manual process to add the Mac to
the ABM account, available here.
If the device is running macOS 11 Big Sur or an older version, it must be updated to macOS 12 Monterey and
factory reset before adding it to ABM using the manual process.
Supported macOS versions
Currently, the following macOS versions are supported in TCCC:
- macOS 12.5.1 Monterey
- macOS 12.6 Monterey
Computers running macOS versions prior to 12.5.1 should immediately be upgraded to the latest supported
version.
Out-of-the-box enrollment
Before beginning the enrollment process, make sure you have the user's credentials as you will need to
provide them immediately after the process logs the Administrator out and asks you to log in with the user's
credentials. Again, this should be done without delay.
Connect the Mac to TCCC’s wired network using an
Ethernet adapter or docking station.
Note: Do not connect the Mac to the _iGuest network or
a direct Internet connection.
[Figure: adapter options: USB to Ethernet, Thunderbolt to Ethernet, USB Type-A docking station, USB Type-C Thunderbolt docking station]
Take the Mac out of its box and switch it on. Follow the
on-screen prompts to select the Language, Country or Region,
Written and Spoken Languages, and Accessibility options.
Click “Continue” when presented with the “Remote
Management” screen to start the enrollment process.
On the “Select Your Time Zone” screen, check “Set time
zone automatically using current location”, click “Turn On
Location Services” and “Continue”.
Log in to the Mac with the following account:
- Name: administrator
- Password: password provided by the Client Platform
Engineering team
Once logged in, wait for 1-2 minutes for the Self Service
app to start automatically, then go to “Staging” and click the
“Enroll” button under the “Enroll Mac” policy.
If prompted, click “OK” to allow “Jamf” to control
“System Events”.
Click “Continue”
Type in the KO ID of the user you are enrolling the Mac for
and click “Next”
The next few steps are fully automated:
- A new computer name will be created based on the
user’s KO ID and a random 4-digit number.
- The computer will be joined to the domain. This step
might take up to 2 minutes, so don’t be surprised if there
is no on-screen activity.
A notification will mark the completion of the process.
Click “Finish” and “Log Out”, then log back in with the
user’s credentials.
When logged out, log in with the user’s KO ID and
password. This needs to be done immediately after this
screen is presented.
VERY important: Only log in with the user’s account
using his KO ID and password (no need to use
domain\KO ID). Do not log in with any other user’s account.
Launch Self Service, go to the “Staging” tab and click
“Encrypt” under the “Encrypt Mac” policy
If prompted, click “OK” to allow “Jamf” to control
“Finder” and “System Events”.
When prompted, click “Close” and “Log Out”, then log
back in with the user’s credentials.
Note: It can take up to 5 minutes to fully enable encryption
so be patient and don’t run the policy twice.
When logged out, log in with the user’s KO ID and
password. A prompt will appear asking to enable FileVault.
Click “Enable Now” then “OK”.
Note: When prompted to sign in to xxx.KO.COM (xxx
depending on where the user’s account is in the local AD),
enter the user’s KO ID and password, then click “Sign In” to
enable the synchronization with the AD account.
Note: When prompted by Microsoft AutoUpdate with the
“Required Data Notice”, click “OK”
Launch Self Service, go to the “I.T. Support” tab and click
“Sync” under the “Sync device” policy.
This will trigger a check-in of the device with Jamf to start
downloading and installing all the required apps and
configurations.
Some applications (e.g. Microsoft Office) are as large as
1.5 GB, so downloading and installing them may take time
depending on your TCCC office’s Internet connection
speed.
Hint: You can monitor the enrollment process by launching
the “Console” app and selecting Log Reports > jamf.log
Note: When the Company Portal app starts automatically,
do one of the following actions:
- If the user is available, follow the steps described
here to register his device with Azure AD and Intune
(MFA will be required).
- If the user is NOT available, close the Company
Portal app, and click “OK” on the “Registration with
Intune failed” notification. You will need to run the
registration policy manually from Self Service before
giving the device to the user (see below).
Note: When you get the security prompt to allow Changes
to the System Certificate Trust Settings, enter the
administrator account credentials and click Update
Settings. This is required for the Hive Streaming agent to
work properly.
Once the staging is complete and all required applications
have been installed (see below the list of required apps),
the dock will be updated with the installed applications.
Before delivering the device to the user, check that:
- Device can connect to GlobalProtect VPN
- Device can connect to _ServiceCC WiFi
Once you are ready to deliver the device to the user,
work with the user to register the device with Azure AD
and Intune, if not done previously.
Launch Self Service, select the “I.T. Support” category,
and click “Register” under the “Azure AD registration”
policy.
Once the Company Portal app starts automatically, click
“Sign In” and follow the steps described here.
Notes:
- make sure that the user is enabled for MFA
enrollment prior to the Intune Registration
- if you have registered the device to Azure AD and
Intune previously, you can skip this step
- do not manually start the Company Portal
application from the App Launcher but relaunch the
“Azure AD registration” policy from Self Service
Finally, assist the user to sign in and configure his corporate
applications such as Outlook, Teams, or OneDrive.
Keep in mind…
Do NOT un-bind the Mac from the na.ko.com domain even if the Mac is being enrolled
outside North America and even if you intend to re-bind it to the na.ko.com domain.
Un-binding the Mac from the domain causes issues with joining to the “_ServiceCC” wireless
network and the hard disk encryption process.
Re-enrollment process
When a previously used Mac needs to be assigned to a new user, it first needs to be wiped. Delivering a Mac
previously used by another user without first wiping and enrolling it for the new user is not allowed.
The easiest way to re-purpose a previously staged Mac is to initiate a Device Wipe from Jamf (see steps
below).
If for some reason the device cannot be wiped from Jamf or the process fails, you can factory reset a device
by following the steps provided by Apple here.
Wiping a Mac from Jamf
Log in to the Jamf console (https://jss.ko.com:8443)
and search for the device by going to Computers >
Search Inventory, entering the Device Name or
Serial Number and pressing the “Return” key.
Once on the device details page, go to
Management > Management Commands and
select Wipe Computer
Select the “Clear Activation Lock” checkbox, enter
a 6-digit passcode, and click “Wipe Computer”.
Click OK to confirm.
Note: make sure the device is online and
connected to the internet.
Note: if you get a message that Activation Lock
could not be cleared, it is because the user has not
activated it. Just click OK to wipe the computer.
Once the Wipe Computer command is sent to the
device, it will automatically reboot.
After a few minutes, the device will be re-activated
and will restart automatically.
Note: If you are prompted to enter an Apple ID
during the activation process, that means that you
have probably forgotten to check the “Clear Activation
Lock” checkbox.
In that case, go to the device details page in the
Jamf console > Management > Activation Lock
Bypass and select “Show Activation Lock Bypass
Code”.
On the locked device, go to the “Recovery
Assistant” menu and select “Activate with MDM
key”
Enter the Activation Lock Bypass Code from the
Jamf device details and click Next to activate the
Mac.
After the restart it will be in the Out-of-the-box state,
and you can start the enrollment process above
again.
Common Issues
Issue: While reading the jamf.log file you will notice that the domain-join process fails
Reason: This is (most probably) a false positive. Open “System Preferences > Users & Groups > Login
Options” and check if there is a domain name next to “Network account server”
Solution: No action needed
Issue: The FileVault hard disk encryption process does not kick in
Reason: Multiple
Solution: Open "System Preferences > Users & Groups" and check if the user's account is marked as
"Mobile". If not, edit the account and click “Create” next to “Mobile account”. Then, with the
user logged in, initiate the FileVault encryption process from Self Service
Issue: The Mac will not connect to the _ServiceCC wireless network
Reason: This is a known issue with no known workaround
Solution: Activating _ServiceCC for a newly enrolled Mac can take up to 12 hours
Issue: The Mac has joined the na.ko.com domain during the enrollment process but the Mac is located
outside North America
Reason: -
Solution: This is not an issue. It really does not matter which domain a Mac joins. Keep in mind that you
should NOT un-bind the Mac from the domain and re-bind it to another domain.
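The supported-version rule and the FileVault and domain-join checks above can also be verified from Terminal. The script below is an added example, not part of the original guide or of TCCC's tooling; it assumes `sw_vers -productVersion`, `fdesetup status` and `dsconfigad -show` as the command-line counterparts of the System Preferences checks, and all function names are hypothetical.

```sh
# Added example, not from the guide. Version list: "Supported macOS versions".
SUPPORTED_VERSIONS="12.5.1 12.6"; MIN_VERSION="12.5.1"

# Exit 0 when version $1 is numerically older than $2 (up to three fields).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      if ((x[i] + 0) < (y[i] + 0)) exit 0
      if ((x[i] + 0) > (y[i] + 0)) exit 1
    }
    exit 1
  }'
}

# Prints supported | upgrade-required | not-listed for a version string.
classify_version() {
  for v in $SUPPORTED_VERSIONS; do
    if [ "$1" = "$v" ]; then echo supported; return 0; fi
  done
  if version_lt "$1" "$MIN_VERSION"; then echo upgrade-required; else echo not-listed; fi
}

# Maps `fdesetup status` output to on | off | unknown.
filevault_state() {
  case "$1" in
    *"FileVault is On."*)  echo on ;;
    *"FileVault is Off."*) echo off ;;
    *)                     echo unknown ;;
  esac
}

# Extracts the bound AD domain from `dsconfigad -show` output (empty if unbound).
bound_domain() {
  printf '%s\n' "$1" | awk -F' *= *' '/^Active Directory Domain/ { print $2; exit }'
}

# Prints one line per check and returns non-zero if any check fails.
check_mac() {
  rc=0
  ver=$(classify_version "$1"); fv=$(filevault_state "$2"); dom=$(bound_domain "$3")
  echo "macOS $1: $ver";          [ "$ver" = supported ] || rc=1
  echo "FileVault: $fv";          [ "$fv" = on ] || rc=1
  echo "AD domain: ${dom:-none}"; [ -n "$dom" ] || rc=1
  return $rc
}

# On a Mac, run against the live system; elsewhere only the functions are defined.
command -v sw_vers >/dev/null 2>&1 && check_mac "$(sw_vers -productVersion)" "$(fdesetup status 2>&1)" "$(dsconfigad -show 2>&1)" || true
```

A version reported as not-listed is newer than 12.5.1 but absent from the guide's supported list, so it is flagged rather than assumed acceptable.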
How-to questions
Reinstalling mandatory software
Mandatory applications will not appear in Self Service if already installed. However, there may be cases where
reinstalling a mandatory application is necessary as part of troubleshooting efforts. To re-install a mandatory
application:
1. Remove it and run “Update Inventory” from Self Service > I.T. Support
2. Refresh Self Service
3. Wait for 15-20 minutes or re-install the app manually from Self Service
The following applications are mandatory:
• Company Portal
• Crestron AirMedia
• DisplayLink
• Google Chrome
• Hive Streaming Agent
• Microsoft Defender ATP
• Microsoft Office
• Microsoft Teams
• OneDrive
• Palo Alto GlobalProtect
• Symantec DLP (where applicable)
Reinstalling macOS
If you need to reinstall macOS, you can download the macOS installation app from this repository on your
Mac, then follow the steps to create a bootable installer for macOS.
Changelog
Version  Date        Name         Comment
1.0      04/08/2022  Pascal Bohr  Initial version of the guide
1.1      09/16/2022  Pascal Bohr  Adding the Supported macOS versions section