<1hr onboarding time · 0 IT hands-on minutes · 100% consistent config

What "Zero-Touch" Actually Means

Zero-touch onboarding means a Mac can go from factory packaging to a fully configured, work-ready machine without any IT involvement. The new hire opens the box, powers on, signs in with their Okta (or any IdP) credentials during Setup Assistant, and Jamf takes it from there — installing apps, applying security settings, enrolling in management, all automatically.

This is made possible by three things working together: Apple Business Manager (ABM) for device enrollment, Jamf Pro as the MDM, and a well-designed prestage and policy setup. None of these alone is enough — the magic is in how you connect them.

Prerequisites

Prereq 01
Apple Business Manager (ABM)

ABM is Apple's free portal for businesses. It lets you automatically enroll devices into your MDM the moment they're powered on — this is called Automated Device Enrollment (ADE), formerly DEP. Every Mac your company buys through Apple or an authorized reseller can be automatically linked to your ABM org and pushed directly into Jamf. If you buy from an authorized reseller, make sure to give them your ABM Organization ID at purchase time so devices are linked from the start.

💡 You can also manually add older devices to ABM using Apple Configurator 2 if they weren't originally purchased through a reseller.
Prereq 02
Jamf Pro connected to ABM

In Jamf Pro, go to Settings → Global Management → Device Enrollment Program. Add your ABM token (download it from ABM under MDM Servers). Once connected, any Mac assigned to your Jamf MDM server in ABM will automatically appear in Jamf when it's powered on for the first time. This is the foundation of the whole setup.

Prereq 03
An identity provider for Setup Assistant (optional but recommended)

If you're using Okta or Azure AD, you can configure Jamf Connect to show a custom login screen during Setup Assistant. The user logs in with their IdP credentials, which creates a local macOS account tied to their identity. This replaces the standard Apple ID flow and gives IT full control over account creation — no personal Apple IDs, no local accounts with unknown passwords.

The Setup: Step by Step

Step 01
Create a PreStage Enrollment

In Jamf Pro, go to Computers → PreStage Enrollments → New. This is the configuration that runs the moment a device enrolls via ABM. You'll configure: which Setup Assistant screens to skip (you can skip most of them), whether enrollment is supervised, which department and site to assign to, and MDM profile settings. Set "Require MDM enrollment" to prevent users from skipping management. Assign your new Macs to this prestage in ABM under Devices → Computers → your device → Edit → MDM Server.

💡 Enable "Supervised" mode in the prestage. Supervised devices get significantly more management capabilities — including the ability to silently install apps without user approval.
Step 02
Build your Configuration Profiles

Configuration Profiles are the core of your security and settings enforcement. In Jamf Pro, go to Computers → Configuration Profiles → New. Each profile handles a specific domain — FileVault encryption, password policy, screen lock timeout, Wi-Fi settings, certificate distribution, and so on. Create separate profiles for each category so you can scope them independently. At minimum, set up: FileVault enforcement, screen lock after 5 minutes, disable AirDrop on managed devices, and your corporate Wi-Fi profile.

Step 03
Set up Policies for app installation

Policies in Jamf run scripts and install packages on a trigger — enrollment, login, recurring check-in, or on-demand. Create an "Onboarding" policy scoped to a "New Enrollment" smart group (devices enrolled in the last 7 days). Set the trigger to "Enrollment Complete" and have it install your core apps: Google Chrome, Slack, Zoom, 1Password, whatever your stack is. For each app, upload the .pkg to Jamf's package list or use a Jamf-compatible package source.

💡 Use Installomator (an open-source script) to install and keep apps like Chrome and Zoom updated without managing .pkg files manually. It's a huge time saver.
Step 04
Configure Self Service

Jamf Self Service is a macOS app that gives users an IT app store. Add optional apps (like developer tools, design software, or VPN clients) to Self Service so users can install them on-demand without submitting an IT ticket. Scope each Self Service item to the appropriate department or group — don't give everyone access to everything. This is one of the highest ROI things you can do in Jamf: it cuts help desk volume significantly.

Step 05
Test the full flow before rolling out

Assign a test Mac to your prestage in ABM, factory reset it (or use a fresh unit), and power it on. Go through the full Setup Assistant flow as a new employee would. Watch the Jamf management logs in real time under Computers → your test device → History. Verify every profile applied, every policy ran, and every app installed. Fix any sequencing issues (some apps need to install before others) before your first real hire goes through it.

Common Gotchas

Gotcha 01
Policies running too early

If a policy triggers at enrollment but the device isn't fully set up yet (no user logged in, no network), it will fail silently. Add a delay script or use a "Login" trigger instead of "Enrollment Complete" for policies that need a user context. Jamf's execution history will show you exactly which policies failed and why.
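A gating script for the "Enrollment Complete" policy from Step 03, written here as an added example rather than the post's or Jamf's own code: it polls for a real console user (Setup Assistant runs as `_mbsetupuser`, and an empty or `loginwindow` owner means nobody is logged in yet) and only then fires the actual app-install policy through a custom trigger. The trigger name "onboarding-apps" and the 15-minute wait are assumptions; the decision logic is kept in a pure function so it can be checked without a Mac.

```shell
#!/bin/bash
# Added example, not the post's or Jamf's own script: run from the "Enrollment
# Complete" policy, it waits for a real user session and then fires an install
# policy via custom trigger (assumed to exist; default name "onboarding-apps").
MAX_WAIT="${MAX_WAIT:-900}"   # seconds to wait for a user before giving up
INTERVAL="${INTERVAL:-5}"     # seconds between checks
JAMF_BIN="/usr/local/bin/jamf"
console_user() {
    # Short name of the user owning the console; empty before anyone logs in.
    stat -f %Su /dev/console 2>/dev/null || true
}

setup_assistant_running() {
    # Exit 0 while Setup Assistant is still open, 1 once it has finished.
    pgrep -xq "Setup Assistant"
}

user_context_ready() {
    # $1 = console user, $2 = 1 if Setup Assistant has exited, 0 if still running.
    local user="$1" sa_done="$2"
    case "$user" in
        ""|root|loginwindow|_mbsetupuser) return 1 ;;  # no real user yet
    esac
    [ "$sa_done" -eq 1 ]
}

wait_for_user_context() {
    # Polls until user_context_ready succeeds or MAX_WAIT elapses; returns 0/1.
    local waited=0 user sa_done
    while [ "$waited" -lt "$MAX_WAIT" ]; do
        user="$(console_user)"
        if setup_assistant_running; then sa_done=0; else sa_done=1; fi
        if user_context_ready "$user" "$sa_done"; then
            echo "user context ready for $user after ${waited}s"
            return 0
        fi
        sleep "$INTERVAL"; waited=$((waited + INTERVAL))
    done
    echo "no user session after ${MAX_WAIT}s; leave this to a Login trigger" >&2
    return 1
}

main() {
    local trigger="${4:-onboarding-apps}"   # Jamf passes $1-$3 itself
    wait_for_user_context || exit 1
    "$JAMF_BIN" policy -event "$trigger"
}
# Jamf always supplies at least three positional parameters; with none, only define.
if [ "$#" -ge 3 ]; then main "$@"; fi
```

If the wait times out, the script exits non-zero so the failure shows in the policy's execution history instead of disappearing.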

Gotcha 02
ABM device assignment lag

New Macs don't always appear in ABM immediately after purchase — it can take 24–72 hours for the reseller to sync. Always check ABM before shipping a Mac to a new hire. If a Mac was already powered on before it appeared in ABM, you'll need to erase it and run Setup Assistant again to trigger the ADE enrollment flow.

Gotcha 03
Apps requiring user approval

Even on supervised devices, some system extensions (like VPN clients or EDR agents) require explicit user approval during their first install. You can pre-approve these with a PPPC (Privacy Preferences Policy Control) configuration profile, but get the exact bundle identifiers right — a wrong PPPC profile can cause more problems than it solves. Test each one individually.
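A pre-flight check for the PPPC inputs, added here as an example and not part of the original post: it reads the bundle identifier from the app's Info.plist and the designated code requirement from `codesign -dr -`, and refuses to print them if the two disagree, which is the kind of typo that produces a PPPC profile that matches nothing. Only `defaults` and `codesign` are macOS-specific; the parsing and comparison run anywhere.

```shell
#!/bin/bash
# Added example, not from the original post. Pull the Identifier and
# CodeRequirement for a PPPC profile from the app itself instead of typing them.
bundle_id_of() {
    # $1 = path to .app; reads CFBundleIdentifier from its Info.plist
    defaults read "$1/Contents/Info" CFBundleIdentifier 2>/dev/null
}

designated_requirement_of() {
    # $1 = path to .app; codesign -d writes some lines to stderr, so merge them
    codesign -dr - "$1" 2>&1 | parse_designated_requirement
}

parse_designated_requirement() {
    # stdin = codesign -dr - output; prints only the designated requirement body
    sed -n 's/^designated => //p'
}

identifier_in_requirement() {
    # $1 = requirement string; prints the identifier it pins, or nothing
    printf '%s\n' "$1" | sed -n 's/.*identifier "\([^"]*\)".*/\1/p'
}

check_pppc_inputs() {
    # $1 = bundle id from Info.plist, $2 = designated requirement.
    # Returns 0 when the requirement pins exactly that identifier, 1 otherwise.
    local info_id="$1" req="$2" req_id
    if [ -z "$req" ]; then echo "no designated requirement found" >&2; return 1; fi
    req_id="$(identifier_in_requirement "$req")"
    if [ "$req_id" != "$info_id" ]; then
        echo "mismatch: Info.plist says '$info_id', requirement says '$req_id'" >&2
        return 1
    fi
    return 0
}

main() {
    local app="$1" id req
    id="$(bundle_id_of "$app")"
    req="$(designated_requirement_of "$app")"
    check_pppc_inputs "$id" "$req" || exit 1
    printf 'Identifier: %s\nCodeRequirement: %s\n' "$id" "$req"
}
# Usage on a Mac: ./pppc-check.sh /Applications/SomeAgent.app
if [ "$#" -eq 1 ]; then main "$1"; fi
```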

⚠️ Never scope a policy to "All Computers" unless you're certain. A policy scoped to all computers will run on every Mac in your fleet — including your own. Use smart groups to scope precisely. A good rule: always test on a smart group of one (just your test device) before expanding scope.

What the New Hire Experience Looks Like

When everything is set up correctly, this is what a new hire sees:

They receive a Mac in a box (shipped directly from Apple or forwarded from your office). They open it, plug it in, and power on. The Setup Assistant runs — most screens are skipped automatically. They reach a login screen branded with your company logo (if using Jamf Connect), enter their Okta credentials, and their local account is created.

Within the next 10–20 minutes, Jamf silently installs Slack, Zoom, Chrome, and your other core apps. FileVault encrypts the disk in the background. Security policies apply. The dock gets configured. By the time the new hire finishes their first HR onboarding call, their Mac is ready to go.

No IT ticket. No waiting for IT to configure the machine. No "I'll need to get IT to set that up for you." Just a working laptop from day one.


Zero-touch onboarding takes a few days to set up properly, but it pays off immediately with your first hire. The consistency alone is worth it — every Mac in your fleet is configured identically, every security policy is enforced, and IT spends time on real problems instead of clicking through Setup Assistant. If you're setting this up and run into specific issues, feel free to reach out at izzi@izzirenan.com.

Izzi Renan
IT Systems Administrator at Forter. Managing Okta, Google Workspace, and Jamf Pro for 500+ users across EMEA, APAC, and Israel. 10 years in IT.