Mac deployment runbook (on-site and remote)

Mac deployment
Windows deployment
Mac returned-device refresh
Windows returned-device refresh
macOS setup instructions

Scope: Google Workspace, Rippling enrollment, Apple ID aligned to the company (ABM pending workaround), standard open source tools, Bitwarden, OpenVPN client + pre-staged VPN profile.

Note: these are plain HTML forms with checkboxes. They do not save state unless you print to PDF or copy notes elsewhere.

0) Inputs you need (before touching the Mac)

1) Unbox and hardware sanity checks

2) macOS setup (baseline security)

Create the end user local account (Apple - Add a user or group) (standard user unless policy requires otherwise)
Create IT break-glass local admin account (Full Name: Cloud Computing Solutions Group; Account Name: cloudcomputingsolutionsgroup). Store password in approved vault.
Set device name (example): ET-lastname-mbp (use your naming standard)
Update macOS to current approved version (Apple - Update macOS)
Enable automatic security updates (Apple - Automatic updates; Rippling - device security and OS updates)
Configure screen lock (Apple - Require password after waking) (require password immediately on sleep/screensaver; short idle timeout per policy)
Enable FileVault disk encryption (Apple - FileVault; Rippling - enforce device encryption)
Store FileVault recovery key in your approved vault/MDM (Apple - Manage FileVault with device management; Rippling - recovery keys) (do not store in tickets)
Enable firewall (Apple - Firewall) (unless your MDM enforces it)

3) Google Workspace (productivity platform)

4) Rippling enrollment

5) Apple ID aligned to the company (ABM pending workaround)

Risk to avoid: tying the company MacBook to a personal Apple ID with no company recovery path. Until Apple Business Manager (ABM) is approved and integrated, use a company-controlled approach.

5.1 Interim approach (until ABM is live)

5.2 Migration once ABM is approved

6) Standard build - browsers, open source productivity tools, Bitwarden

6.1 Browsers (standard)

6.2 Typical open source productivity tools

6.3 Bitwarden (standard password manager)

7) OpenVPN (standard) - pre-deploy VPN config profile

Goal: the user receives a Mac that can connect to the corporate VPN on day 1. This requires (a) installing an OpenVPN client, and (b) staging/importing the correct VPN profile.

Mac deployment runbook (on-site and remote)

0) Inputs you need (before touching the Mac)

1) Unbox and hardware sanity checks

2) macOS setup (baseline security)

3) Google Workspace (productivity platform)

4) Rippling enrollment

5) Apple ID aligned to the company (ABM pending workaround)

5.1 Interim approach (until ABM is live)

5.2 Migration once ABM is approved

6) Standard build - browsers, open source productivity tools, Bitwarden

6.1 Browsers (standard)

6.2 Typical open source productivity tools

6.3 Bitwarden (standard password manager)

7) OpenVPN (standard) - pre-deploy VPN config profile

7.1 Install the OpenVPN client

7.2 Pre-deploy the VPN profile

7.3 Remote worker note

8) Final verification (before handoff)

9) Handoff process

9.1 On-site handoff

9.2 Remote handoff

10) Failure handling quick guide