MacBook Install Guide for Vogelwarte Devices

This setup works for macOS Tahoe.

Manual Setup (until we have an MDM)

Prerequisites:

You need to be in Sempach at a staging docking station to have access to the internal network.

Step 1: Out-Of-The-Box Setup Guide

Follow the setup guide and create a user Scientific IT (UNIX username "scientific.it") with the password from Bitwarden ("Mac Laptop Admin Login"). Disable Location Services, disable Siri, disable analytics, skip Touch ID, skip Apple Account.

Step 2: Install Updates or update to macOS Tahoe

Open System Settings and check for updates. So far, M4 devices have still shipped with macOS Sequoia 15, so an update to macOS Tahoe is necessary. Proceed with the update.

Step 3: Enable FileVault encryption

Step 4: Install Sophos and FortiVPN

Connect to smb://vogelwarte.ch/dfs, navigate to Teamwork > IT, and copy the FortiVPN online installer and the SophosInstall folder to the machine. Install Sophos. During the installation you will be prompted to enter the password multiple times to enable extensions. Additionally, multiple Sophos services need Full Disk Access. In Sophos Endpoint Self Help under Prerequisites, you will find an icon that you can drag and drop into the Full Disk Access setting in macOS, which makes this setup easier.

Next, install FortiVPN. The configuration of FortiVPN is done in a later step.

Step 5: Install M365 Apps

Download the Office apps from microsoft.com. You can temporarily log in with your Vogelwarte account. Install pending updates with the Microsoft AutoUpdate app. Do not open the apps yet.

Step 6: Connect to AD

Step 7: Install Printers

Install the most recent drivers for macOS.

Make    Model                         Driver
HP      HP LaserJet M606*             HP Easy Admin
Canon   Canon iR-ADV C5840/5850*      PS Printer Driver & Utilities for Mac

For the label printers, the drivers are already preinstalled on macOS.
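
Added example (not part of the original guide): a check to run in Terminal after staging that confirms the results of Steps 1 to 3, that is, the machine is on macOS Tahoe (version 26), FileVault is on, and the local user scientific.it exists. The function names are made up for this example; sw_vers, fdesetup and id are the standard macOS tools.

```shell
#!/bin/sh
# Post-staging baseline check for a manually set up MacBook (added example).
# Function names are hypothetical; they are not part of any Vogelwarte tooling.

# Succeeds if a `sw_vers -productVersion` string is macOS Tahoe (26) or newer.
is_tahoe_or_newer() {
    major=${1%%.*}                      # "26.1" -> "26"
    case "$major" in
        ''|*[!0-9]*) return 1 ;;        # empty or non-numeric: treat as failure
    esac
    [ "$major" -ge 26 ]
}

# Succeeds if `fdesetup status` output reports FileVault as enabled.
# Extra lines after the first (e.g. encryption progress) are accepted.
filevault_is_on() {
    case "$1" in
        "FileVault is On."*) return 0 ;;
        *) return 1 ;;
    esac
}

# Runs the live checks and prints one line per failed item.
run_checks() {
    fail=0
    is_tahoe_or_newer "$(sw_vers -productVersion)" \
        || { echo "FAIL: macOS is older than Tahoe (26)"; fail=1; }
    filevault_is_on "$(fdesetup status)" \
        || { echo "FAIL: FileVault is not enabled"; fail=1; }
    id scientific.it >/dev/null 2>&1 \
        || { echo "FAIL: local user scientific.it not found"; fail=1; }
    [ "$fail" -eq 0 ] && echo "OK: baseline checks passed"
    return "$fail"
}

# Only query the system on macOS; elsewhere the functions can still be sourced.
if [ "$(uname -s)" = "Darwin" ]; then
    run_checks
fi
```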


Revision #10
Created 2025-12-09 08:05:40 UTC by Mario Fischer
Updated 2025-12-09 13:00:30 UTC by Mario Fischer