
Hello Everyone


Looking for some help/advice....


So we have multiple SITES set up in our JAMF Pro Instance, but right now every device is using the same pre-stage enrollment and then we have to go in and move the devices from the main jamf pro to the proper site manually. Is there a better way to do this? I have seen some folks say that you can do it in ASM with a different token for each site but you need to change the devices at that level before they get enrolled. I am thinking this is the best way, wondering if anyone has experience with this?

I was facing this same dilemma last year. We are a global company. We have 5 sites, each representing the different regions. We have our Jamf Pro server integrated with Microsoft Entra ID. This allows us to pull in information about each user and have it in the Jamf Pro inventory for each Mac. We also use an enrollment customization in our PreStage that requires the user to log in using their Microsoft Entra ID account. This enables Jamf Pro to associate the Mac with the user and display their location that is listed in Entra ID in the Jamf Pro inventory. We use extension attributes to gather this information. I created a script that uses the Jamf API to assign each Mac to the site they need to be in. The criterion is the country where the user is located. I'm happy to share the script with you. I will need to first remove my company-specific information from the script. This was actually my first ever use of the Jamf Pro API.


Here's my script. I recently changed the API login to use an API client and client secret. To change site assignment, make sure the API client you are using has the permission to make site changes and to read sites.


#!/bin/zsh

:<<ABOUT_THIS_SCRIPT
--------------------------------------------------------------------------------------
Assigns a Mac to a specific site.

Under Jamf Pro API Login, specify your Jamf URL, API client ID and client secret.
Use Jamf parameter 4 for API client ID.
Use Jamf parameter 5 for API client secret.

Get site ID from Settings - Sites - Select the site you want.
Use Jamf parameter 6 for site ID.
Use Jamf parameter 7 for site name.

This script uses an API client created in Settings - API roles and clients.
To verify login information, specify "yes" for the "verify" variable.

4/10/2024 | Howie Canterbury
--------------------------------------------------------------------------------------
ABOUT_THIS_SCRIPT

url="https://yourserver" # Specify your server URL.
client_id="$4" # Use Jamf parameter 4 or specify the client ID here.
client_secret="$5" # Use Jamf parameter 5 or specify the client secret here.
verify="yes" # To verify login information, specify "yes". Leave blank if you do not need to verify.

# Jamf Pro API login
jamfAPI_auth() {
    current_epoch=$(date +%s) # Time of the request, used to work out when the token expires.
    response=$(curl --silent --location --request POST "${url}/api/oauth/token" \
        --header "Content-Type: application/x-www-form-urlencoded" \
        --data-urlencode "client_id=${client_id}" \
        --data-urlencode "grant_type=client_credentials" \
        --data-urlencode "client_secret=${client_secret}")
    token=$(echo "$response" | plutil -extract access_token raw -)
    token_expires_in=$(echo "$response" | plutil -extract expires_in raw -)
    token_expiration_epoch=$((current_epoch + token_expires_in - 1))
}

# Jamf Pro API authentication
jamfAPI_auth

# Stop here if no token came back; the site change below would otherwise be sent with an empty bearer token.
if [ -z "$token" ]; then
    echo "API login failed. Check the client ID, client secret and the API role's permissions."
    exit 1
fi

# Validate API login. This will display in the Jamf Pro policy log.
# Note that the bearer token itself is written to the policy log while verify is "yes".
if [ "$verify" = "yes" ]; then
    echo "$token"
    echo "$token_expires_in"
    echo "$token_expiration_epoch"
fi

# Site variables
site_id="$6" # Use Jamf parameter 6 or specify the site ID here.
site_name="$7" # Use Jamf parameter 7 or specify the site name here.
site_xml="/private/tmp/site.xml"

# Function - Create site XML file
function siteXML() {
    echo "Writing site assignment XML to $site_xml"
    tee "$site_xml" << EOF
<computer>
    <general>
        <site>
            <id>$site_id</id>
            <name>$site_name</name>
        </site>
    </general>
</computer>
EOF
}

# Determine Jamf Pro device id
echo "Getting the Jamf Pro device ID..."
# Computer serial number
serialNumber=$(system_profiler SPHardwareDataType | grep Serial | /usr/bin/awk '{ print $4 }')
deviceID=$(curl -s -H "Accept: text/xml" -H "Authorization: Bearer ${token}" "${url}/JSSResource/computers/serialnumber/${serialNumber}" | xmllint --xpath '/computer/general/id/text()' -)

# Without a device ID the PUT below would go to an incomplete URL, so stop here.
if [ -z "$deviceID" ]; then
    echo "No Jamf Pro computer record found for serial number $serialNumber."
    exit 1
fi

echo "Device ID: $deviceID"

# Create the site XML file - run the function
siteXML

# Assign Mac to the site. TLS certificate verification is left enabled so the bearer token only ever goes to the real server.
echo "Assigning Mac to $site_name site."
curl -sf -H "Accept: text/xml" -H "Content-Type: text/xml" -H "Authorization: Bearer ${token}" "${url}/JSSResource/computers/id/${deviceID}" -T "$site_xml" -X PUT

# Remove the site XML file
echo "Removing the site XML file from /private/tmp."
rm "$site_xml"

I should add that scoping for this was done with smart groups. I have smart groups for US, Canada, Europe, Asia Pacific, and Latin America. I have policies that are set up using Jamf parameters 6 and 7, which are the site ID and site name. The policies are scoped to each smart group. I also use a version of the policy during the enrollment "zero touch provisioning" process so the Macs are in their assigned site from the beginning.
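The approach described in these two posts (read the user's country from the inventory record, then move the Mac into the matching site over the API) can also be done in one pass, with the country-to-site decision made in code instead of through per-region smart groups and policy parameters. The following is an added example written for this thread, not the poster's script and not Jamf's own code. It assumes the country lives in an extension attribute named "Entra Country" holding an ISO country code, that the site IDs in the mapping are placeholders for your own Settings - Sites values, and that the API client can read and update computers. The fake transport and sample computer record at the bottom are constructed so the example runs offline.

```python
# Added example, not the poster's script: pick the Jamf Pro site from the
# user's country stored on the computer record, then assign it over the API.
# Assumptions (not from the thread): extension attribute "Entra Country" holds
# an ISO country code; site IDs are constructed placeholders.
import json
import time
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed mapping: country code -> (site_id, site_name).
COUNTRY_TO_SITE = {
    "US": (1, "United States"), "CA": (2, "Canada"),
    "DE": (3, "Europe"), "NL": (3, "Europe"), "GB": (3, "Europe"),
    "JP": (4, "Asia Pacific"), "AU": (4, "Asia Pacific"),
    "BR": (5, "Latin America"), "MX": (5, "Latin America"),
}

def site_for_country(code):
    """Return (site_id, site_name), or None when the country is not mapped."""
    return COUNTRY_TO_SITE.get(code.strip().upper()) if code else None

def build_site_xml(site_id, site_name):
    """Classic API PUT body; ElementTree escapes the site name for us."""
    computer = ET.Element("computer")
    site = ET.SubElement(ET.SubElement(computer, "general"), "site")
    ET.SubElement(site, "id").text = str(site_id)
    ET.SubElement(site, "name").text = site_name
    return ET.tostring(computer, encoding="unicode")

def country_from_computer_xml(xml_text, ea_name="Entra Country"):
    """Value of the named extension attribute on a computer record, or None."""
    for ea in ET.fromstring(xml_text).iter("extension_attribute"):
        if ea.findtext("name") == ea_name:
            return ea.findtext("value")
    return None

class JamfClient:
    """Client-credentials client; transport(method, url, headers, body) is injectable."""
    def __init__(self, url, client_id, client_secret, transport=None):
        self.url = url.rstrip("/")
        self.client_id, self.client_secret = client_id, client_secret
        self.transport = transport or self._http
        self.token, self.token_expires_at = None, 0.0

    @staticmethod
    def _http(method, url, headers, body):
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        with urllib.request.urlopen(req) as resp:  # TLS verification stays on
            return resp.status, resp.read().decode()

    def _ensure_token(self):
        """Reuse the token until shortly before expiry, then fetch a new one."""
        if self.token and time.time() < self.token_expires_at - 30:
            return
        body = urllib.parse.urlencode({"client_id": self.client_id,
                                       "grant_type": "client_credentials",
                                       "client_secret": self.client_secret}).encode()
        status, text = self.transport("POST", f"{self.url}/api/oauth/token",
            {"Content-Type": "application/x-www-form-urlencoded"}, body)
        if status != 200:
            raise RuntimeError(f"token request failed: HTTP {status}")
        data = json.loads(text)
        self.token = data["access_token"]
        self.token_expires_at = time.time() + int(data["expires_in"])

    def _call(self, method, path, body=None):
        self._ensure_token()
        headers = {"Accept": "text/xml", "Authorization": f"Bearer {self.token}"}
        if body is not None:
            headers["Content-Type"] = "text/xml"
        status, text = self.transport(method, self.url + path, headers, body)
        if status not in (200, 201):
            raise RuntimeError(f"{method} {path} failed: HTTP {status}")
        return text

    def assign_site_by_country(self, serial):
        """Look the Mac up by serial, map its user's country to a site, PUT it.
        Returns (device_id, site_id, site_name), or None if nothing changed."""
        record = self._call("GET", "/JSSResource/computers/serialnumber/"
                            + urllib.parse.quote(serial, safe=""))
        device_id = ET.fromstring(record).findtext("general/id")
        target = site_for_country(country_from_computer_xml(record))
        if not device_id or target is None:
            return None  # unmapped country: leave the Mac in its current site
        self._call("PUT", f"/JSSResource/computers/id/{device_id}",
                   build_site_xml(*target).encode())
        return (device_id,) + target

# Constructed stand-in for a Jamf Pro server so the example runs offline.
SAMPLE_COMPUTER_XML = (
    "<computer><general><id>42</id></general><extension_attributes>"
    "<extension_attribute><name>Entra Country</name><value>DE</value>"
    "</extension_attribute></extension_attributes></computer>")
PUTS = []  # bodies the fake server received

def fake_transport(method, url, headers, body):
    if url.endswith("/api/oauth/token"):
        return 200, json.dumps({"access_token": "t0k3n", "expires_in": 1200})
    if headers.get("Authorization") != "Bearer t0k3n":
        return 401, ""
    if "/computers/serialnumber/" in url:
        return 200, SAMPLE_COMPUTER_XML
    if method == "PUT" and url.endswith("/computers/id/42"):
        PUTS.append(body.decode())
        return 201, "<computer><id>42</id></computer>"
    return 404, ""
```

Run it against a real server by constructing `JamfClient("https://yourserver", client_id, client_secret)` with no transport argument and calling `assign_site_by_country` with the Mac's serial number. An unmapped or missing country returns `None` and leaves the computer untouched, which is the safer outcome than guessing a site; the token is fetched once and reused until just before the `expires_in` window closes.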



@stephaniemm77 wrote:

Hello Everyone


Looking for some help/advice....


So we have multiple SITES set up in our JAMF Pro Instance, but right now every device is using the same pre-stage enrollment and then we have to go in and move the devices from the main jamf pro to the proper site manually. Is there a better way to do this? I have seen some folks say that you can do it in ASM with a different token for each site but you need to change the devices at that level before they get enrolled. I am thinking this is the best way, wondering if anyone has experience with this?




We are doing this via ABM. We have set up the different locations there as well and depending on the assignment in ABM, the devices are then assigned to their respective Jamf Pro counterparts and automatically receive the correct PreStage enrollment profile.




Here's a step-by-step guide on how to do this: https://learn.jamf.com/en-US/bundle/jamf-pro-documentation-current/page/Automated_Device_Enrollment_Integration.html


Create an MDM server (or device management service as it's called in ABM now) for each location, e.g. Jamf Pro Minneapolis and Jamf Pro Amsterdam.


You can then link the Automated Device Enrollment instance(s) you created in Jamf Pro to your desired PreStage enrollment profiles.


Devices assigned to these in ABM will then automatically receive the PreStage enrollment profile you set.



This works great, but for us it won't work. I never know what computers are supposed to be assigned to a specific site before they get enrolled. That's why I created the script that I posted above. It checks where the user is located according to AD and then assigns the Mac to the appropriate site. The policy that runs the script runs during the provisioning process right after enrollment.
