Skip to main content

Hello to you all.

The cause of this is due to some problems to do OS updates remotely, but firstly I'll give you some context.

We have deployed MacBooks Air M1 during last year' summer in our hardware rollout. By the time JAMF School wasn't able to keep the bootstrap token on the server side (it was assigned to a local admin deployed with the MDM configuration) and Big Sur didn't have a stable way to update remotely (this was on Monterey roadmap, and they did solve this part)  so we've waited to the Monterey debut and JAMF School updates.

By todays day all of this is working and we are adapting to this changes, and this is what we had to do:

--> Check if the only user with a Secure token is the local admin

--> Send the Bootstrap token to the server side

--> Push the update on JAMF

--> Wait until it updates since it runs silently and you only now when it restarts.

 

By now we've managed to successfully update two laptops individually by deploying that script and forcing the updade to the device., so, the next step is to turn this into production and separate the devices that had already executed the script from the ones who haven't (only way to guarantee that the BootStrapToken is on server side). Therefore I was thinking to automatically add the devices that executed the script via Smart Group but i cannot find a way to do this straighforward. Does the member filter "BootStrap Token not stored" does the trick.

Anyone knows a way to filter these devices ?

 

Best regards from Portugal

The "Bootstrap token stored" filter for a Smart Group would be the way I would go, along with filters for the correct device type (otherwise iPads will be included), and then scoping the script for that group. Then, as long as it is left as a Smart Group, the devices will leave the group once their details update to show the token is stored.

The "Bootstrap token stored" filter for a Smart Group would be the way I would go, along with filters for the correct device type (otherwise iPads will be included), and then scoping the script for that group. Then, as long as it is left as a Smart Group, the devices will leave the group once their details update to show the token is stored.


I did try that but at the same time it doesn't give me the results I want to. I filter with the OS beeing macos and the Bootstraptoken not stored, and it should only appear 3 devices, which are the ones I've escrowed to the MDM, but it appears way more. I tried the profile status -type bootstraptoken on one of those and it has the bootstraptoken stored (theoretically it should have been filtered with the "no Bootstrap Token stored" filter).

So, still looking for a way to solve this situation.

The "Bootstrap token stored" filter for a Smart Group would be the way I would go, along with filters for the correct device type (otherwise iPads will be included), and then scoping the script for that group. Then, as long as it is left as a Smart Group, the devices will leave the group once their details update to show the token is stored.


Okay so. this maybe be the way as I've might been looking at this the wrong way. "Bootstrap stored" is a filter that checks if the token is stored in the MDM and not on the device as I was thinking it was.

Thank you very much!!

Terms & ConditionsCookie settings