Skip to main content

Hello,


 


I work for a large Fintech company and currently we have our macs enrolled in their JAMF with all their security endpoints.


The company I work for is splitting off from the larger company.


Me and another guy have been building out our JAMF and it's going well, it's looking to go live May 2025 with some of the first actual enrollments as the migration kicks off but obviously will be testing it more thoroughly first.


 


The discussion now is how to create the smoothest transition for the users.


One method is to erase all the macs and have them enrolled clean in our JAMF. This is the one we want to do.


The second method being pushed by the higher ups is to remove the JAMF framework, get all the security software uninstalled and leave no trace and make sure they all work. The issue with that one is we are not admins in the current company and do not have access to the removal of the security endpoints so we either need to ask for the all the passwords (not likely) or have them try to do it for us remotely.


 


Has anyone had an experience similar to this and can offer advice or a suggestion?


 


I was trying to keep this clear and concise but feel like I failed. 😄


 


Thanks!

Wipe and load is the way to go. Each device will take about 5-10 minutes with next to no hands-on time by IT to finish. 


 


The other option is asinine. Assuming you have policies to remove all your security clients, you will want to do that before you remove the framework. That and there is no way to ensure you removed all traces of all software you remove as Apple does not force developers to make uninstallers, so it's all really just scouts honor on what the vendors actually remove. If you will not be reinstalling these clients, this is a really bad approach. Your devices are also unhardened, and not under management for a period of time which is an excellent opportunity for a malicious actor to do things. Even if you were not removing the security clients, this would be about 1hr of hands-on time for IT with each device. Sure, it's only 5 minutes to enroll, and another 5 minutes to change the enrollment type, but nothing ever goes as planned.


 


Jamf migration services may have some offerings, but I'm not aware of any off the top of my head as you are moving to an existing Jamf instance. The last impactful migration for both IT and users is a wipe and load, save the manual migration for whiteglove situations and even then its a bad idea.

Wipe and load is the way to go. Each device will take about 5-10 minutes with next to no hands-on time by IT to finish. 


 


The other option is asinine. Assuming you have policies to remove all your security clients, you will want to do that before you remove the framework. That and there is no way to ensure you removed all traces of all software you remove as Apple does not force developers to make uninstallers, so it's all really just scouts honor on what the vendors actually remove. If you will not be reinstalling these clients, this is a really bad approach. Your devices are also unhardened, and not under management for a period of time which is an excellent opportunity for a malicious actor to do things. Even if you were not removing the security clients, this would be about 1hr of hands-on time for IT with each device. Sure, it's only 5 minutes to enroll, and another 5 minutes to change the enrollment type, but nothing ever goes as planned.


 


Jamf migration services may have some offerings, but I'm not aware of any off the top of my head as you are moving to an existing Jamf instance. The last impactful migration for both IT and users is a wipe and load, save the manual migration for whiteglove situations and even then its a bad idea.


This is exactly the case we are making to them, thank you for confirming what we thought as well.


 

There are people at Jamf who can assist you with this.  Migration is their job.  I'd suggest contacting either Jamf Support or your Jamf Success manager to get the process started.

100% what AJPinto has said. I have done the above and wipe and re-enrol is seamless.


Just make sure that you flip the MDM the Mac is assigned to in ABM and then initiate a wipe.


We did 300 Macs in less than a week using this method. Easy and painless.

Dont put yourself through the hassle of trying to migrate your systems; as others have suggested, erase and re-enroll is the way to go. 

Unless you planned on having each computer be touched by an IT representative (help desk, in person drop by, etc) you'd be at the mercy of the associate actually performing the re-enrollment.  Erase and then enrollment at boot is the only way to ensure enrollment. If you remove the framework, you can't guarantee associates re-enroll. There's obviously no reason why someone WOULDN'T reenroll, but obviously it happens. 

Terms & ConditionsCookie settings