Hi all,
We have several Mac builds deployed across the University, with the majority of devices using a core “Staff” build within Jamf Pro. When we introduce a new build, we typically create a new PreStage enrolment profile and re-scope existing Macs to that profile. The intention is that if a device is rebuilt or reset at any point during its lifecycle, it will receive the latest build and updated setup experience. I assume this is fairly standard practice, and up until this point, it’s otherwise had no unintended consequences.
However, something I’ve noticed this year is that Macs running older builds, but now scoped to a newer enrolment profile, are unexpectedly migrating.
I’ve traced this back to the point where the MDM profiles renew on the client. During this process, the value of the following attribute in the computer record appears to be overwritten:
Enrollment Method: PreStage enrollment = XXXX
We currently rely on Smart Groups based on this value to scope configuration profiles and policies, so this behaviour is causing devices to fall into unexpected scopes. It seems to happen around 2/3 of the time, so not all Macs get this value updated upon renewal.
Has anyone else seen this behaviour? My prior understanding of this value is that it’s basically immutable, and only changes upon enrolment - this doesn’t appear to be the case. We’re now faced with either:
- Re-scoping things back to the older PSE
- Forewarning users with messaging, linked to MDM profile expiry
- Totally rethinking smart group criteria
