Skip to main content
Solved

Restrict all policies from a computer

  • May 27, 2016
  • 4 replies
  • 37 views
R
Forum|alt.badge.img+8

Hello everyone,

We have a couple computers that are enrolled in JAMF, but we want to make sure they never get any packages or certificates pushed to them. We like the reporting that JSS gives us, especially with the inventory / IP for remote services; but we don't want to risk pushing out a policy to the computer.

Is this possible? I know for each policy we can exclude it. Not only is this a lot of work to do, but we also run the risk of an accidental deployment if someone isn't paying attention.

Best answer by stevevalle

@Ricky Have you thought about using sites to do this.

You can create two sites. A "Main" site and a "No Policy" site (or whatever you want to call them!). If you add these computers to the "No Policy" site, then it's a matter of adding all policies to the "Main" site.

As long as all policies are in the "Main" site, policies won't deploy to the "No Policy" site machines.

It's a bit of work to edit all current policies, but it will do the job. It Also saves excluding machines from every policy!

    4 replies

    bentoms
    Forum|alt.badge.img+35
    • bentoms
    • Hall of Fame
    • May 27, 2016

    @Ricky this might be accomplished by unmanaging them in the JSS.. Although I think that breaks recon.

    Another thing you can do is add them to a Static Group, & then add that group as an exclusion for each policy & profile.

    dpertschi
    Forum|alt.badge.img+19
    • dpertschi
    • Contributor
    • May 28, 2016

    @Ricky

    I know for each policy we can exclude it. Not only is this a lot of work to do, but we also run the risk of an accidental deployment if someone isn't paying attention.

    Yep, this actually jogs my memory about a feature request I've been meaning to submit- we need the simple ability to create templates. Templates for policies, smart groups, advanced searches. I can't tell you how many sets of screenshots and lists I have to remember to setup for certain situations.

    But yeah, create a exemption static group and always add that.

    S
    Forum|alt.badge.img+10
    • stevevalle
    • Contributor
    • Answer
    • May 29, 2016

    @Ricky Have you thought about using sites to do this.

    You can create two sites. A "Main" site and a "No Policy" site (or whatever you want to call them!). If you add these computers to the "No Policy" site, then it's a matter of adding all policies to the "Main" site.

    As long as all policies are in the "Main" site, policies won't deploy to the "No Policy" site machines.

    It's a bit of work to edit all current policies, but it will do the job. It Also saves excluding machines from every policy!

    D
    Forum|alt.badge.img+11
    • dmw3
    • Valued Contributor
    • May 30, 2016

    We actually do the reverse that @stevevalle does in that no policies are applied to computers unless they belong to a group, we are using AD security groups for this.

    Terms & ConditionsCookie settingsAccessibility statement