Skip to main content
Question

Smart Groups from Enrolled Macbooks

  • October 27, 2022
  • 4 replies
  • 13 views
L
Forum|alt.badge.img+2

Looking to see if there's a way to create a Smart Group for Macbooks already enrolled in the Jamf database. These Macbooks need to be unenrolled from Jamf on-prem server and reenrolled to the Jamf cloud. My hope is that when we move these Macbooks over without Jamf cloud seeing them as fresh out-of-the-box Macbooks and push out the zero-touch enrollment for these devices which adds all our company apps to the process. Adding 10-20 minutes of downloads and installs unnecessarily.

Can there be a Smart Group that can differentiate these devices from Macbooks that never enrolled?

    4 replies

    brockwalters
    Forum|alt.badge.img+8
    • brockwalters
    • Valued Contributor
    • 64 replies
    • October 27, 2022

    Are you working with Jamf to do your migration to Jamf Cloud? There are ways to migrate from the on-prem instance to  Jamf Cloud that would not require re-enroll. 

    L
    Forum|alt.badge.img+2
    • larsendl
    • Author
    • New Contributor
    • 1 reply
    • October 27, 2022
    We are not working with Jamf services. We have scripts available in
    Self-Service to do the unenroll and reenroll. But our Jamf Cloud sees the
    Macbook as a new device to enroll and pushes out our zero-touch
    policies and packages.

    These Macbooks need to be enrolled unless I suppress the new hire
    enrollment policy; I am having a hard time setting up an attribute
    extension that can read the device-assigned date in Pre-Stage enrollment as
    an option to differentiate the out-of-the-box Macbooks with the Macbooks
    that need to be enrolled to the Jamf Cloud from on-prem. If that makes
    sense.
    --

    *Best regards,*

    * David Larsen*

    Sr. Systems Analyst

    1330 O’Brien Drive

    Menlo Park, CA 94025

    *T: ‪(650) 229-8216‬ | M: (510) 316-0419*

    *david.larsen@personalis.com *

    www.personalis.com

    --

    This email and any files transmitted with it are confidential and intended
    solely for the use of the individual or entity to whom they are addressed.
    This message may contain privileged and / or confidential  information. If
    you are NOT the intended recipient of this message, copying, printing,
    disseminating, forwarding or any other use or action derived from its
    content is strictly prohibited. Please notify the sender immediately by
    e-mail if you have received this e-mail by error and delete this e-mail
    from your system. If you received the email by error and this message
    contains patient information, please report the error by contacting the
    Personalis Clinical Laboratory at clinical@personalis.com
    .
    T
    Forum|alt.badge.img+19
    • Tribruin
    • Honored Contributor
    • 582 replies
    • October 28, 2022

    You woudl have to be something on your existing devices that you could write an extension attribute against. For example, we have a BOM fail that we write at the end of enrollment that indicates enrollment is complete, That way, if we have to re-enroll a computer, the main enrollment script does not run. 

    You could also do a Smart Group that looks for an application to be installed, maybe a security product that your computers already have installed?

    brockwalters
    Forum|alt.badge.img+8
    • brockwalters
    • Valued Contributor
    • 64 replies
    • October 31, 2022

    I agree with this approach. I might make it even easier: create a policy that drops some dummy file in like /Users/Shared/ or some other more hidden path like /private/var/tmp/.enrolled.mac & set the permissions to 1644 or whatever so that the automations that clean up don't remove that file. You can then make an EA that  detects the presence of that file.


    Terms & ConditionsCookie settingsAccessibility statement