After deleting computer from Jamf, computer can no longer check in?

BCPeteo
Contributor III

Doing some testing as we are making a policy to remove computer records from Jamf if they have not checked in after 160 days.

I noticed if I delete a computer record from Jamf and run sudo jamf recon from that computer I get:

Device Signature Error - A valid device signature is required to perform the action.

The computer still has its MDM profiles and Jamf binary installed. Is this expected behavior? 

I believe in the past that Jamf would just create a new computer record?

 


Dr_Jones
New Contributor III

It is to be expected. The device needs to be re-enrolled.

TrentO
Contributor II

That is the expected behavior. Because of that, I would not recommend deleting stale records unless you're sure the device is no longer in use. Our workaround to accomplish something similar to what you're doing is to have an "active computers smart group" based on last activity which we use for most things.

BCPeteo
Contributor III

Yeah. Our Windows MDM does not work this way. If you delete a computer from that system and it checks back in it will become enrolled again. I am kind of surprised Jamf works this way, especially with the MDM profile still being on the computer.

jtrant
Valued Contributor

Better to set computers to 'Unmanaged' instead of deleting for this reason.

This is what we do, and then create a report for devices that are unmanaged and checked in within last x amount of days so they can be put back into management properly if they do show up again. It does feel like something that should be automated in some capacity though, and I've brought this up with our Jamf reps in regards to license management.

I have a feature request that fits into this a bit, can be found here, take a look and vote if you feel this needs to be added to a future version of Jamf.

BCPeteo
Contributor III

Yeah, seems if we had a stored or quiet mode it would be great. There is no point in unmanaging these systems as they will never get the command until they are active again and at that point if they are active I would want them to be managed and talking to Jamf.


Deleting is more for clean up in reports and not having config profiles showing pending forever. But at the same time if the computer comes back online (not wiped) we would want to know about it and have it be managed (at least have a tech know the computer is active and get it back into Jamf).

jtrant
Valued Contributor

Unmanaged Macs still communicate with Jamf, it just won't attempt to enforce policies or push MDM commands. This is why I suggested setting up a smart group for unmanaged, active Macs and taking action when needed. iOS devices are another story.

I agree that deleting is cleaner but this is not how Jamf Pro (currently) works. If you delete a device, it's gone until you re-enroll it.

Yebubbleman
New Contributor III

It's expected behavior.  Once the Macs are removed from JAMF Pro, they are effectively stuck with what they have in terms of policies and profiles.  You'd need to re-enroll in order to regain control from JAMF Pro again.  If the Mac was enrolled through Automatic Device Enrollment (formerly DEP), then you'll need to completely wipe the Mac and redeploy it.  If the Mac was enrolled via user initiated enrollment, then you can just remove the profiles and JAMF binary and then re-enroll the Mac all over again.