Posted on 08-21-2023 01:30 PM
Doing some testing as we are making a policy to remove computer records from jamf if they have not checked in after 160 days.
I noticed if I delete a computer record from Jamf and run sudo jamf recon from that computer I get:
Device Signature Error - A valid device signature is required to perform the action.
The computer still has its MDM profiles and Jamf binary installed. Is this expected behavior?
I believe in the past that Jamf would just create a new computer record?
Posted on 08-21-2023 03:31 PM
It is to be expected. The device needs to be re-enrolled.
Posted on 08-22-2023 03:45 AM
That is the expected behavior. Because of that, I would not recommend deleting stale records unless you're sure the device is no longer in use. Our workaround to accomplish something similar to what you're doing is to have an "active computers smart group" based on last activity which we use for most things.
Posted on 08-22-2023 06:27 AM
Yeah. Our Windows MDM does not work this way. If you delete a computer from that system and it checks back in it will become enrolled again. I am kind of surprised Jamf works this way, especially with the MDM profile still being on the computer.
Posted on 08-22-2023 06:59 AM
Better to set computers to 'Unmanaged' instead of deleting for this reason.
Posted on 08-22-2023 08:02 AM
This is what we do, and then create a report for devices that are unmanaged and checked in within last x amount of days so they can be put back into management properly if they do show up again. It does feel like something that should be automated in some capacity though, and I've brought this up with our jamf reps in regards to license management.
I have a feature request that fits into this a bit, can be found here, take a look and vote if you feel this needs to be added to a future version of Jamf.
08-22-2023 10:58 AM - edited 08-22-2023 10:59 AM
Yeah, seems if we had a stored or quiet mode it would be great. There is no point in unmanaging these systems as they will never get the command until they are active again, and at that point if they are active I would want them to be managed and talking to Jamf.
Deleting is more for clean up in reports and not having config profiles showing pending forever. But at the same time, if the computer comes back online (not wiped) we would want to know about it and have it be managed (at least have a tech know the computer is active and get it back into Jamf).
08-22-2023 12:18 PM - edited 08-22-2023 12:21 PM
Unmanaged Macs still communicate with Jamf, it just won't attempt to enforce policies or push MDM commands. This is why I suggested setting up a smart group for unmanaged, active Macs and taking action when needed. iOS devices are another story.
I agree that deleting is cleaner but this is not how Jamf Pro (currently) works. If you delete a device, it's gone until you re-enroll it.
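The "unmanage instead of delete, then report on unmanaged Macs that check in again" approach described in the replies above, as an added example that is not code from the thread or from Jamf: it triages inventory records by last contact and management state, and builds the Classic API body for flipping a record to unmanaged. The record layout (Jamf Pro API `/api/v1/computers-inventory` GENERAL section) and the Classic API XML are assumptions; the sample records are constructed.

```python
"""Triage Jamf Pro computer records: unmanage stale ones, flag returned ones."""
from datetime import datetime, timedelta, timezone

# Constructed sample records, shaped like the Jamf Pro API
# GET /api/v1/computers-inventory?section=GENERAL response (field names assumed).
SAMPLE_RECORDS = [
    {"id": "1", "general": {"name": "MBP-001", "lastContactTime": "2023-08-21T14:02:11Z",
                            "remoteManagement": {"managed": True}}},
    {"id": "2", "general": {"name": "MBP-002", "lastContactTime": "2023-02-01T09:00:00Z",
                            "remoteManagement": {"managed": True}}},
    {"id": "3", "general": {"name": "MBP-003", "lastContactTime": "2023-08-10T08:30:00Z",
                            "remoteManagement": {"managed": False}}},
    {"id": "4", "general": {"name": "MBP-004", "lastContactTime": None,
                            "remoteManagement": {"managed": False}}},
]

# Fixed "now" so the run is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2023, 8, 22, 12, 0, tzinfo=timezone.utc)


def parse_contact(value):
    """Parse the API's ISO-8601 'Z' timestamp; None means the record never checked in."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(records, now=NOW, stale_days=160, active_days=30):
    """Split records into: managed but silent > stale_days (set Unmanaged, do not delete),
    unmanaged but contacted within active_days (returned; re-manage), and never contacted."""
    stale_cutoff = now - timedelta(days=stale_days)
    active_cutoff = now - timedelta(days=active_days)
    out = {"to_unmanage": [], "returned": [], "never_contacted": []}
    for rec in records:
        gen = rec["general"]
        last = parse_contact(gen.get("lastContactTime"))
        managed = gen.get("remoteManagement", {}).get("managed", False)
        if last is None:
            out["never_contacted"].append(gen["name"])
        elif managed and last < stale_cutoff:
            out["to_unmanage"].append(gen["name"])
        elif not managed and last >= active_cutoff:
            out["returned"].append(gen["name"])
    return out


def unmanage_body():
    """Assumed Classic API body for PUT /JSSResource/computers/id/{id}: keeps the record
    (so 'jamf recon' still works) but stops policy and MDM enforcement."""
    return ("<computer><general><remote_management>"
            "<managed>false</managed></remote_management></general></computer>")
```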
Posted on 08-23-2023 02:17 AM
It's expected behavior. Once the Macs are removed from JAMF Pro, they are effectively stuck with what they have in terms of policies and profiles. You'd need to re-enroll in order to regain control from JAMF Pro again. If the Mac was enrolled through Automatic Device Enrollment (formerly DEP), then you'll need to completely wipe the Mac and redeploy it. If the Mac was enrolled via user initiated enrollment, then you can just remove the profiles and JAMF binary and then re-enroll the Mac all over again.