Apply new policy only to new machines?

gwjc
New Contributor

I'm looking to create a new policy, specifically one to add/remove dock items, to an existing Jamf environment with a few hundred enrolled devices. I'm trying to roll out cleaner docks & the self service app for a cleaner on-boarding.

I'd like this to apply once to new machines, for a one-time initial cleanup. I don't want this to retroactively go and affect people's docks who have been up and running with their machines for years.

What's the best way of scoping a policy to "only new machines"? Enrollment complete? Creating a massive ugly group of every currently-enrolled machine, and excluding that? Something better and cleaner?

Thanks!

5 REPLIES 5

jtrant
Contributor III

"Last enrollment" after whatever date/time you specify? It would run on a Mac that was re-enrolled after this date, though.

mm2270
Legendary Contributor II

This is a good question.

One way you could try doing this is by creating a Smart Computer Group for the policy scope that uses the Last Enrollment date criteria and enter a date from the time you expect to enable this new policy, and use the after (yyyy-mm-dd) modifier. That should only collect Macs that have been enrolled on or after that specific date.
The only problem I see with this is that if you ever have need to re-enroll a Mac for any reason, I believe that Enrollment Date value gets updated and the Mac will land into the Smart Group, and trigger the policy on it.

Another method, which takes a little more work but might be safer, is to deploy some kind of flag or file to all your existing Macs, like a simple file inside /private/var/ for example. From there, you can have an Extension Attribute that looks for this file and reports yes or no, and use that as the basis of a Smart Group to use as an exclusion to the policy, meaning all Macs that report "Yes" the file exists. So the policy would run on all Macs, then you'd have to disable the policy, and then enable your Dock policy. From that point, only new Macs being enrolled would get it since all the existing ones would be excluded.

There may be some other methods that would work better. I'm be curious to see if anyone has a good method for doing something like this.


@mm2270 wrote:

This is a good question.

One way you could try doing this is by creating a Smart Computer Group for the policy scope that uses the Last Enrollment date criteria and enter a date from the time you expect to enable this new policy, and use the after (yyyy-mm-dd) modifier. That should only collect Macs that have been enrolled on or after that specific date.
The only problem I see with this is that if you ever have need to re-enroll a Mac for any reason, I believe that Enrollment Date value gets updated and the Mac will land into the Smart Group, and trigger the policy on it.

Another method, which takes a little more work but might be safer, is to deploy some kind of flag or file to all your existing Macs, like a simple file inside /private/var/ for example. From there, you can have an Extension Attribute that looks for this file and reports yes or no, and use that as the basis of a Smart Group to use as an exclusion to the policy, meaning all Macs that report "Yes" the file exists. So the policy would run on all Macs, then you'd have to disable the policy, and then enable your Dock policy. From that point, only new Macs being enrolled would get it since all the existing ones would be excluded.

There may be some other methods that would work better. I'm be curious to see if anyone has a good method for doing something like this.


In the Smart Group, besides the Last Enrollment date criteria, you can add an "AND Enrollment Method PreStage enrollment is _____" criteria.  Then, the Smart Group will contains only the new enrollment devices using the prestage enrollment, which goes through reformatting the disk and reinstalling the macOS.  

easyedc
Valued Contributor II

What's your build workflow - set it and forget it and check it later? Or does a tech sit and baby it along? Do you run any custom scripts during the build workflow or self service jobs? you could create a policy that's assigned to ALL and just give it a custom trigger (KISS - "dock") and add that line to your new enrollment tasks or run via self service. If you do any scripts during your build - throw a line in there to run the dock policy

/usr/local/bin/jamf policy -event dock

Depends on how creative you want to get and your comfort with Jamf. The simpler route is what everyone above mentioned - smart group based on last enrollment date after XX/XX/XX.

gwjc
New Contributor

Yeah I think the big ugly group exclusion is the easiest way to go. Basing the smart group off enrollment date is clean enough and I'm not concerned about re-enrollments triggering it, and I'll probably need to exclude based that group for a few other policies I end up building as well. Thanks all!