Apply Smart Group based on enrolment state

_aDiedericks
Contributor

Hi there,


I'd like to know if it's possible to configure smart groups in a way that applies a specific smart group ONLY when a device has just been enrolled. The issue we're having is that Sophos Endpoint has two custom mobileconfig policies: one for macOS Monterey and one for macOS Ventura.


I have a simple smart group set up that separates Monterey and Ventura devices.

[Screenshot: smart group criteria separating Monterey and Ventura devices]


The problem is, if someone were to upgrade their OS, their current Sophos installation would still be installed, but the Sophos mobileconfig for Monterey would be removed and replaced with the Ventura mobileconfig. Since the configs are applied AFTER Sophos has already been installed, this would undoubtedly break Sophos' permissions on the machine.


Is there any way to have a smart group apply only immediately after enrolment and at no other time? This is to make sure that devices freshly installed with Ventura get the Ventura configuration only, and not devices that upgrade from Monterey to Ventura.


Accepted solution

_aDiedericks
Contributor

Managed to get this working by applying logic from a different angle.


- I created a scope looking for devices that are on Ventura but do not have the Sophos Monterey profile already installed.
[Screenshot: smart group criteria for Ventura devices without the Sophos Monterey profile]
- The Sophos Monterey config I scoped to all devices, excluding the scope I created above.
[Screenshot: Sophos Monterey config scope]
- The Sophos Ventura config I scoped to the first scope mentioned above.
[Screenshot: Sophos Ventura config scope]


The logic here is that if a device is upgrading from Monterey to Ventura, it will still have the Sophos Monterey config installed, so the Sophos Ventura config should not be applied and the Sophos Monterey config should stay.

But if a device has Ventura installed and doesn't already have the Sophos Monterey config, then install the Sophos Ventura config.

I will be testing this by downgrading to macOS Monterey and then upgrading to macOS Ventura to see if the Sophos Monterey config persists across upgrades. I've already tested fresh installs of Ventura: the correct configuration profile is applied, which is the Sophos Ventura config, as it should be.

[UPDATE]
I've tested this by upgrading from macOS Monterey to Ventura. The Sophos Monterey profile persists across the upgrade.

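The scoping rule in the accepted solution is essentially a pair of set operations over device state, and the reason it beats the "Last Enrollment less than 1 day" criterion suggested in the replies is easiest to see by exercising both rules against the two cases that matter (a fresh Ventura enrolment and a Monterey device that upgrades in place). The model below is an added example written for this page, not code from the original post or from Jamf or Sophos; the profile display names, OS version strings, the `Device` record and the `reconcile` step that mimics the MDM installing the in-scope profile and removing the out-of-scope one are all assumptions made for illustration.

```python
"""Model of the profile-scoping logic from the accepted answer (added example, not
from the original post). Names, versions and the reconcile step are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Profile display names as they would appear in the MDM's "Profile Name" criterion
# (assumed names, chosen to match the wording in the thread).
MONTEREY_PROFILE = "Sophos Monterey"
VENTURA_PROFILE = "Sophos Ventura"

# Fixed "now" so the example is deterministic (constructed value).
NOW = datetime(2022, 11, 20, 18, 0)


@dataclass
class Device:
    name: str
    os_version: str                 # e.g. "12.6.1" (Monterey) or "13.0.1" (Ventura)
    installed_profiles: set[str]    # profiles currently installed on the device
    last_enrollment: datetime


def is_ventura(d: Device) -> bool:
    """macOS 13 is Ventura, 12 is Monterey (major-version check only)."""
    return int(d.os_version.split(".")[0]) == 13


def in_fresh_ventura_group(d: Device) -> bool:
    """Smart group from the accepted answer:
    on Ventura AND does NOT have the Sophos Monterey profile installed."""
    return is_ventura(d) and MONTEREY_PROFILE not in d.installed_profiles


def desired_profile(d: Device) -> str:
    """Sophos Ventura config is scoped to the group above; Sophos Monterey config is
    scoped to all computers, excluding that group."""
    return VENTURA_PROFILE if in_fresh_ventura_group(d) else MONTEREY_PROFILE


def reconcile(d: Device) -> Device:
    """Apply scoping the way the MDM would: install the in-scope Sophos profile and
    remove the out-of-scope one, leaving unrelated profiles alone."""
    want = desired_profile(d)
    d.installed_profiles = (d.installed_profiles - {MONTEREY_PROFILE, VENTURA_PROFILE}) | {want}
    return d


def in_recent_enrollment_group(d: Device, now: datetime) -> bool:
    """The alternative criterion from the replies:
    on Ventura AND Last Enrollment less than 1 day ago."""
    return is_ventura(d) and (now - d.last_enrollment) < timedelta(days=1)


def scenario_fresh_ventura() -> str:
    """A device enrolled directly on Ventura has no Sophos profile yet, so it lands in
    the fresh-Ventura group and gets the Ventura config."""
    d = Device("fresh-ventura", "13.0.1", set(), NOW)
    return desired_profile(d)


def scenario_upgrade() -> tuple[str, str]:
    """A Monterey device gets its profile, then upgrades the OS in place. The Monterey
    profile survives the upgrade, which keeps the device out of the fresh-Ventura group,
    so the Monterey config stays and the Ventura config is never pushed."""
    d = reconcile(Device("upgraded", "12.6.1", set(), NOW - timedelta(days=30)))
    before = desired_profile(d)
    d.os_version = "13.0.1"          # OS upgrade; installed profiles are retained
    reconcile(d)
    return before, desired_profile(d)


def scenario_recent_enrollment(days_since_enrollment: int) -> bool:
    """Shows the weakness raised in the replies: a Ventura device drops out of the
    'enrolled less than 1 day ago' group once the window passes, so any profile scoped
    to that group would be removed again."""
    d = Device("ventura", "13.0.1", {VENTURA_PROFILE},
               NOW - timedelta(days=days_since_enrollment))
    return in_recent_enrollment_group(d, NOW)


if __name__ == "__main__":
    print("fresh Ventura  ->", scenario_fresh_ventura())
    print("upgrade        ->", scenario_upgrade())
    print("enrolled today ->", scenario_recent_enrollment(0))
    print("enrolled 2d ago->", scenario_recent_enrollment(2))
```

One consequence of this rule worth keeping in mind: membership is keyed entirely on the presence of the Monterey profile, so a Ventura device that loses that profile for any reason (a user removing it, a profile re-push, a wipe and re-enrol) silently flips into the fresh-Ventura group and gets the Ventura config on the next inventory update, which is the intended behaviour for a rebuild but is something to watch for in the smart group's membership history.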

5 replies

karthikeyan_mac
Valued Contributor

@_aDiedericks How about a smart group with criteria for macOS Ventura and Last Enrollment less than 1 day?

Thanks.

I didn't even know that was a thing. I actually did a workaround that I just deleted this morning.

It involved a policy that applies during the enrolment process and uses the touch command to download a placeholder file to /Users/Shared/, then a custom attribute to check for that file's existence, behaving much like a flag. This applied through a policy during enrolment only and to macOS Ventura devices only.

A smart group was also created with criteria to check for the existence of said flag: if it saw the flag and the machine was also on macOS Ventura, then the assumption would be that this device was enrolled on macOS Ventura and not upgraded, and the config would be applied.

Though this worked a few times, it seems that because config profiles load first, whether or not the policy runs to create the flag file in the first place is RNG. Sometimes it would just deploy the Monterey and Ventura configs together, because the configs apply before the policy that creates the flag.

Your method seems way more reasonable 🤣 I'll give it a go, thanks.

@karthikeyan_mac Just checking the logic of this criteria. If a device passes 2 days after enrolment, would it then not fall out of this scope, therefore losing the configuration assigned based on that scope?

What if the criteria specified were to look for "Enrolment method - Prestaged" and "macOS Ventura devices"?
This would work based on the assumption that prestaging only takes place during device setup, i.e. a fresh install/reset of the OS.

[Screenshot: smart group criteria using Enrolment method - Prestaged and macOS Ventura]
