Auto Re-Enroll MDM Policy

qhle373
Contributor

I just pieced a workflow together to make our Macs enroll in MDM if the profile was deleted. Wanted to get your thoughts on it or provide a solution for your setup if it works out. So far it's running successfully for us.

1) Create Shell Script:

#!/bin/sh

# Re-apply the Jamf management framework and MDM profile
sudo jamf manage

(May need to cd in Terminal to the location of where your script is saved)

2) Give root ownership of script (Terminal):

sudo chown root <scriptname>

3) Give permission for script to be run w/out password requirement (Terminal):

sudo chmod 4755 <scriptname>

4) Upload Shell Script to Casper Admin

5) Create Policy that deploys script. (We have set this Policy to occur on logout instead of typical login to make up for a lag in joining the network upon startup which causes the policy to fail)


adamcodega
Valued Contributor

Interesting idea. Your script can indeed be that short if there is something else checking for the profile; in this case the policy is applied if an MDM profile is not on the computer. It's always good to check for certain conditions before running commands.

You don't need to do anything to scripts (permissions or owners) after writing them. Casper Admin takes care of that, at least with scripts.

Keep in mind, if someone has removed their MDM profile, it's also possible they removed the JAMF framework. In that case you could look at having CasperCheck deployed on your computers.
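A condition-checked version of the logout script, combining the original post's `jamf manage` step with the advice above to check before running commands; this is an added example, not code from the thread or from Jamf. It assumes the jamf binary path in JAMF_BIN, the Jamf MDM profile identifier in MDM_PROFILE_ID, and the `profiles -P` output format shown in the constructed sample; verify all three on an enrolled Mac.

```shell
#!/bin/sh
# Added example, not the original poster's script: run "jamf manage" only when the MDM
# profile is actually missing, and stop if the jamf binary itself is gone.
# Assumptions (verify with "sudo profiles -P" on an enrolled Mac): the jamf binary path
# in JAMF_BIN and the Jamf MDM profile identifier in MDM_PROFILE_ID.
JAMF_BIN="${JAMF_BIN:-/usr/local/bin/jamf}"
MDM_PROFILE_ID="${MDM_PROFILE_ID:-00000000-0000-0000-A000-4A414D460003}"
# Constructed sample of "profiles -P" output, used by dry_run below.
SAMPLE_LISTING="_computerlevel[1] attribute: profileIdentifier: com.example.wifi
_computerlevel[2] attribute: profileIdentifier: ${MDM_PROFILE_ID}"

# Return 0 if a "profiles -P" listing (passed as $1) contains the MDM profile.
mdm_profile_present() {
    printf '%s\n' "$1" | grep -q "profileIdentifier: ${MDM_PROFILE_ID}"
}

# Return 0 if the jamf binary exists and is executable at path $1.
jamf_framework_present() {
    [ -x "$1" ]
}

# Print the action for a listing ($1) and binary path ($2):
#   ok / manage / framework-missing (binary gone: needs a full re-enrollment, e.g. CasperCheck)
decide_action() {
    if ! jamf_framework_present "$2"; then
        echo "framework-missing"
    elif mdm_profile_present "$1"; then
        echo "ok"
    else
        echo "manage"
    fi
}

# Offline check of the decision logic against the constructed sample (prints "ok").
dry_run() {
    decide_action "$SAMPLE_LISTING" /bin/sh
}

main() {
    # profiles -P needs root; a Jamf policy already runs the script as root.
    listing="$(profiles -P 2>/dev/null)"
    case "$(decide_action "$listing" "$JAMF_BIN")" in
        ok)     echo "MDM profile present; nothing to do" ;;
        manage) echo "MDM profile missing; running jamf manage"; "$JAMF_BIN" manage ;;
        *)      echo "jamf binary not found at $JAMF_BIN; reinstall the framework" >&2; exit 1 ;;
    esac
}

# Only act when run as the deployed script; sourcing it just defines the functions.
case "${0##*/}" in remediate_mdm.sh) main ;; esac
```

Save it as remediate_mdm.sh and attach it to the logout policy; the framework-missing exit code makes the policy show as failed in the logs, which is the case CasperCheck is meant to cover.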

rtrouton
Release Candidate Programs Tester

For MDM repair, I've got a policy-driven process that fixes MDM on an as-needed basis. I've got a couple of posts on it available from the links below:

https://derflounder.wordpress.com/2014/06/15/automatically-fixing-mdm-certificate-enrollment-with-ca...

https://derflounder.wordpress.com/2013/08/31/automatically-fixing-casper-mac-mdm-enrollment/