Best way to add a new corporate entity without f***ing up their Macs

stevenjklein
Contributor II

Company A (my employer) recently bought company B. A is in Detroit, B is in LA.

B has no Mac management in place, and I've been asked to enroll them in Jamf.

At this point I just want to enroll them and get inventory, but I don't want any of my existing policies or configuration profiles to be applied to them.

A has about 100 Macs (all in Jamf); B has 15-20 Macs.

Here's the plan I've come up with to accomplish this task:
1. Create 2 Buildings in Jamf: Detroit and LA
2. Assign all existing Macs to Detroit Building. (Using mass edit)
3. Edit the scope of all existing policies to exclude LA Macs
4. Edit the scope of all configuration profiles to exclude LA Macs
5. Create a QuickAdd package for the LA site
6. Test enroll a Mac, assign it to LA, and verify that no policies or configuration profiles get applied.

Does this seem like a reasonable plan of attack?

5 REPLIES

Wakko
Release Candidate Programs Tester

A suggestion would be to also create a site called "LA". Have your quick add enroll machines to that site, which has no enrollment complete policies. Also, create a site called Detroit, and move all existing machines to that site as well. Then you can adjust policies and profiles to be part of the site as well. Yes, I would follow those same steps as well to ensure your sanity as well. Nothing wrong with being sure.

stevenjklein
Contributor II

@Echevarria : I appreciate the feedback. I have policies that run on check-in, and I don't want those policies running on the LA Macs. (For example, one of those policies installs our AV software; since they already have a different AV app, I don't want my installer running on those Macs.)

Until we can assimilate them as standard corporate Macs, I think my best bet is to not touch them at all. I can coordinate with the help desk team in LA when we start applying policies to those Macs.

The reason I used Buildings instead of Sites is that I can set a policy scope to exclude buildings, but I don't think I can exclude sites.

tuinte
Contributor III

Instead of EXCLUDING LA Macs you could also change the scope of these policies from ALL to Detroit Macs. That way anything that doesn't get the LA Mac Building for whatever reason when they enroll still won't have these policies run on them. As-is, it doesn't look like you have anything assigning the LA Mac building to these LA machines, so excluding that Building won't actually exclude these machines.

stevenjklein
Contributor II

@tuinte : "you could also change the scope of these policies from ALL to Detroit Macs"

But the scope isn't "all," for many of the policies. For example, I have a static user group called "Firefox users," and the policy to install Firefox is scoped to that user group.

I could create a static group called "Firefox Users in Detroit."

I have to think about this a bit more.

easyedc
Valued Contributor II

So we addressed this a few years ago by coming up with a naming convention that worked for us (this was before Sites). When we enrolled the newly acquired company, we renamed their workstations to follow a similar naming convention to our current model, but we added a prefix (to them) so that any computer name that started with the prefix was instantly known to be part of the acquisition (or vice versa)

ACQ...

automatically was guided to include or exclude policies as needed. The naming was handled by providing a quick add package, and then forcing self service to launch upon completion, and then a simple rename script was presented. After that, it cleaned itself up by applying policies against a smart group (or excluding) when computer name > Like > unique prefix.

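#!/bin/bash

# Prefix that marks a Mac as part of the acquisition.
# LocalHostName only accepts letters, digits and hyphens, so avoid spaces.
base="Put your Prefix Here"

# Hardware serial number. The parentheses must be escaped, otherwise awk
# treats them as a regex group and the line never matches.
serial=$(/usr/sbin/system_profiler SPHardwareDataType | /usr/bin/awk '/Serial Number \(system\)/ {print $NF}')

# Set all three macOS names to prefix + serial.
/usr/sbin/scutil --set ComputerName "${base}${serial}"
/usr/sbin/scutil --set LocalHostName "${base}${serial}"
/usr/sbin/scutil --set HostName "${base}${serial}"

# Detect the disk layout so the boot volume can be renamed to match.
APFS=$(/usr/sbin/diskutil list | grep "APFS")
Apple_HFS=$(/usr/sbin/diskutil list | grep "Apple_HFS")
Fusion=$(/usr/sbin/diskutil list | grep "virtual")

# The disk identifiers below are the usual defaults for each layout;
# confirm them with "diskutil list" before deploying.
if [ "$APFS" != "" ]; then
    /usr/sbin/diskutil rename disk1s1 "${base}${serial}"
elif [ "$Apple_HFS" != "" ]; then
    /usr/sbin/diskutil rename disk0s2 "${base}${serial}"
elif [ "$Fusion" != "" ]; then
    /usr/sbin/diskutil rename disk2 "${base}${serial}"
fi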
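
Added example, not part of any post in this thread and not Jamf's own code: a simplified model of policy scoping (targets minus exclusions) that shows the difference tuinte raised between excluding the LA Building and scoping to the Detroit Building. The field names, policy names and sample Macs are constructed assumptions; limitations and smart groups are not modelled.

```python
# Simplified model of policy scoping: a Mac is in scope when it matches a
# target and does not match an exclusion. All field names and sample data
# below are constructed for illustration (assumption, not the Jamf API).

POLICIES = [
    # Existing "all computers" policy with the LA Building excluded.
    {"name": "Install AV", "all_computers": True,
     "buildings": [], "groups": [], "excluded_buildings": ["LA"]},
    # Same policy re-scoped to target the Detroit Building instead.
    {"name": "Install AV (Detroit only)", "all_computers": False,
     "buildings": ["Detroit"], "groups": [], "excluded_buildings": []},
    # Policy scoped to a static group, with LA excluded as a safety net.
    {"name": "Install Firefox", "all_computers": False,
     "buildings": [], "groups": ["Firefox users"],
     "excluded_buildings": ["LA"]},
]


def in_scope(policy, mac):
    """Return True if the policy would apply to this Mac."""
    building = mac.get("building")  # None when no Building was ever assigned
    targeted = (
        policy["all_computers"]
        or building in policy["buildings"]
        or any(g in policy["groups"] for g in mac.get("groups", []))
    )
    excluded = building in policy["excluded_buildings"]
    return targeted and not excluded


def policies_hitting(mac, policies=POLICIES):
    """Names of every policy that would run on the given Mac."""
    return [p["name"] for p in policies if in_scope(p, mac)]


# Two constructed test enrollments: one tagged with the LA Building,
# one that enrolled without any Building assigned.
LA_TAGGED = {"name": "ACQ-test-1", "building": "LA", "groups": []}
LA_UNTAGGED = {"name": "ACQ-test-2", "building": None, "groups": []}
DETROIT = {"name": "DET-1", "building": "Detroit", "groups": ["Firefox users"]}

if __name__ == "__main__":
    for mac in (LA_TAGGED, LA_UNTAGGED, DETROIT):
        print(mac["name"], mac["building"], "->", policies_hitting(mac))
```

The untagged Mac still receives the exclusion-based "Install AV" policy, which is the gap to check for in step 6 of the plan before enrolling the rest of the LA Macs.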