Build after DEP Enrollment

rward
New Contributor

Hi,

We have recently implemented DEP in our company.

The plan is for us to ship our machines directly to our different offices around the world (rather than us having to image them first and ship them out).

What I would like is for the end user to switch on the machine, go through the initial OS X set up, then once they are at their desktop, the policy kicks in and installs/configures/runs all the company software/scripts etc automatically.

I've set up the required pre-stage, smart groups, and everything is scoped correctly etc.

The policy itself works fine (when triggered through Self Service or manually triggering using a sudo jamf policy), but I can't get it to auto run after first login. I've tried setting the trigger to run at enrollment complete, and login (login hooks are enabled), but it just doesn't seem to run.

I can set it to recurring check-in, but as our check-in frequency is set at 30 mins, I don't want the user to have to wait 30 mins before it runs.

I've tried experimenting with custom triggers but haven't had any luck.

Probably a simple way/workaround but I'm drawing a blank.

Any ideas?

7 REPLIES

stevewood
Honored Contributor II

@rward in my testing with this, the problem I normally come across is that the machine is not falling into the proper SmartGroup to get noticed by the Policy.

So, I have a policy that is set to trigger on "Enrollment Complete" and is scoped to a SmartGroup named "DEP Computers". This works as long as the machine falls into that SmartGroup. I've had better luck in scoping the policy to "All Managed Computers".

The only problem with scoping to All Managed Computers is that if someone re-enrolls a computer (jamf enroll for example) that initial policy could run again.

I would verify that the computer is falling into the scope, AND that the machine hasn't already run that Policy and so is not able to run again (Policy set to "Once per Computer" for example).

rward
New Contributor

Yeah, I did double check all the scoping. Similar to your setup, it goes to a smart group that looks for computers enrolled through my DEP.

I can see the correct computers in the policy logs, but they just stay on "Pending", so it seems the trigger isn't working in the first place. As I said, I've tried using enrollment complete and login triggers but it doesn't seem to work.

skoonin
New Contributor

Hey Guys,

Any chance you'd be able to let me know how you created a smart group that included all your DEP computers? In JSS, I only see a criterion for "Enrollment Method: PreStage enrollment" currently and its functionality is dubious.

I am looking for a way to scope things to only computers enrolled in our DEP instance.

Thanks! skoonin

bentoms
Release Candidate Programs Tester

@skoonin the prestage is the criteria.

Why dubious?

skoonin
New Contributor

@bentoms Thanks for the response. It's dubious as in the Smart Group isn't populated at all. I put in all of our PreStages in the smart group (using OR statements) and manually enrolled a computer and it won't populate. In the computers inventory it does list the correct PreStage as the enrollment method, but the Smart Group is empty.

We are on 9.82 here. Maybe it's a bug in 9.82? But nothing in the release notes about it.

Thanks!

bentoms
Release Candidate Programs Tester

@skoonin might be worth asking your JAMF support team if this is a 9.82 issue. Not seeing it on our JSS & we're now on 9.92.

skoonin
New Contributor

@bentoms

Yeah, I need to update at some point here soon. But, I will say that creating separate Smart Groups for each PreStage DID work. However, combining them into one big Smart Group did not work. Strange.