Posted on 09-13-2016 08:22 AM
Hello,
I think I already know the answer to this, but wanted to see if I'm missing something. I manage a mixed BYOD/school-owned MacBook program. Currently, the BYOD machines are not managed with Casper. Is there any way to manage those machines without having the ability to remotely lock or wipe a computer? There is a concern that parents may not like the fact that we have those abilities on a machine that they personally own. At the same time, we want to give them the ability to access Self Service.
Thanks for any input!
Posted on 09-16-2016 11:55 AM
No. As I'm sure you suspect. (Very few things can be so clearly stated.)
There are several ways to enroll a computer without wiping it, yet all of those ways provide you (the school) the power to do just about anything to that unit. This is the way it really has to be. If a service can install applications and manage settings via SSH, then it can do practically anything on the end user device. You could disable MDM capabilities to make it look like you couldn't easily wipe or lock a device (using Apple-approved methods), yet once you have SSH access you can't say that you "can't". Perhaps you could make a School Policy that says you won't, but it will be a "policy".
Here are some methods that will allow you to enroll machines without wiping anything at all. Though, I suspect that you already know these so I won't elaborate too much.
• Use "Recon" to remotely manage computers that you have 1: Network Access to AND 2: an SSH/admin password to
• Use "Recon" to create a "QuickAdd" package that you can give to users who have their own admin credentials. Once they install this they are enrolled and manageable.
• You could enable "User Initiated Enrollment" which gives the users a URL to visit and then set up their own machines.
• You could also send email invitations via the JSS that send them the URL mentioned above.
I'd be happy to share how we (Brewster Academy) unenroll (off-board, De-Brewsterize, whatever) our student units if you're interested.
FYI, at the start of our school year, we do wipe the students' BYOD machines. It's the only truly reliable way (IMO) to start a school year the day after computer prep, without having a ton of random issues due to the student's prior use. I can imagine that it wouldn't be popular with parents in an environment where they didn't have to do that before.
That said, you could always make it optional (to start). If the parent wants to make their kids' lives easy, then they can enroll. Otherwise, they can go through the steps to manually add printers, apps, configs etc. Very few folks really want to do that on their own. Use the biggest carrot you can!