Computer name naming schemes - What do you use?

neilrooney_old
New Contributor II

Hi everyone, hope you're all well!

I'm hoping you can help give me a better idea of the naming schemes you use for managing your macOS devices and why you chose that scheme.

Right now we are using firstname.lastname for all laptops. This allows us to easily find devices on our internal network but our concern here is that it may needlessly share information to attackers when employees are working outside of our internal LAN.

Anyway, what schemes do you use?


AVmcclint
Honored Contributor

We use the computer's serial number for the name. This works because all computers are required to join Active Directory, and AD has a limitation on the length of the computer name. If we were to use firstname.lastname as you do, this would fail. As for easily identifying the computers, I add the user's name into the User & Location part of the computer's JSS record and I have it displayed in all searches and groups. We also have a few users who have multiple computers assigned to them for various purposes. There's also the issue of the loaners and tester Macs I have on the shelf... using user names in the computer name would be impractical and impossible if those computers were to be deployed. When I use ARD, I have the Current User column displayed so there is never any question as to whose computer it is. The naming scheme that works for you will depend on the size of your organization.

dsavageED
Contributor III

We use an organisational code pulled from LDAP (based on the username) along with the last 8 characters of the machine serial number, so the name looks something like AB3-HGBDG7D1. This makes it easier to scope particular policies to particular departments, since the machine names have a common start for each given department.

I think it is fairly common practice to use an element of the serial number when naming, here is the variable we use:

serial_no=$(ioreg -c IOPlatformExpertDevice -d 2 | awk -F\" '/IOPlatformSerialNumber/{print $(NF-1)}' | tail -c 9)

easyedc
Valued Contributor II

We're slowly adding Macs to a large windows organization and our naming scheme follows a legacy pattern. Back in the day, someone decided that we would differentiate computers from servers in naming by putting a "WK" (short for workstation) prefix plus serial number to come up with the name. Fast forward many years and we start to introduce Macs, and the first group to use them were creatives, who did our marketing, and we started using the prefix "MK" (which at the time was short for "marketing") plus serial number for Macs.

When asked, I don't explain it that way, but say that "WK" is for Windows workstations, and "MK" is for Mac workstations. Just easier that way. And +1 for not using the names as well, since it would interfere with AD's limitations (15 or 16 character limit I believe?). Also we have some devs that co-code on a single workstation. If you have it "named" for one user, that would make it harder to find. I also grab the last user logged in with the below EA.

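#!/bin/sh
# Extension attribute: report the last user name recorded by the login window.
# Errors are discarded so a missing key yields an empty value.
lastUser=$(defaults read /Library/Preferences/com.apple.loginwindow lastUserName 2>/dev/null)

# Quote the variable and test with -z so an empty value does not break the test.
if [ -z "$lastUser" ]; then
    echo "<result>No logins</result>"
else
    echo "<result>$lastUser</result>"
fi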

mark_mahabir
Valued Contributor

We use a two letter departmental code, followed by a 4 or 5 digit sequential number that is issued by our homegrown Network Device Registration system.....for example:

EE-09865

boberito
Valued Contributor

At my last job we had an inventory tag. This told us the year we purchased the machine.

So BA1234 was like a 2015, CA1234 was like a 2016 purchase. That way we'd know when AppleCare expired easily by looking at the list. Since it was a school that was 1-to-1, we'd add S on as a prefix if it was in the hands of a student. SBA1234. It made it easy to get an inventory of everything quickly.

jefff
Contributor II

First character or two represents the building, followed by the 3-digit room number, followed by as much of the serial number as we can fit into the 15-character limit imposed by Active Directory on computer names.

jconte
Contributor II

We use serial numbers as well.

############## Set Computer Name ##############
# Get device serial number
SERIAL=$(system_profiler SPHardwareDataType | grep 'Serial Number (system)' | awk '{print $NF}')

# Get device model name
MODEL=$(sysctl hw.model)

# Set prefix based upon model
if [[ $MODEL == *"Book"* ]]
then
    PREFIX="L-A"
else
    PREFIX="W-A"
fi

# Build Computer Name
COMPUTERNAME="$PREFIX$SERIAL"

# Set computername
/usr/bin/sudo /usr/sbin/scutil --set ComputerName "$COMPUTERNAME"

# Set hostname
/usr/bin/sudo /usr/sbin/scutil --set HostName "$COMPUTERNAME"

nvandam
Contributor II

We use

Mac-Asset Tag-First Initial Last Name

We had some users requesting to have their names included so when they AirDrop they actually know who they are looking at. Using just an Asset Tag or Serial they would have to double check they are dropping it to the right person.

obi-k
Valued Contributor II

Department code, then the serial number. Example: ITS-C012345678.


zachary_fisher
New Contributor III

We use Building-firstinitialLastName

I use a script such as this below, redacted a bunch but you should get the idea.

When a computer is set up, they have to log into LDAP which points to our Okta instance. From there all the other values are set based on bindings.

#!/bin/bash

# Function

function DecryptString() {
    # Usage: ~$ DecryptString "Encrypted String"
    local SALT="SALT"
    local K="KEY"
    echo "${1}" | /usr/bin/openssl enc -aes256 -d -a -A -S "$SALT" -k "$K"
}

function assignComputerAndHostName() {
    local LOCATION_ALIAS=$1
    local FIRST_INITIAL=$2
    local LAST_NAME=$3
    echo "Building is $LOCATION_ALIAS, naming computer $LOCATION_ALIAS-$FIRST_INITIAL$LAST_NAME"
    sudo scutil --set ComputerName "$LOCATION_ALIAS-$FIRST_INITIAL$LAST_NAME"
    sudo scutil --set HostName "$LOCATION_ALIAS-$FIRST_INITIAL$LAST_NAME"
    sudo scutil --set LocalHostName "$LOCATION_ALIAS-$FIRST_INITIAL$LAST_NAME"
}

# Variables

# User currently logged in at the console, and the parts of their real name
username=$(stat -f %Su /dev/console)
realname="$(dscl . -read "/Users/$username" RealName | cut -d: -f2 | sed -e 's/^[ ]*//' | grep -v "^$")"
firstInitial="$(echo "$realname" | head -c 1)"
lastName="$(echo "$realname" | awk '{print $2}')"
apiUser=apiuser
apiPass=$(DecryptString "ENCRYPTED STRING")
jssURL="URL"
serialNumber=$(system_profiler SPHardwareDataType | awk '/Serial/ {print $4}')
# Look up the building recorded for this serial number in the JSS
building=$(curl -sku "$apiUser":"$apiPass" -H "Accept: text/xml" "$jssURL/JSSResource/computers/serialnumber/${serialNumber}/subset/location" | xmllint --format - 2>/dev/null | awk -F'>|<' '/<building/{print $3}')

echo "$building"

case $building in
    "New York" ) assignComputerAndHostName NY "$firstInitial" "$lastName" ;;
    "Seattle" ) assignComputerAndHostName SEA "$firstInitial" "$lastName" ;;
    "Chicago" ) assignComputerAndHostName CHI "$firstInitial" "$lastName" ;;
    "Dallas" ) assignComputerAndHostName DAL "$firstInitial" "$lastName" ;;
    "Los Angeles" ) assignComputerAndHostName LA "$firstInitial" "$lastName" ;;
    "Minneapolis" ) assignComputerAndHostName MIN "$firstInitial" "$lastName" ;;
    "Secaucus" ) assignComputerAndHostName NJ "$firstInitial" "$lastName" ;;
    "Philadelphia" ) assignComputerAndHostName PHI "$firstInitial" "$lastName" ;;
    "San Francisco" ) assignComputerAndHostName SF "$firstInitial" "$lastName" ;;
    * ) echo "No Building assigned" ;;
esac

Works great; the only downside is if an IT person sets up a computer, we get computers like NY-A or some single letter, depending on the administrator account. Usually, I just have a computer rename check done once a week to catch rogue ones like this.

Look
Valued Contributor III

Our machines are in labs so the location is key.
We then include a random number to minimise the chances of AD clashes (even though we check first as well).
Then we have a short alpha code for what the device is used for.

Maximum length was determined by AD limitations, otherwise I probably would have opted for the serial number in the middle, although straight numbers make parsing it easier.

{Room}-{Random Number}{Device Type}

rhooper
Contributor III

This is an excellent thread: We do not use LDAP or AD. Our naming convention in the past has been school Initial_grad yearFILN. Ex: H_22JDoe. Sometimes we have issues though with twins in the same grade and we have to use FNLI as a naming convention.
This year we are up for debate, mostly because we realized that the shared computer name is what is visible to anyone on the WiFi: Private or Public. We need to abide by the CIPA, FERPA and HIPAA guidelines, which is not easy in some instances.
We also need to think of ease of use, both for students and staff using AirDrop, file sharing, etc.

I would love to hear about more schools and how they are doing it. The SN sounds great until the boss needs to find out who owns unit xyz and is watching tons of YouTube videos and robbing bandwidth. Sounds to me like there is no cut and dry pat answer, but many answers and methods. I am very interested in this as I will be tasked with using JAMF MUT in the very near future.

Thanks all

rhooper
Contributor III

@nvandam does this pose an issue when there may be multiple asset number changes?

nvandam
Contributor II

@rhooper , If an asset tag needed to change on a Mac, I have a Self Service policy available that requires a tech log in with their credentials. The policy prompts for the asset tag, the tech types it in, then that gets sent to the JPS and the naming script runs again at that time using the new asset tag stored in the JPS to name the Mac.

bofh
New Contributor III

Generally we have one scheme for all participating ActiveDirectory "Section"-Admins.
As we are hosting an ActiveDirectory for Multiple Universities around Munich we had to develop a Naming System.
There are two parts, the first 7 characters describe the "institution" the computer belongs to.
A sample of Part 1:
MNFKLS1
MN = University abbreviation
FK = Faculty
LS1 = Chair/Institution

A sample of Part 2:
CM12345
CM = Client Mac
12345 = Inventory Number

Part1 and Part2 are separated by a minus, which gives MNFKLS1-CM12345.
Part2 is free to choose by our "section"-admins.

"section"-admins aren't real Domain-Admins; we delegated those rights into their Organisational Units.
As well, we have some visibility stuff set up, so Users of University1 can't see Users (or Computers) of University2.

As a fallback we configured for part2 (if the computer can't find its name in the CMDB), we are setting the last 7 characters of its serial number, as they are unique (regarding Mac computers).
Windows Machines have to be named in SCCM before anyway.

bmarks
Contributor II

If you ever plan to use the DEP provisioning process AND you want to bind using the PreStage configuration, settling on serial number or MAC address might be a good idea. The variables $SERIALNUMBER and $MACADDRESS for the "Client ID" field can be used when binding via the PreStage configuration. Other variables like $COMPUTERNAME won't work since there is no computer name that early in the process. Otherwise, you'd need to re-bind. Again, this recommendation is only if you want to provision this way.
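
Two constraints recur in this thread: the 15-character Active Directory limit, and the concern that a name such as firstname.lastname is visible to anyone on the same network. The sketch below checks both; it is an added example, not code from any poster, and the function names, the 4-character minimum and the sample inventory are assumptions. It only prints names and does not call scutil.

```shell
#!/bin/bash
# Added example, not from the thread. All sample values are constructed.
MAX_LEN=15   # Active Directory computer-name limit cited in the thread

# build_name PREFIX SERIAL: print PREFIX-<serial tail>, at most MAX_LEN chars.
build_name() {
    local prefix serial room
    # Keep only A-Z and 0-9 so the result is valid for AD and as a LocalHostName.
    prefix=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]' | tr -cd 'A-Z0-9')
    serial=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]' | tr -cd 'A-Z0-9')
    [ -n "$prefix" ] && [ -n "$serial" ] || return 1
    room=$(( MAX_LEN - ${#prefix} - 1 ))   # one character goes to the hyphen
    # Assumed policy: fewer than 4 serial characters is too collision-prone.
    [ "$room" -ge 4 ] || return 1
    # Keep the tail of the serial when the whole serial does not fit.
    if [ "${#serial}" -gt "$room" ]; then
        serial=$(printf '%s' "$serial" | tail -c "$room")
    fi
    printf '%s-%s\n' "$prefix" "$serial"
}

# name_leaks_user NAME "Real Name": exit 0 if NAME contains any part of the
# real name that is 3 or more letters long (case-insensitive), else exit 1.
name_leaks_user() {
    local name part
    name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    for part in $(printf '%s' "$2" | tr '[:upper:]' '[:lower:]' | tr -c 'a-z' ' '); do
        [ "${#part}" -ge 3 ] || continue
        case "$name" in *"$part"*) return 0 ;; esac
    done
    return 1
}

# Constructed inventory: prefix|serial|assigned user.
while IFS='|' read -r prefix serial user; do
    name=$(build_name "$prefix" "$serial") || { echo "skip $prefix: no room for serial"; continue; }
    if name_leaks_user "$name" "$user"; then note="embeds user name"; else note="ok"; fi
    printf '%-16s %s\n' "$name" "$note"
done <<'EOF'
ITS|C02XK1ABJG5H|Jane Doe
AB3|hgbdg7d1|John Smith
MNFKLS1MNFKLS|C02XK1ABJG5H|Erika Muster
EOF
```

The same `name_leaks_user` check can be run over an exported list of existing computer names and assigned users to find devices that still advertise a person's name.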