Posted on 02-27-2018 08:41 AM
We are currently running Version 9.101.4.
We are getting close to rolling out Jamf to our faculty and staff desktops that are already in the field. I would like to send an enrollment invitation out to specific users, and have them enroll their desktop with the email link. In many cases I will not know what Building, Department, or Room they are in.
I would like to create a Smart Group to be used as the Scope for the Self Service Policies for this subset of desktops that:
• are already in the field
• have never been managed before
• would only have the user's email address as the identifier
My goal is:
• Send email invitation to user for enrollment into Jamf.
• Have user enroll their desktop with the Quick Add package that is downloaded
• Have the desktop enroll in a Smart Group that would be used as the Scope for my Self Service Policies.
• On the initial launch of Self Service all of the Scoped Policies would be presented.
The only enrollment criteria I see that comes close to this is 'Enrollment Method: PreStage enrollment'. Many of these desktops will not be available via DEP because of their age and how they were purchased, so that won't work for me. I did notice that the criteria I am looking for is available for Mobile Devices, but not Desktops.
I tried with a Criteria of 'Applications Title' is not 'Self Service.app' (since Self Service would not be installed at this point), which worked great until an Inventory Check was done and the desktop was removed from the Smart Group. That resulted in all of my Self Service policies being removed.
How can this be accomplished? Can I create a customized QuickAdd Package that would be pushed via the enrollment email invitation that would put these desktops into a specific Smart Group? Is there a simpler way? Is my approach for this completely off base?
Cheryl Tarbox
Binghamton University
Posted on 02-27-2018 11:17 AM
@ctarbox Cheryl, I think you can use the following for Smart Group criteria:
Packages Installed By Installer.app/SWU | has | com.jamfsoftware.osxenrollment
This works because the enrollment URL generated QuickAdd uses a "com.jamfsoftware.osxenrollment" identifier, and since it gets installed using the regular Installer.app, using that information should gather machines that get enrolled that way, as opposed to any Macs that might be imaged for example, or that get enrolled with a Recon.app generated QuickAdd.pkg. You could always make sure the Recon QuickAdd has its own unique identifier and build a different Smart Group of those machines. Nvm that last part. The Recon generated QuickAdd already adds its own identifier in the form of "QuickAdd<JamfProVersion>"
I would probably add to that Smart Group with some Extension Attributes or other built-in criteria to make sure any machines that get the policies presented really haven't run those policies in the past, like making sure any apps you are presenting aren't already on the device. The reason is, someone could always "re-enroll" if they get the enrollment URL, and when they do, that package receipt will then be present on their Mac and they will land in that Smart Group. So, best to add additional criteria items in to make sure the policies are being presented to the right group.
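The receipt check described in the reply above, written as an Extension Attribute style script. This is an added example, not part of the thread and not Jamf's own code. The function name `classify_enrollment`, the result strings, and the sample receipt list are assumptions made for illustration; the two identifiers are the ones quoted in the reply.

```shell
#!/bin/sh
# Classify how a Mac was enrolled from its installer package receipts.
# Input (stdin): one receipt identifier per line, as `pkgutil --pkgs` prints.
# Identifiers come from the reply above:
#   com.jamfsoftware.osxenrollment -> QuickAdd from the enrollment URL
#   QuickAdd<JamfProVersion>       -> QuickAdd generated by Recon.app
classify_enrollment() {
    receipts=$(cat)
    url=no
    recon=no
    # Exact, fixed-string match so similar identifiers do not count.
    if printf '%s\n' "$receipts" | grep -qxF 'com.jamfsoftware.osxenrollment'; then
        url=yes
    fi
    # Recon receipts are assumed to start with "QuickAdd" plus a version.
    if printf '%s\n' "$receipts" | grep -q '^QuickAdd'; then
        recon=yes
    fi
    case "$url/$recon" in
        yes/yes) echo "URL and Recon QuickAdd" ;;  # enrolled both ways at some point
        yes/no)  echo "URL QuickAdd" ;;
        no/yes)  echo "Recon QuickAdd" ;;
        *)       echo "None" ;;
    esac
}

if command -v pkgutil >/dev/null 2>&1; then
    # On a Mac: report the value in the <result> form used by extension attributes.
    echo "<result>$(pkgutil --pkgs | classify_enrollment)</result>"
else
    # Elsewhere: run against a constructed sample receipt list.
    printf '%s\n' 'com.apple.pkg.Core' 'com.jamfsoftware.osxenrollment' \
        'QuickAdd0.0.0' | classify_enrollment
fi
```

A Mac reporting "URL and Recon QuickAdd" carries both receipts, which is the re-enrollment situation the reply says needs extra criteria before Self Service policies are scoped to it.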
Posted on 02-27-2018 11:21 AM
I have opted to go with a Criteria based on the desktop's S/N, which will need to be gathered and input in the Smart Group's Criteria before the email enrollment invitation is sent out. Was looking more for a 'Zero-Touch' solution, but this will work. Plus, by having the S/N, I can run it through our DEP to see if it may exist there and opt to go with a PreStage Enrollment for the particular desktop.
If anyone does have any other suggestions on how to accomplish my original post, I'm open to hearing them.
Cheryl