yesterday
Hi everyone,
In a nutshell, here’s how device enrollment is done at my company:
Just after the 3rd step, many configuration profiles are applied, such as FileVault and Preferences Restrictions. There’s also a policy that runs—let’s call it "Enrollment Company."
"Enrollment Company" is triggered by the enrollment and executes a script that configures system settings and manages user accounts during device setup. This includes functions to ensure network availability, verify the type of enrollment, manage user creation and login, and handle system configurations through launchd tasks to ensure devices are correctly set up according to organizational policies.
When it's completed, the script initiates the next policy, triggered by "launch-EnrollmentPolicies." This policy includes a script that sets up system preferences, installs essential applications like Google Chrome and Zoom, and configures device security features such as FileVault and EFI passwords. It ensures network connectivity, notifies the user of the ongoing processes via notifications, and ultimately reboots the system to complete the setup.
After that, the enrollment is complete, and the user can start using the computer.
I was attempting to configure DEP Notify on my test device, and this is what I have done so far:
The enrollment doesn’t even start to run my "Enrollment Company - Clone" policy.
Please bear with me, as I’m relatively new to this environment. Could I get any tips on what might be going wrong?
yesterday
What trigger and frequency are you using for this policy? Is your test device scoped to this policy correctly? If you open the clone policy and click on Logs, are you able to see your test device?
yesterday
Hi @paczo,
Please check the trigger and frequency of the cloned policy scoped to the test machine.
You can also trigger the policy by running "sudo jamf policy -verbose" and check if it executes.
You can also check jamf.log at /private/var/log/jamf.log.
Thanks.
yesterday
@paczo check those policies for their Execution Frequency. If it is set to once, then you need to flush the log for your test Mac.
3 hours ago
Thank you everyone for your responses. However, I need help understanding how to implement this in Jamf.
Our Apple Business Manager (ABM) adds every computer during purchase. In Jamf, we have a Prestage Enrollment named 'Google,' as all devices are enrolled using Google Workspace.
This Prestage Enrollment only sets the local admin password and includes four configuration policies for installation—nothing more.
When I check the policy logs on a recently enrolled device, the first policy that executes is 'Enrollment - Company,' which runs the 'ENROLLMENT Bulletproof Enrollment' script.
My question is: where is it defined when and to which devices this policy should apply?
The scope of 'Enrollment - Company' includes every computer, with the trigger set to:
The Execution Frequency is set as Ongoing.