Creating/Assigning a new management account

mkimmel_us
New Contributor II

We need to remove the user account that is currently being used for the management account. What is the process for creating a new management account (hidden, preferably)? The admin guide does not make the process very clear to me, and the last thing I want to do is re-enroll everyone since that strips existing policies.

Thanks

Mike


rderewianko
Valued Contributor II

If you're re-enrolling them it shouldn't strip existing policies, as it's not creating a new computer record.

mm2270
Legendary Contributor III

@rderewianko, actually re-enrolling Macs can in fact make certain policies run again, but it depends on the type of policies.

Personally I wouldn't be too concerned about policies running again. In the cases where we've seen it, it's usually only for ones that are set to Ongoing.

That said, this can be done without re-enrollment, I believe, though I've never actually tried it this way.

Pre-create the management account on your Macs via a policy. This can be done a few different ways. There's the built-in Create Account section under "Accounts", or you can script it using dscl or other tools. You can also look at some package installer tools like CreateUserPkg: https://github.com/MagerValp/CreateUserPkg

However you do it, you'll need some way to identify the Macs that have run that policy for the next step. Maybe drop a file on the system for an EA, or use a package receipt if you decide to do it with CreateUserPkg for example.
Once you know which have run it and you can group them together in a search, pull them up in Inventory and, in the "Take Action on Results" menu, choose "Edit Management Account". The wording for these things may be different under version 9. The above is from 8.71, but the basic idea is the same. It will ask you for existing account info and the new account you want to use. Just enter the credentials for whatever new account you created and let the JSS update its records for those Macs. If there are some Macs left to run the policy you'll need to do this process a few times. There's no way I know of to automate the above step. It needs to be done from a search in the JSS web app.

Lastly, you may want to create an Extension Attribute like one that I posted here to help determine what account they're actually using. (Note this is no longer needed in version 9):
https://jamfnation.jamfsoftware.com/discussion.html?id=7575

Hope that helps get you started in the right direction.

mkimmel_us
New Contributor II

@mm2270, Thanks for the tips. I downloaded the CreateUserPkg app, and am trying that now.

We have had policies removed in the past, primarily due to our novice status as Casper users. The ones that are most disruptive to us at the moment are the removal of wifi network profiles that provide teachers with their only way to access the Internet without the normal student filters. It's a very disruptive event for them when it occurs, and it has happened a few times too many already this semester.

Mike

mkimmel_us
New Contributor II

I've been able to create a hidden account using the CreateUserPkg app, but see no way to assign that user as the management account.

I have also tried creating a special quickadd package that does it, but, as I mentioned initially, the first thing it does is rip out all profiles - including the wireless network profile that we use. That won't work for us.

Any help that anyone can provide would really be appreciated.

Thanks

Mike

mm2270
Legendary Contributor III

Unless you're moving clients over to the new account at the time that something like a new QuickAdd pkg is being installed, your only option is to use the "Action" button to change the management account on Macs that you pull up from an Inventory search, as I mentioned above. I don't think there's any other way to effectively do this other than QuickAdd or re-enrollment, which you're saying isn't an option for you.

So try something like this:
1 - Using the account you set up within the CreateUserPkg package, create an Extension Attribute that will detect if the account exists on the Mac or not and report that. For example, if the account name is 'hiddenadmin', use something along these lines:

#!/bin/sh

# Look for an exact match of the account name in the local directory's user list
hiddenadmin=$( dscl . list /Users | grep "^hiddenadmin$" )

if [ "$hiddenadmin" ]; then
    result="Yes"
else
    result="No"
fi

# Jamf takes the value between the <result> tags as the EA's value
echo "<result>$result</result>"

2 - Using a policy, deploy the CreateUserPkg you created to all managed clients. Over time, as Macs run the policy successfully, they will start reporting as "Yes" in the above Extension Attribute, since the account will now exist on them.

3 - If this is JSS version 8.x we're talking about, use the link above in my previous post on how to create another Extension Attribute that reports the management account used on your Macs. The EA isn't necessary anymore with version 9 since the Management Account used is a built in criteria item.

4 - Using the main Inventory, use the above 2 Extension Attributes to pull up any Macs where the "hiddenadmin" account exists, but is NOT the management account in use. So criteria like:

New Management Acct Exists  |  is  |  "Yes"
and
Management Account   |  is not   |  "hiddenadmin"

5 - Once you have a search done to pull up Macs with the account present but not using it as the Management Account, use the "Take Action on Results" or just "Action" button (depending on JSS version) and choose to update the management account on all them in one shot on the next screen.

You'll need to repeat that last step until you've got them all taken care of. Initially you'll probably have a large number show up and each search will pull up fewer and fewer machines, until eventually it'll just be stragglers. Make sure to give some time between the searches since you'll want the Mac to report in with new inventory to update the above Extension Attributes.
You could also consider making a Smart Group to alert you to any Macs reporting in with the new account on them but still using your old management account.

There is one caveat (that I know of) to the above approach, which is that it appears you'll need to know the old username and password for the management account, as well as the new one. It looks like it will fail to switch the account over without that. If you have a static name/password, no problem, but if you were doing something like randomizing the account password on your Macs, this would cause an issue.
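As an added example (not mm2270's script or anything from Jamf), here is a variant of the step 1 Extension Attribute that goes a little further than the "Yes/No" check above: it reports whether the account exists and whether it is actually in the local admin group, so a search can separate Macs that are ready to be switched ("Ready") from ones where the package only half-applied ("NotAdmin"). The account name 'hiddenadmin' is the thread's example; the checks are written as functions that take the dscl output as text, and when dscl is not available (e.g. off a Mac) the script falls back to a constructed sample user list so it still runs.

```shell
#!/bin/sh
# Added example EA: report Ready / NotAdmin / Missing for a local account.
# Assumes the account name from the thread ('hiddenadmin'); override with $1.

ACCOUNT="${1:-hiddenadmin}"

# account_present USERLIST NAME -> "Yes" if NAME is an exact line in USERLIST.
# USERLIST is the newline-separated output of `dscl . list /Users`.
account_present() {
    printf '%s\n' "$1" | grep -qx "$2" && echo "Yes" || echo "No"
}

# is_admin MEMBERSHIPLINE NAME -> "Yes" if NAME is listed in the admin group.
# MEMBERSHIPLINE is the output of `dscl . read /Groups/admin GroupMembership`,
# which looks like "GroupMembership: root alice hiddenadmin".
is_admin() {
    for member in $(printf '%s\n' "$1" | sed 's/^GroupMembership: *//'); do
        [ "$member" = "$2" ] && { echo "Yes"; return 0; }
    done
    echo "No"
}

# ea_result USERLIST MEMBERSHIPLINE NAME -> the <result> line Jamf will store.
ea_result() {
    if [ "$(account_present "$1" "$3")" = "Yes" ]; then
        if [ "$(is_admin "$2" "$3")" = "Yes" ]; then
            echo "<result>Ready</result>"
        else
            echo "<result>NotAdmin</result>"
        fi
    else
        echo "<result>Missing</result>"
    fi
}

# On a Mac, read live data from the local directory; elsewhere use a
# constructed sample (labelled here) so the script is runnable anywhere.
if command -v dscl >/dev/null 2>&1; then
    USERS=$(dscl . list /Users)
    ADMINS=$(dscl . read /Groups/admin GroupMembership)
else
    USERS="root
nobody
hiddenadmin
teacher"                                   # constructed sample user list
    ADMINS="GroupMembership: root hiddenadmin"  # constructed sample admin group
fi

ea_result "$USERS" "$ADMINS" "$ACCOUNT"
```

With this EA the step 4 criteria become "New Management Acct Status is Ready" and "Management Account is not hiddenadmin"; a Mac reporting "NotAdmin" tells you the account was created without admin rights and the switch would fail on it anyway.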

mkimmel_us
New Contributor II

@mm2270, this is great! I actually misread your initial comment, and wasn't looking at the Actions on the search results screen. I was trying to find it on the policy and/or device pages themselves. :-)

This makes things much simpler.

Thank you!

Mike