Deleting Macs from Jamf

Utilizator
Contributor

We have 6 Macs running High Sierra that are either broken, lost/stolen or in an office that is currently locked due to COVID.

If we delete these Macs from Jamf Pro, will they re-enrol if they are ever powered back on? We don't want them using up a license as we know they are unusable, but wondered how they will behave if they are ever powered on.

Any other advice about managing stolen/lost/broken devices would be greatly appreciated.

8 REPLIES 8

mm2270
Legendary Contributor III

@jay-kay They will not auto re-enroll when they come back online. You'd need to have the user self re-enroll with user initiated enrollment, or use some other method, like a tech touching the device. While the jamf framework will remain on the Macs, when it attempts to connect back to the Jamf server, it'll fail since there is no corresponding record in the database for it to connect to.

You can set these Macs to "unmanaged" in Jamf by going into their records and clicking Edit on the General tab, then uncheck the box that says "Allow Jamf Pro to perform management tasks". This removes the management account information. Click Save and the device should then show up as an Unmanaged computer.
Generally speaking, these unmanaged computers don't tend to count toward your license usage, but you should check in with your Jamf buddy/account manager to be certain on that. If you explain to them what you're trying to do, they should be able to advise if this is an acceptable method for your environment.

cwaldrip
Valued Contributor

For lost/stolen devices, assuming they're enrolled in DEP, then you can add them to a separate prestage enrollment just for such devices. Then if the new 'owner' wipes the machine and tries to set it up they'll get reenrolled and you can lock them out of the machine by not allowing a local account to be created, enabling firmware password, etc.

Utilizator
Contributor

That is brilliant, I am setting that up right now. Thanks for this, very very useful.

robmorton
Contributor

Along with the suggestions for the DEP options, also make sure to put contact information in the system enrollment. As odd as it sounds, there is a chance that someone will try to reset the device and realize it was stolen and then just walk away from it. Someone else may find it and return it if they see how to contact you.

MatG
Contributor III

We seem to spend an age chasing users about devices not checking-in to find its, lost, stolen, broken or they have decided not to use the $3k Mac and its in a drawer.

Pre-covid we had a strict 90 day rule if the device did not check-in it was deleted from Jamf to free up a licence, we have to be a bit more flexible with users on this now as some left their Mac's onsite and are still not allowed to go get them, no idea how they are managing to work.

Issue is if you delete from Jamf the device can still be used by the owner, they will not notice much difference and we won't know its back in use and if its macOS release time obviously any restrictions you add in Jamf won't be adhered to so you suddenly find a user on macOS whatever calling the helpdesk.

robmorton
Contributor

We have been discussing an option where we push a script to the devices that will see if jamf is installed on a regular basis and if not redirect to the enrollment page. Possible having a phase 2 portion that gets called after so many fails that deletes office or chrome or something like that. Heck, rename all of the user's folders username.FollowDirections. Then when they log in and all data is "gone" they will call. Of course this would all have to be done ahead of time, but would be a possibility going forward.

To be clear, the only thing Jamf would have to do with this is pushing the script out initially.

reidg
New Contributor III

I wish Jamf would build in some sort of notification that the Mac is trying to communicate with Jamf but the computer object has been deleted. We are hesitant to delete computers because if they come back online we will never see them in Jamf. I guess is a way for Jamf to keep license counts up.

A couple options for notifications would be to pop up on the user's computer whenever a check-in failed because the Mac isn't in Jamf and add a failed communication report in Jamf Pro console.

In the Windows world, if a PC is deleted in SCCM and comes back online, it will be re-added in SCCM as managed.

reidg
New Contributor III

Looks like this has been a feature request under review since 2013. Vote it up: https://www.jamf.com/jamf-nation/feature-requests/1072/self-re-enroll-a-mac-in-the-jss-after-it-s-be...