Easy enroll method with Sequoia and ABM

PPAict
New Contributor III

Good morning.
This is my situation:
I have about 60 Macs already in use by my colleagues, but they have recently been added to ABM by our reseller.
I would like to enroll them, and I know that with Sequoia the need for admin rights to perform "profiles renew -type enrollment" has been removed.
However, to be able to send an email containing a "one click" process for the end user, there is still a problem: Gatekeeper.
I tried to create a shell script with Automator, a .command script, or an app with AppleScript.
Nothing, Gatekeeper intervenes anyway.
Any alternative method?
...other than having to sign the script with a developer account?

Thanks


jamf-42
Valued Contributor II

Are these devices already in JAMF? If so, you can create a Self Service policy with 'profiles renew -type enrollment'.

PPAict
New Contributor III

No, they aren't, that's the problem :)

They are active and were only recently added to ABM, so they need to be reinitialized or to run that command; I'm only trying to create the smoothest possible process.

jamf-42
Valued Contributor II

It's a bitter pill, but really, to 'do things properly' they should be wiped and enrolled. That way you know exactly the state of the device and what is installed (as it's all deployed/configured from JAMF).

If they already have FileVault, local admins, or iCloud set up, along with who knows what apps installed, you are inheriting a mess.

Your other option, if you want the mess, is to send out an invite via JAMF and get them to enroll manually.

Then, once enrolled, you can get them to run a re-enrollment via a Self Service policy, moving them from self-enrolled to ABM/supervised.
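As an added example (not code from the thread or from Jamf), here is the kind of Self Service policy script the post above describes: it checks whether the Mac is already enrolled via ABM/DEP and only then runs 'profiles renew -type enrollment'. It assumes the output format of 'profiles status -type enrollment' on macOS 14/15 (lines "Enrolled via DEP: Yes|No", "MDM enrollment: ...", "MDM server: ..."); the sample outputs and the server URL are constructed, not captured from a real Mac, so the decision logic can be exercised on any host.

```shell
#!/bin/sh
# Added example, not code from the thread. Jamf Self Service policy script
# that moves a user-enrolled Mac to an ABM (DEP) enrollment only when that
# is actually needed. Assumes `profiles status -type enrollment` prints:
#   Enrolled via DEP: Yes|No
#   MDM enrollment: Yes (User Approved) | No
#   MDM server: <url>

# Constructed sample outputs (not captured from a real device) so the
# decision logic can be exercised without a Mac.
SAMPLE_SELF_ENROLLED='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)
MDM server: https://jss.example.com:8443/'
SAMPLE_ABM_ENROLLED='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)
MDM server: https://jss.example.com:8443/'

# enrollment_action STATUS_TEXT
# Prints one of:
#   already-dep  ABM/DEP enrollment already present, nothing to do
#   renew        not enrolled via DEP, so `profiles renew` should run
#   unknown      the status text did not contain the expected line
enrollment_action() {
    status_text=$1
    dep=$(printf '%s\n' "$status_text" | sed -n 's/^Enrolled via DEP: //p')
    case "$dep" in
        Yes) echo already-dep ;;
        No)  echo renew ;;
        *)   echo unknown ;;
    esac
}

main() {
    status_text=$(profiles status -type enrollment 2>&1) || {
        echo "profiles status failed: $status_text" >&2
        exit 1
    }
    case "$(enrollment_action "$status_text")" in
        already-dep)
            echo "Already enrolled via ABM/DEP, nothing to do." ;;
        renew)
            # Needs network access. This only queues the ABM enrollment;
            # the user still has to approve the notification in System
            # Settings before the device is supervised.
            echo "Requesting ABM enrollment ..."
            profiles renew -type enrollment ;;
        *)
            echo "Could not parse enrollment state:" >&2
            printf '%s\n' "$status_text" >&2
            exit 1 ;;
    esac
}

# Only touch the real system when the macOS `profiles` tool exists;
# elsewhere this file just defines the functions and samples above.
if command -v profiles >/dev/null 2>&1; then
    main
fi
```

Run it as a Self Service policy script (Jamf executes it as root, so the admin-rights question from the original post does not arise there). The check up front keeps the policy idempotent: users who click it twice, or who were already ABM-enrolled, do not get a second enrollment prompt.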

 

AJPinto
Esteemed Contributor

You will need to use the local admin account on the device, enroll the devices into Jamf, run the profiles command, and follow the prompts in System Settings. Depending on how things are configured, just running the profiles command may be sufficient, but I prefer to manually enroll so the devices are at least managed if something goes wrong.

 

If you want to do this hands off you will need to reinstall macOS.

Lasse
Contributor II

I was in the end-user position in this case with a previous employer. Local admin was required to install the MDM script, which in hindsight seems to have been an Automator script. It is heaps better than the alternative, waiting until a reinstall is required for other issues or until an old computer is swapped for a new one.

Just make sure to inform the end users well, so they understand what it implies and what they can expect afterwards (auto updates, apps served based on role, easier rollouts of new functionality).

snowfox
Contributor III

What version of macOS are these devices running? Someone correct me here if this info is wrong. I was under the impression that from macOS 14 onwards, devices that are set up offline but are registered in ASM/ABM receive an 8-hour grace period before being presented with a full-screen Setup Assistant for mandatory MDM enrollment (internet connection required).

I've had members of staff who set up their Mac offline because they didn't want it managed and then came to us asking how to get out of this full-screen Setup Assistant that had suddenly appeared (after they upgraded from 13 to 14). We told them: you can't. Enroll your 'company-owned' device.

I would advise you to get management behind you and create a corporate policy that all devices must be enrolled in MDM to be compliant for cybersecurity purposes.  Pulling the cybersecurity card usually leaves people with nowhere to go in terms of arguing because they are now putting the company at risk.