Enforce Mac Computer Name

Contributor III


For employee-assigned Macs, we manually name the computer via Self Service when setting it up.

/usr/sbin/scutil --set ComputerName "${computerName}"
/usr/sbin/scutil --set LocalHostName "${computerName}"
/usr/sbin/scutil --set HostName "${computerName}"

However, this does not stop the employee from going into System Preferences and changing the name. Is there a way to enforce Mac computer names like there is on iPads? A cursory search seems to indicate there is not, at least not as simply as you can on an iPad.


Valued Contributor

Remove admin rights. It's the only way.

Contributor III

Maybe create a script that runs once per day/week/month and sets it. You would have to set that name somewhere else first unless you use the serial number. For example, you can create a file in somewhere like "/Library/Application Support/MyOrg/macName.txt" and put the name in there to read. Setting an Extension Attribute in Jamf would be better since someone could modify the file locally (accidentally or otherwise).
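
A periodic check of the kind suggested above, as an added example that is not part of the original post: it derives the expected name from the serial number, compares all three names that `scutil` manages, and resets only the ones that differ. `NAME_PREFIX`, the function names and the `SCUTIL` override are assumptions for illustration.

```shell
#!/bin/bash
# Added example: reset any of the three macOS names that drifted from the
# expected value. NAME_PREFIX and the SCUTIL override are assumptions.
NAME_PREFIX="${NAME_PREFIX:-MAC}"
SCUTIL="${SCUTIL:-/usr/sbin/scutil}"

# Read the hardware serial number from the I/O Registry.
get_serial() {
    /usr/sbin/ioreg -c IOPlatformExpertDevice -d 2 |
        awk -F\" '/IOPlatformSerialNumber/{print $(NF-1)}'
}

# Build the expected name from a serial. Only letters, digits and hyphens
# are kept, so the result is valid for LocalHostName as well.
expected_name() {
    local serial
    serial=$(printf '%s' "$1" | LC_ALL=C tr -cd 'A-Za-z0-9-')
    [ -n "$serial" ] || return 1
    printf '%s-%s\n' "$NAME_PREFIX" "$serial"
}

# Check ComputerName, LocalHostName and HostName; rewrite only the ones
# that differ and print one line per correction for the policy log.
enforce_name() {
    local want="$1" key have changed=0
    for key in ComputerName LocalHostName HostName; do
        have=$("$SCUTIL" --get "$key" 2>/dev/null) || have=""
        if [ "$have" != "$want" ]; then
            "$SCUTIL" --set "$key" "$want" || return 1
            echo "reset $key: '$have' -> '$want'"
            changed=1
        fi
    done
    if [ "$changed" -eq 1 ] && [ -x /usr/bin/dscacheutil ]; then
        /usr/bin/dscacheutil -flushcache
    fi
}

main() {
    local want
    want=$(expected_name "$(get_serial)") || { echo "no serial found" >&2; exit 1; }
    enforce_name "$want"
}

# scutil --set needs root, and scutil exists only on macOS.
if [ -x "$SCUTIL" ] && [ "$(id -u)" -eq 0 ]; then main; fi
```

Because the expected name comes from the hardware serial rather than from the inventory record, a rename that has already synced to Jamf Pro does not change what the check enforces.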

New Contributor II

I am using this script to verify if the hostname is correct; if it's not, force-change it.

#!/bin/bash
# Get serial from ioreg and assign
serial=$(ioreg -c IOPlatformExpertDevice -d 2 | awk -F\" '/IOPlatformSerialNumber/{print $(NF-1)}')
# Create temporary hostname/serial csv file. You can adjust/add/remove hostname/serials here.
# The file path and the rows are missing from the page: mktemp supplies a path,
# and the two rows below are placeholders in the form hostname,serial.
listlocation=$(/usr/bin/mktemp /tmp/maclist.XXXXXX)
/bin/cat << EOF > "$listlocation"
PLACEHOLDER-HOSTNAME-1,PLACEHOLDER-SERIAL-1
PLACEHOLDER-HOSTNAME-2,PLACEHOLDER-SERIAL-2
EOF
# Initialize macname to null
macname=""
currenthostname=$(hostname -s)
# Loop through CSV looking for a match
while IFS=',' read -r loc ser; do
    if [ "$serial" == "$ser" ]; then
        macname="$loc"
        echo "Serial matched with name: $macname"
    fi
done < "$listlocation"
echo "$macname" | od -c
# If macname is not null, use scutil to rename. Otherwise user must manually rename
if [[ -z $macname ]]; then
    echo "This computer was not found on the list, you must manually rename it."
elif [[ "$currenthostname" = "$macname" ]]; then
    echo "Hostname hasn't changed, exiting script."
    rm "$listlocation"
    exit 1
else
    echo "Setting Host Name to $macname"
    /usr/sbin/scutil --set HostName "$macname"
    echo "Setting Computer Name to $macname"
    /usr/sbin/scutil --set ComputerName "$macname"
    echo "Setting Local Host Name to $macname"
    /usr/sbin/scutil --set LocalHostName "$macname"
    # Flushing cache
    /usr/bin/dscacheutil -flushcache
fi
jamf recon
rm "$listlocation"
exit 0

Contributor II

We use a maintenance policy to reset computer names (once a day):


Contributor III

Thanks for the responses everyone. Gives me a lot to chew on.

@chrisB, I've noticed recently that if someone changes the name on their Mac, it pushes the change to Jamf Pro. I didn't think this was the case, but saw this in action yesterday. User with admin rights got his Mac, and the first thing he did was to go into System Preferences > Sharing and change it. And then that change showed up in Jamf Pro.

Do you notice this in your environment? If so, wouldn't that Reset Computer Name policy not have the right name anymore to refresh?

New Contributor II

I have kept my Mac hostname script in an ongoing state, where during every policy refresh (5-minute interval) it checks the name and renames it as per the script. Even if the user intentionally changes the name or software enforces a name change, it will revert it as per the script. As per our script, the hostname will be the user's local initial-serial no. The user location is picked up through an Azure query and stored in Jamf. You can even cache the script locally. This doesn't slow down the Mac at all.

Honored Contributor

I just put the reset computer names function in a daily compliance script I run on all endpoints. That way if the computer name is wrong, it just gets reset. They eventually give up.

New Contributor II

We name our Macs based on the user they are registered to in Jamf. I wrote a script a while back that checks to see if the name of the Mac matches the name of the registered user. It uses an API call to request the device record and then parse out the needed data. You could pull the serial number or another piece of data that your naming convention relies on instead of the user name. This is the working version of the script that asks for the user's credentials. The version I deploy in Jamf has an account with limited permissions baked into the script so that it can be automated. I hope this is helpful.


server="[your Jamf Pro Server URL]" #Server URL

res=$(sudo jamf recon) #Reads recon data into a variable

echo "User Name"
read -r user
echo "Password"
read -rs password

#Finds the Device ID in the recon results and places it in a variable
computerID=$(echo "$res" | grep -o "<computer_id>.*</computer_id>" | sed 's/[^0-9]*//g' | xargs)
echo "$computerID"

#Requests the device record and places the results into a variable
#(-k is not used, so curl verifies the server certificate before it sends the credentials)
res2=$(curl -fu "$user:$password" -H "Accept: text/xml" "$server/JSSResource/computers/id/$computerID" -X GET)

#Finds the username of the person assigned to the device and places it into a variable
userName=$(echo "$res2" | xmllint --format - | awk -F' ' '{ print $0 }' | grep -o -m 1 "<username>.*</username>" | sed -e 's/<[^>]*>//g')
echo "$userName"

#Finds the current computer name and places it into a variable
currentName=$(echo "$res2" | xmllint --format - | awk -F' ' '{ print $0 }' | grep -o -m 1 "<name>.*</name>" | sed -e 's/<[^>]*>//g')
echo "$currentName"

#Creates the correct computer name and places it in a variable
#(the assignment is missing from the page; using the assigned username as the
#name is an assumption based on the description above)
computerName="$userName"
echo "$computerName"

#Compares the current computer name to the correct one and sets it to the correct one if they do not match
if [ "$currentName" != "$computerName" ]; then
    sudo jamf setComputerName -name "$computerName"
    sudo jamf recon
fi
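
The record lookup described in the post above, as an added example that is not the poster's code: the curl options, password included, are passed on standard input with `--config -` so the credentials stay out of the process list, and the record is read by XPath rather than grep. The function names and the XPath are assumptions; the server URL, account and computer ID come from the caller.

```shell
#!/bin/bash
# Added example. Function names and the XPath are assumptions for illustration.

# Escape \ and " so a value is safe inside a double-quoted curl config parameter.
curl_quote() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Write a curl config for one computer record lookup to stdout.
# printf is a shell builtin, so the password never appears in a process
# argument list. There is no "insecure" line: certificate checks stay on.
jamf_curl_config() {    # args: server user password computerID
    case "$4" in
        ''|*[!0-9]*) echo "computer ID must be numeric" >&2; return 1 ;;
    esac
    printf 'url = "%s/JSSResource/computers/id/%s"\n' "$(curl_quote "$1")" "$4"
    printf 'user = "%s:%s"\n' "$(curl_quote "$2")" "$(curl_quote "$3")"
    printf 'header = "Accept: text/xml"\n'
    printf 'fail\nsilent\nshow-error\n'
}

# Extract one value from the XML record on stdin by XPath.
record_field() {
    xmllint --xpath "string($1)" -
}

# Fetch the record and print the assigned user. The XPath is an assumption
# about the record layout; adjust it to the XML your server returns.
assigned_user() {       # args: server user password computerID
    local xml
    xml=$(jamf_curl_config "$@" | curl --config -) || return 1
    printf '%s' "$xml" | record_field '/computer/location/username'
}
```

Call it as `assigned_user "$server" "$user" "$password" "$computerID"`; for a version with a baked-in account, keep that account read-only, since anyone who can read the script can read its password.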