Hello, with Recon and User-Initiated enrollment, there's no way to automatically exempt it from all policies. If you enroll via Terminal, you can stop the binary from enforcing the management framework and checking for enrollment-triggered policies.
Usage: jamf enroll [-prompt | -invitation] [-noRecon] [-noManage]
-prompt Prompts for JSS and SSH credentials.
-invitation Uses an invitation ID for credentials instead of a user name and password.
-noRecon Stops enroll from acquiring inventory.
-noManage Stops enroll from enforcing the management framework.
-noPolicy Stops enroll from checking for enrollment policies.
Having said that, you will still have to exempt machines in all of your policies going forward. We have asked Jamf for a read-only/inventory enrollment for a while now. I don't know if they'll implement it in Jamf Pro 10 or not. In the meantime, we created our own read-only QuickAdd that removes the launch daemons, preventing any policy from being pushed to the machine.
I've wondered basically the same thing, how to delay policies until I'm ready for them to run. I haven't done this yet but I don't see why it wouldn't work...
- During the imaging process, add a file/folder to the Mac
- Scope a smart group to look for that file/folder; this is the exclude group
- Add the "exclude" smart group to the exclusion section of any policies you don't want to automatically run on Macs
Now that it's set up...
- Image / Deploy a Mac like normal
- When it enrolls it will run the inventory, find the exclusion file and add the Mac to the exclude group
- Do what needs to be done to finish setting up the Mac
- Remove the file when you're finished
- Now, the next time the Mac runs inventory it will remove itself from the exclude group and the policies will start to trigger
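The marker-file workflow above, as an added shell example (not code from the thread or from Jamf): a Jamf Extension Attribute script that reports whether the deployment marker is present, so a smart group can key off the EA value, plus the imaging-time step that creates the marker and the finishing step that removes it and runs `jamf recon` so the Mac leaves the exclusion group right away instead of at the next scheduled inventory. The marker path, the EA values "In Progress"/"Complete", and the `DEPLOY_MARKER` override are assumptions chosen for the example; the `<result>...</result>` output format and `jamf recon` are Jamf's own conventions.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed marker path; the
# DEPLOY_MARKER environment variable lets the functions be exercised on a
# machine that is not being imaged.
MARKER="${DEPLOY_MARKER:-/Library/Management/.deploy_in_progress}"

# Value the exclusion smart group's criterion matches on
# (assumed EA values: "In Progress" while the marker exists, else "Complete").
deploy_state() {
    if [ -e "$1" ]; then
        echo "In Progress"
    else
        echo "Complete"
    fi
}

# Jamf Extension Attribute scripts report their value inside <result> tags.
report_ea() {
    echo "<result>$(deploy_state "$MARKER")</result>"
}

# Imaging-time step: create the marker so the enrollment recon places the Mac
# in the exclusion group. Returns non-zero if the marker could not be created.
mark_in_progress() {
    mkdir -p "$(dirname "$1")" && touch "$1"
}

# Finishing step: remove the marker, then update inventory immediately so the
# Mac drops out of the exclusion group and scoped policies can start.
finish_deployment() {
    rm -f "$1" || return 1
    # The jamf binary only exists on an enrolled Mac; skip recon elsewhere.
    if [ -x /usr/local/bin/jamf ]; then
        /usr/local/bin/jamf recon
    fi
}

case "${1:-}" in
    mark)   mark_in_progress "$MARKER" ;;
    finish) finish_deployment "$MARKER" ;;
    *)      report_ea ;;   # default: behave as the Extension Attribute script
esac
```

Upload the script as the Extension Attribute with no argument, run it with `mark` from the imaging workflow and with `finish` as the last setup step. Because the smart group re-evaluates on every inventory, any accidental removal of the marker shows up as the Mac reappearing in policy scope at the next recon; auditing membership changes of the exclusion group is the simplest way to catch that.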
@The_Lapin In theory that should work and is a great idea. In all honesty, Jamf should just let us create an inventory-only binary on enrollment. I've asked for it for years. In our user base, there are a number of users that do not want to be "managed", but would not mind just having their systems inventoried on a regular cadence. That is fine with us. It will still be "managed" in the JSS, but nothing will ever get pushed and Self Service would not be installed.
@ryanstayloradobe I COMPLETELY agree, we just need this machine to be managed from an inventory standpoint, we don't want any policies triggered. I do agree JAMF should allow us to create an inventory-only enrollment.
And @The_Lapin I think your method would work, but I fear that, if said file were to be deleted by accident, then it would kick it out of the smart group and finally push the policies, which we want to avoid. Unless there's a way to lock down that file from a local admin.
Any managed Mac still counts towards your licenses though. So you may want to enroll it, recon it once to get that asset record and then un-manage it. Another alternative would be to not use Jamf for asset management but rather an asset system where you wouldn't have to pay for a jamf license at all.
@The_Lapin and @ccarcamo what if you added the device to a static group during enrollment? Then there would be no file to get "accidentally" removed and you wouldn't be using a smart group for a static set of devices. I currently do this for our staff devices.