Enrolling a Mac in Casper WITHOUT Policy triggers

ccarcamo
New Contributor II

Is there a way to enroll a Mac in Casper and have it EXEMPT from ALL policies?? I just want the thing enrolled, no policies run whatsoever lol

Thanks in advance!!

9 REPLIES

ryanstayloradob
Contributor

Hello, with Recon and User-Initiated enrollment, there's no way to automatically exempt it from all policies. If you enroll via Terminal, you can stop the binary from enforcing the management framework and checking for enrollment-triggered policies.

Usage: jamf enroll [-prompt | -invitation] [-noRecon] [-noManage]

-prompt Prompts for JSS and SSH credentials.

-invitation Uses an invitation ID for credentials instead of a user name and password.

-noRecon Stops enroll from acquiring inventory.

-noManage Stops enroll from enforcing the management framework.

-noPolicy Stops enroll from checking for enrollment policies.

Having said that, you will still have to exempt machines in all of your policies going forward. We have asked Jamf for a read-only/inventory enrollment for a while now. I don't know if they'll implement it in Jamf Pro 10 or not. In the meantime, we created our own read-only QuickAdd that removes the launch daemons, preventing any policy from being pushed to the machine.

The_Lapin
New Contributor III

I've wondered basically the same thing, how to delay policies until I'm ready for them to run. I haven't done this yet but I don't see why it wouldn't work...
- During the imaging process, add a file/folder to the Mac
- Scope a smart group to look for that file / folder; this is the exclude group
- Add the "exclude" smart group to the exclusion section of any policies you don't want to automatically run on Macs

Now that it's set up...
- Image / Deploy a Mac like normal
- When it enrolls it will run the inventory, find the exclusion file and add the Mac to the exclude group
- Do what needs to be done to finish setting up the Mac
- Remove the file when you're finished
- Now, the next time the Mac runs inventory it will remove itself from the exclude group and the policies will start to trigger

ryanstayloradob
Contributor

@The_Lapin In theory that should work and is a great idea. In all honesty, Jamf should just let us create an inventory-only binary on enrollment. I've asked for it for years. In our user base, there are a number of users that do not want to be "managed", but would not mind just having their systems inventoried on a regular cadence. That is fine with us. It will still be "managed" in the JSS, but nothing will ever get pushed and Self Service would not be installed.

ccarcamo
New Contributor II

@The_Lapin @ryanstayloradobe Thank you so much for your input, you both make really good points. I'm actually going to try this now and I'll update you guys with my results.

Thanks!!!

ccarcamo
New Contributor II

@ryanstayloradobe I COMPLETELY agree, we just need this machine to be managed from an inventory standpoint, we don't want any policies triggered. I do agree JAMF should allow us to create an inventory-only enrollment.

And @The_Lapin I think your method would work, but I fear that, if said file were to be deleted on accident, then it would kick it out of the smart group and finally push the policies, which we want to avoid. Unless there's a way to lock down that file from a local admin.
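An added example for The_Lapin's marker-file approach and the accidental-deletion worry above (not code posted by anyone in this thread): a Jamf extension attribute script that reports whether the marker exists and whether it is still protected from non-root users, so the smart group can key on its value. The marker path is an assumption; use whatever your imaging step actually creates.

```shell
#!/bin/sh
# Added example for the marker-file approach (not code from the thread).
# Jamf extension attribute: reports whether the "policy hold" marker exists
# and whether non-root users could alter it, so a smart group can exclude
# held Macs and an admin can spot unprotected markers in inventory.
# The marker path is an assumption; point it at the file imaging creates.
MARKER="${MARKER:-/Library/Management/.policy_hold}"

# Prints one of:
#   Active           - marker absent, policies may run
#   Hold             - marker present, root-owned, not group/world-writable
#   Hold-unprotected - marker present but writable by non-root users
# Note: an admin with sudo can still remove the file; this only flags
# markers that ordinary local users could tamper with.
policy_hold_state() {
    path="$1"
    if [ ! -e "$path" ]; then
        echo "Active"
        return 0
    fi
    # ls -ld prints "-rw-r--r--  1 root  wheel ..."; take the mode string
    # and owner from it rather than stat, whose flags differ on macOS/Linux.
    line=$(ls -ld "$path")
    mode=$(printf '%s\n' "$line" | awk '{print $1}')
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    group_w=$(printf '%s\n' "$mode" | cut -c6)
    other_w=$(printf '%s\n' "$mode" | cut -c9)
    if [ "$owner" = "root" ] && [ "$group_w" = "-" ] && [ "$other_w" = "-" ]; then
        echo "Hold"
    else
        echo "Hold-unprotected"
    fi
}

# Jamf reads the extension attribute value from the <result> tags on stdout.
echo "<result>$(policy_hold_state "$MARKER")</result>"
```

Scope the exclusion smart group on "Hold" (or "Hold-unprotected") and a second group on "Hold-unprotected" if you want to be alerted to markers that have lost their permissions.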

tlarkin
Honored Contributor

Any managed Mac still counts towards your licenses though. So you may want to enroll it, recon it once to get that asset record and then un-manage it. Another alternative would be to not use Jamf for asset management but rather an asset system where you wouldn't have to pay for a jamf license at all.

PeterClarke
Contributor II

Yes, I can see some use cases for this too.

  • Pity this has not been added as a 'Feature Request' that people can vote for!

m_donovan
Contributor III

@The_Lapin and @ccarcamo what if you added the device to a static group during enrollment? Then there would be no file to get "accidentally" removed and you wouldn't be using a smart group for a static set of devices. I currently do this for our staff devices.

hinrichd
New Contributor III