Jamf Nation Community

I'll 2nd @jamf-42 comment on enrollment (there can be use cases for Static Groups :-) ) and add that it is by design that you cannot script the installation of the CA and enrollment Configuration Profile because Apple considers both of those to be user privacy issues.

Actually my idea is (also what am trying to do is) a script which downloads the CA certificate and MDM certificate, our team will install it and then the computers get enrolled to MAC and added to a static group which will be mentioned in the script. 

Below is the script am working on.. Your help is fixing this script is highly appreciated.. 

#################################################################################

#!/bin/bash

# Jamf Pro Server details
JAMF_URL="https://JSS-URL"
API_USER="USERNAME"
API_PASS="PASSWORD"

# Define Static Groups and their IDs
declare -A STATIC_GROUPS
STATIC_GROUPS=(
["macOS Update test group 1"]="233" # Replace with actual Group ID
["macOS Update test group 2"]="239" # Replace with actual Group ID
["Test"]="228" # Replace with actual Group ID
)

# Prompt user to select a Static Group
echo "Select a Static Group to add the computer:"
select GROUP_NAME in "${!STATIC_GROUPS[@]}"; do
if [[ -n "$GROUP_NAME" ]]; then
STATIC_GROUP_ID="${STATIC_GROUPS[$GROUP_NAME]}"
echo "Selected Group: $GROUP_NAME (ID: $STATIC_GROUP_ID)"
break
else
echo "Invalid selection. Please choose a valid group."
fi
done

# Get the serial number of the Mac
SERIAL_NUMBER=$(system_profiler SPHardwareDataType | awk '/Serial/ {print $4}')

# Enroll the Mac (Using MDM profile download & install)
echo "Downloading MDM profile for enrollment..."
curl -k -o /tmp/MDMProfile.mobileconfig "$JAMF_URL/mdm/EnrollmentProfile.mobileconfig"

echo "Installing MDM Profile..."
profiles install -path /tmp/MDMProfile.mobileconfig

# Wait for the computer to appear in Jamf Pro
echo "Waiting for computer to register in Jamf Pro..."
sleep 60 # Adjust if needed

# Get the Computer ID from Jamf API
COMPUTER_ID=$(curl -s -u "$API_USER:$API_PASS" -X GET "$JAMF_URL/JSSResource/computers/serialnumber/$SERIAL_NUMBER" -H "Accept: application/xml" | xmllint --xpath "//computer/general/id/text()" -)

# Add Computer to Selected Static Group
if [[ -z "$COMPUTER_ID" ]]; then
echo "Error: Could not retrieve Computer ID. Ensure the device is enrolled."
exit 1
fi

echo "Adding computer to Static Group: $GROUP_NAME..."
XML_DATA="<computer_group><computer_additions><computer><id>$COMPUTER_ID</id></computer></computer_additions></computer_group>"

curl -s -u "$API_USER:$API_PASS" -X PUT "$JAMF_URL/JSSResource/computergroups/id/$STATIC_GROUP_ID" \
-H "Content-Type: application/xml" \
-d "$XML_DATA"

echo "Computer successfully added to $GROUP_NAME!"

#################################################################################

Thanks a lot! 

@sdagley and @jamf-42 Appreciate your replies. I wish I could change this. I recently joined a new workplace (school) and this is the procedure they follow, manual enrollment to Jamf and AD binding. We have Jamfpro on-prem and not cloud. We don't have ABM/ASM in place because when they purchase an app with one appleID they can push it to multiple devices, I think with ABM/ASM it wont be possible.

I don't see a point binding to AD neither, I had a chat with my teammate and he said they do it because when students print they can release it with their ID card because the printer recognizes their AD name. I just wanted to do this to reduce the workflow for the team. If AD binding is not needed then whats the best way for the students to print and release their prints with their ID? Their ID got the 4 digit code to unlock the printer and release the print. 

Thank you everyone for your inputs, I will discuss this internally and will try to change the workflow here. Have a good one...