Enrollment by serial number without DEP

OZON
New Contributor II

Hi=) According to the rules of the organization in which I work, the user cannot work on a personal/home device. During work, the user can only use a corporate device.
In my country, it is not possible to use DEP and PreStage Enrollment.
I have a list of all the serial numbers of corporate Apple devices. Can I limit the registration of devices in Jamf by serial number? #without DEP #noDEPnoLife?

5 REPLIES

JustDeWon
Contributor III

I would suggest something like a Personal or Corporate prompt during enrollment. If Personal is selected, they get placed in a group/site that doesn't get the applications needed for work. Something like the script below; however, if a user selects Corporate on their personal machine, it doesn't stop them.

#!/bin/bash

# Ask the user who owns the Mac. jamfHelper prints the button code to stdout:
# 0 for button1 (Personal), 2 for button2 (Company).
# The jamfHelper path contains a space, so it has to be quoted.
button=$("/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -windowType hud -title "Computer Ownership" -description "Please define if this computer is a personal device or company owned." -button1 "Personal" -button2 "Company")

# String comparison so an empty value (dialog dismissed or killed) does not
# trip an "integer expression expected" error.
if [ "$button" = "2" ]; then
    echo "Enterprise" > "/private/var/systemtype"
    echo "This is a company owned mac"
elif [ "$button" = "0" ]; then
    echo "private" > "/private/var/systemtype"
    echo "this is a private Mac"
fi

# Update inventory so an extension attribute reading /private/var/systemtype
# can place the Mac in the right smart group.
jamf recon

Or

you can turn off User-Initiated Enrollment

alexjdale
Valued Contributor III

One clunky option would be to put that serial number list into an extension attribute script and flag any that are not matches. If they do not match, you can take action like delete those records periodically and/or exclude those systems from any policy scopes.

I can't think of any method that wouldn't require manually maintaining a list, unless you have a separate asset management DB you can query for lookups.
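A sketch of the extension attribute alexjdale describes, added here as an example (it is not code from the thread). It assumes the serial list is pasted into the script itself so the EA runs offline (the three serials below are constructed placeholders), and that the EA's result feeds a smart group used to flag or exclude the non-matching Macs:

```shell
#!/bin/bash
# Jamf extension attribute: reports whether this Mac's serial number is on the
# corporate asset list. Added example; the list and serials are placeholders.

# Assumption: the corporate list is embedded here, one serial per line.
CORPORATE_SERIALS="
C02ABC123DEF
C02XYZ987GHI
FVFGH12345JK
"

# Read the hardware serial from IOKit. Prints UNKNOWN if ioreg is unavailable
# (e.g. this file is run on a non-macOS host) so the EA still emits a result.
get_serial() {
    if command -v ioreg >/dev/null 2>&1; then
        ioreg -c IOPlatformExpertDevice -d 2 | awk -F'"' '/IOPlatformSerialNumber/ {print $4}'
    else
        echo "UNKNOWN"
    fi
}

# Whole-line, case-insensitive, fixed-string match against the list, so a
# partial serial or a regex metacharacter cannot produce a false "Corporate".
# Prints "Corporate" or "Not Corporate".
classify_serial() {
    local serial="$1"
    if [ -z "$serial" ] || [ "$serial" = "UNKNOWN" ]; then
        echo "Not Corporate"
        return 0
    fi
    if printf '%s\n' "$CORPORATE_SERIALS" | grep -qixF -- "$serial"; then
        echo "Corporate"
    else
        echo "Not Corporate"
    fi
}

# Extension attributes return their value inside <result> tags.
echo "<result>$(classify_serial "$(get_serial)")</result>"
```

A smart group with the criterion "this EA is Not Corporate" then gives you the set alexjdale mentions: exclude it from policy scopes, or review and delete those records periodically. The list still has to be maintained by hand, as the post says.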

nicholasmcdonal
New Contributor III

As the product exists today, there isn't a straightforward way to "limit" enrollment based on a serial number.

However, a possible solution would be to restrict Enrollment or User-Initiated Enrollment to a specific set of technicians via an LDAP group. Then only allow devices to be enrolled by technicians who can assure it is a company-owned machine.

Hope that helps - Nick

OZON
New Contributor II

Thank you all for your help.

bollman
Contributor II

There could be another way.
Using the API, you can create computers in the JSS with the serial number as the identifier.
Off the top of my head, I can't remember if you can limit enrollment to just re-enrollments, but perhaps that can be done?
If so, only computers you've already created in the JSS can be re-enrolled, and no new computers not already present will be allowed. The computers you create using the API will be sort of "stubs" with just a name and a serial (or whatever info you decide to input), and they won't be fully populated until the computer is "re-enrolled".
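As an added example of the stub-creation step bollman describes (not code from the thread), the following script posts one minimal computer record per serial to the Jamf Classic API. It assumes the JSS_URL, JSS_USER and JSS_PASS environment variables, that basic authentication is enabled for the Classic API on your server, and a plain text file of serials, one per line; the "stub-<serial>" naming and the serial format check are my own choices.

```shell
#!/bin/bash
# Create "stub" computer records in the JSS from a list of corporate serials
# via the Classic API (POST /JSSResource/computers/id/0 creates a new record).
# Added example, not code from the thread. Assumes JSS_URL, JSS_USER and
# JSS_PASS are set in the environment and the Classic API accepts basic auth.

SERIAL_LIST="${1:-corporate_serials.txt}"   # assumed file name, one serial per line

# Sanity check before sending anything: Apple serials are upper-case
# alphanumeric; the 8-12 character window is a conservative assumption.
is_valid_serial() {
    printf '%s' "$1" | grep -Eq '^[A-Z0-9]{8,12}$'
}

# Minimal record: a name plus the serial number. The "stub-<serial>" name is
# my convention so the placeholder records are easy to find later.
build_stub_xml() {
    printf '<computer><general><name>stub-%s</name><serial_number>%s</serial_number></general></computer>' "$1" "$1"
}

# POST one stub and print the HTTP status, so a refusal (for example a 409
# when a record with that serial already exists) shows up in the run log.
create_stub() {
    curl -sS -o /dev/null -w '%{http_code}\n' \
        -u "$JSS_USER:$JSS_PASS" \
        -H 'Content-Type: application/xml' \
        -X POST "$JSS_URL/JSSResource/computers/id/0" \
        --data-binary "$(build_stub_xml "$1")"
}

# Only contact the server when configured and the list exists; the functions
# above can be exercised without network access otherwise.
if [ -n "${JSS_URL:-}" ] && [ -f "$SERIAL_LIST" ]; then
    while IFS= read -r serial || [ -n "$serial" ]; do
        serial="${serial//[[:space:]]/}"        # drop CR/LF and stray blanks
        [ -z "$serial" ] && continue
        if is_valid_serial "$serial"; then
            printf '%s -> HTTP ' "$serial"
            create_stub "$serial"
        else
            echo "skipping malformed line: $serial" >&2
        fi
    done < "$SERIAL_LIST"
fi
```

Run it once against the full serial list; a device that later enrolls with a matching serial should populate the stub record rather than create a new one. Whether unknown serials can actually be refused at enrollment is the part bollman leaves open, and this script does not change that.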