Posted on 04-08-2019 01:52 AM
Hi=)
According to the rules of the organization in which I work, the user cannot work on a personal / home device. During operation, the user can only use the corporate device.
In my country, it is not possible to use DEP and PreStage Enrollment.
I have a list of all the serial numbers of corporate apple devices. Can I limit the registration of the device in Jamf by serial number?
#without DEP #noDEPnoLife?
Posted on 04-08-2019 07:42 AM
I would suggest something like a Personal or Corporate prompt during enrollment. And if Personal is selected, they get placed in a group/site that doesn't get needed applications for work. Something like the below script; however, if a user selects Corporate on their personal machine, then it doesn't stop it.
#!/bin/bash
# Ask the user whether this Mac is personal or company owned.
# jamfHelper exits 0 when button1 ("Personal") is clicked and 2 when button2 ("Company") is clicked.
# The path contains a space, so it must be quoted.
button=$("/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -windowType hud -title "Computer Ownership" -description "Please define if this computer is a personal device or company owned." -button1 "Personal" -button2 "Company")
if [ "$button" -eq 2 ]; then
echo "Enterprise" > "/private/var/systemtype"
echo "This is a company owned mac"
elif [ "$button" -eq 0 ]; then
echo "private" > "/private/var/systemtype"
echo "this is a private Mac"
fi
# Update inventory so an extension attribute reading /private/var/systemtype can scope the device.
/usr/local/bin/jamf recon
Or
you can turn off User-Initiated Enrollment
Posted on 04-08-2019 11:06 AM
One clunky option would be to put that serial number list into an extension attribute script and flag any that are not matches. If they do not match, you can take action like delete those records periodically and/or exclude those systems from any policy scopes.
I can't think of any method that wouldn't require manually maintaining a list, unless you have a separate asset management DB you can query for lookups.
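An added example of the extension-attribute approach described above (not code from the thread): a script that compares the Mac's serial against a locally maintained allowlist and reports Corporate or Unknown, so a smart group on that value can exclude unknown devices from policy scopes. The allowlist path and the serial numbers in it are assumed/constructed values.

```bash
#!/bin/bash
# Added example: Jamf extension attribute that reports "Corporate" when this
# Mac's serial is on an allowlist of corporate serials, otherwise "Unknown".
# Assumptions: the allowlist at ALLOWLIST holds one serial per line; the
# serials written into the demo file below are constructed sample values.

ALLOWLIST="${ALLOWLIST:-/usr/local/etc/corporate_serials.txt}"

# Print the serial number of the Mac running this script (macOS only).
get_serial() {
    /usr/sbin/ioreg -c IOPlatformExpertDevice -d 2 \
        | awk -F'"' '/IOPlatformSerialNumber/ {print $4}'
}

# classify_serial SERIAL FILE -> prints Corporate (exit 0) or Unknown (exit 1).
# Matching is exact and case-insensitive; whitespace and CRs are stripped so a
# list exported from a spreadsheet on Windows still matches.
classify_serial() {
    local serial file
    serial=$(printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]')
    file="$2"
    if [ -z "$serial" ] || [ ! -r "$file" ]; then
        echo "Unknown"      # empty serial or unreadable list: fail closed
        return 1
    fi
    if tr -d '\r' < "$file" | tr '[:lower:]' '[:upper:]' | grep -qxF -- "$serial"; then
        echo "Corporate"
    else
        echo "Unknown"
        return 1
    fi
}

# Demo only: build a constructed allowlist (with a CRLF line) if none exists.
if [ ! -r "$ALLOWLIST" ]; then
    ALLOWLIST=$(mktemp)
    printf 'C02ABC123DEF\r\nC02XYZ789GHI\n' > "$ALLOWLIST"
fi

# Emit the EA result only when actually running on a Mac.
if [ "$(uname)" = "Darwin" ]; then
    echo "<result>$(classify_serial "$(get_serial)" "$ALLOWLIST")</result>"
fi
```

Create a smart group on the extension attribute value "Unknown" and use it as an exclusion in policy scopes; the list still has to be maintained by hand unless it is generated from an asset database.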
Posted on 04-08-2019 12:49 PM
As the product exists today, there isn't a straightforward way to "limit" enrollment based off of a serial number.
However, a possible solution would be to restrict Enrollment or User Initiated Enrollment to a specific set of Technicians via an LDAP group. Then only allow devices to be enrolled by Technicians that can assure it is a company owned machine.
Hope that helps - Nick
Posted on 04-08-2019 11:27 PM
Thank you all for your help.
Posted on 04-09-2019 02:08 AM
There could be another way.
Using the API, you can create computers in the JSS with the serial number as identifier.
Off the top of my head, I can't remember if you can limit enrollment to just re-enrollments, but perhaps that can be done?
If so, only computers you've already created in the JSS can be re-enrolled and no new computers not already present will be allowed. The computers you create using the API will be sort of "stubs" just with a name and a serial (or whatever info you decide to input) and it won't be fully populated until the computer is "re-enrolled".