Exclude computers provisioned with DEPNotify from certain triggers during provisioning

sintichn
New Contributor III

Hi everyone, I'm having an issue. I know that I can always exclude computers that are provisioned with DEPNotify from running these policies in Jamf... but I would have to exclude on every policy that runs at the networkstatechange trigger. Just wondering if this is a possibility... While DEPNotify is going through my installation workflow, the networkstatechange trigger happens for some reason (not sure why, I'm connected via Ethernet (Wi-Fi is also on, but Ethernet should take priority)). Is there a way to ignore the networkstatechange trigger while the DEP user is logged in? Also, another piece of info... the DEP user is not an AD user.

2 ACCEPTED SOLUTIONS

mm2270
Legendary Contributor III

How many policies are you using the NetworkStateChange trigger on? Unless it's a huge amount, I would think the easiest way would be to add a Smart Group for your provisioned enrolled Macs to exclude from any policies that you don't want it to run on, until they are complete with the setup.

As for why the NetworkStateChange trigger is being called, well, sadly that's normal, at least in terms of how it works. The files/locations that the Jamf process monitors for network state change get touched nearly constantly. Even when the IP doesn't refresh or change, unfortunately. Even installations or a device being plugged into the machine can cause them to be modified. For this reason, I advise caution on using it on too many policies. You may be running a lot of policies on your Macs frequently and unnecessarily.

m_donovan
Contributor III

I set the room to KISD DEP in the prestage and use this to create a smart group that I can exclude or target with policies. At the end of the DEPNotify script I run a recon and set the room to DEP Complete. The computers are then removed from the smart group and can continue on as normal.

6 REPLIES

donmontalvo
Esteemed Contributor II

Might want to vote this up...

Postpone all policies until "Enrollment Complete" policy finishes

It mostly aligns with what you're thinking...

--
https://donmontalvo.com

mm2270
Legendary Contributor III

@m.donovan Nice! I like that method, and may shamelessly steal appropriate it

sintichn
New Contributor III

@m.donovan I'm just starting with scripting... do you have an example of what setting the room to DEP Complete would look like?

mm2270
Legendary Contributor III

@sintichn Take a look at the help page for the Jamf binary - jamf help. The recon verb has options to update various User & Location fields in the computer record. For example:

/usr/local/bin/jamf recon -room "DEP Complete"