Posted on 10-04-2019 07:13 AM
Hi Guys,
So we were in the process of migrating our on prem JAMF Instance to the cloud yesterday.
To make a long story short, we cannot use our current URL (due to internal domain issues and self-signed certs). This is set in stone and cannot be changed.
So what we have to do is have a new JAMF instance created in the cloud with our DB and re-enroll our machines.
I'm looking to see if anyone has any info on how they have done this previously. I tried to test running the quick-add today (we have a 2nd cloud instance currently) through our on prem JAMF and the machine successfully went into the cloud instance. However, as Profiles is blocked on both instances, I couldn't accept the MDM profile (can work around this), but when I tried to change the policy it didn't apply to the machine. It was like it was stuck in both instances, so old policies were there and new policies applied, but we couldn't remove old policies.
Manually running sudo jamf removeFramework and then enrolling on the new one worked, but we don't want users to have to do that. Bad enough they will have to accept MDM as we are on Mojave.
Posted on 10-04-2019 07:38 AM
I don't have any experience with this, but can you just write a script to use the Jamf binary to re-enroll with the new instance?
Something along the lines of :
#!/bin/sh
#remove current Profiles JIC?
jamf removeMdmProfile
#create the conf file with the new URL
jamf createConf -url "https://you.url.here:8443" #-verifySSLCert (?)
#download the cert to trust
jamf trustJSS
#make sure to enroll with a static invitation ID
jamf enroll -invitation "[your_super_long_invitation_id_goes_here]"
#force the profiles to download again, but users will still need to accept
jamf manage
I've not tested this and you might need to play with some of these flags plus the user still needs to click approve to get most of the profiles but it might be worth a shot.
[Edit]: As a thought you could also add a line to make them open Profiles and click approve:
currentUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )
sudo -u "$currentUser" open /System/Library/PreferencePanes/Profiles.prefPane
Posted on 10-04-2019 02:33 PM
@taz231190 Ask your Jamf Buddy about the ReEnroller tool which was built to migrate Macs from one JSS to another. It may only be available to customers with support contracts though. And it still requires users to approve the MDM Profile when the configuration for the new JSS is installed.
Posted on 10-04-2019 03:03 PM
+1 for ReEnroller. I've migrated well over 2500 machines from different Jamf instances to a central Jamf instance (two internal instances) and it works wonderfully.
Posted on 10-05-2019 05:47 AM
Another +1 for ReEnroller.
Note it does need a script to call the API on the JSS you are leaving to hit the UnmanageDevice endpoint before the ReEnroller package is run. This is in the docs and the script is included; I just figured I would add in that we found it was required.
We silently rolled out umad a few weeks before we started migrating computers. This didn't do anything until right after the ReEnroller did its job and UAMDM became broken and the MDM profile needed approval. Umad then brought up a nice screen explaining what has happened and what the user next needed to do, including a button to press to open directly into the Profiles section of Preferences.
Another option might be to send out an email with a link to a Self Service item. Self service will direct people to click on Approve too if they haven't already done so.
Good luck with your migration.
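A post-migration check for the two failure states raised in this thread (a Mac still pointing at the old instance, and an MDM profile that is installed but not yet user approved), as an added example that is not part of any poster's reply or of ReEnroller. It assumes the Jamf binary records its server in the `jss_url` key of `/Library/Preferences/com.jamfsoftware.jamf.plist`; `NEW_URL` is a placeholder and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example: confirm a Mac landed on the new Jamf server with an approved MDM profile.
NEW_URL="https://new.jamf.example:8443/"   # placeholder for the new instance URL

# Constructed samples of `profiles status -type enrollment` output.
SAMPLE_APPROVED="Enrolled via DEP: No
MDM enrollment: Yes (User Approved)"
SAMPLE_PENDING="Enrolled via DEP: No
MDM enrollment: Yes"

# Classify enrollment text: approved | needs-approval | not-enrolled
mdm_state() {
    case "$1" in
        *"MDM enrollment: Yes (User Approved)"*) echo approved ;;
        *"MDM enrollment: Yes"*)                 echo needs-approval ;;
        *)                                       echo not-enrolled ;;
    esac
}

# True when two server URLs match, ignoring case and one trailing slash.
same_server() {
    a=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); a=${a%/}
    b=$(printf '%s' "$2" | tr 'A-Z' 'a-z'); b=${b%/}
    [ "$a" = "$b" ]
}

# $1 = enrollment text, $2 = configured URL, $3 = expected URL.
# Prints wrong-server or the MDM state; succeeds only when fully migrated.
migration_verdict() {
    if ! same_server "$2" "$3"; then
        echo wrong-server
        return 1
    fi
    state=$(mdm_state "$1")
    echo "$state"
    [ "$state" = approved ]
}

if [ "$(uname)" = Darwin ]; then
    # Live check on a managed Mac (run as root, e.g. from a policy).
    out=$(profiles status -type enrollment 2>/dev/null)
    url=$(defaults read /Library/Preferences/com.jamfsoftware.jamf.plist jss_url 2>/dev/null)
    migration_verdict "$out" "$url" "$NEW_URL"
else
    # Elsewhere, show the verdict for the constructed pending sample.
    migration_verdict "$SAMPLE_PENDING" "$NEW_URL" "$NEW_URL" || true
fi
```

The printed verdict can feed an extension attribute or smart group so that only Macs reporting `needs-approval` get the approval prompt.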