jamf pro migration

sebastian_santo
New Contributor III

Hello.

When I attempt to migrate around 100 machines from one Jamf cloud instance to another, the computers are moved from the old Jamf to the new one, but the MDM profile for the new Jamf Pro is not being installed. When I open Self Service I'm prompted to approve the MDM, but once I click the button there is no profile to be approved.


junjishimazaki
Valued Contributor

Hi, can you please provide more details on what process you are doing to remove the old MDM from the mac and enroll to the new Jamf instance?

@junjishimazaki I'm using the ReEnroller package. I have also tried just installing the signed QuickAdd package.

junjishimazaki
Valued Contributor

Ah ok, I know this script from GitHub. This script relies on the QuickAdd package to enroll. So, as you may or may not know, the QuickAdd package will not work on any OS Big Sur and above. It will not install the new MDM profile. Does this script indeed remove the old Jamf MDM profile? Also, is your MDM locked/non-removable?

Thank you for the quick response. No, the MDM can be removed, as the machine is not DEP enrolled. Do you mind pointing me to the script you are talking about? Thanks.

junjishimazaki
Valued Contributor

I thought you were talking about this script. https://github.com/jamf/ReEnroller

sebastian_santo
New Contributor III

Oh yes, sorry, that is what I'm using.

sebastian_santo
New Contributor III

Also, yes, I'm trying to find another solution, as I was reading what you said about Big Sur and newer, and all the machines being migrated are either on Monterey or Big Sur.

junjishimazaki
Valued Contributor

It doesn't work well because of the QuickAdd, so I created my own script to do this. I usually don't like using someone else's script unless it's something I can't do myself. In preparing for the migration, I logged into the Apple Business Manager and created a new MDM to re-assign all the Macs to the new Jamf instance. Then in the new Jamf instance, I added the new ADE. Then I assigned the Macs to the new Jamf instance Prestage so I don't have to rely on the user-initiated enrollment process.

So, I created a script similar to ReEnroller to use the curl command to send the command from the old Jamf instance to remove the MDM to the Mac and then use the command: sudo profiles renew -type enrollment to Prestage enroll. This will install the MDM of the new instance and update the Jamf binary.

junjishimazaki
Valued Contributor

In the old jamf instance, the MDM was locked so I created another script to remove the locked MDM just in case the MDM couldn't be removed. This requires the SIP to be disabled first.

But I thought if the machines were never added to DEP, they cannot be added later.

junjishimazaki
Valued Contributor

As long as the macs are in ABM, you can add any MDM instance and assign those macs to that MDM. Then in that Jamf instance, you add to the Automated Device Enrollment. Which is exactly what I did. 

sebastian_santo
New Contributor III

Last thing, if it is not too much to ask: do you mind sharing your script?

junjishimazaki
Valued Contributor

I'll see if I can find it since it was about a year ago that I did this migration. 

Thank you either way, I really appreciate your help.

junjishimazaki
Valued Contributor
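
```bash
#!/bin/bash

# Pass user creds from policy (Jamf script parameters 4 and 5)
jamfUser="$4"
jamfPass="$5"
# Left empty in the original post; set this to the URL of the old Jamf instance
jssUrl=""

# Get Mac serial number
mac_serial=$(system_profiler SPHardwareDataType | awk '/Serial/ {print $4}')
echo "Mac serial: $mac_serial"

# Curl to get Mac Jamf ID. Adding text() to the XPath returns just the Jamf ID without the surrounding tags.
# -k is not used, so curl verifies the server certificate before sending the credentials.
jamf_id=$(curl -su "${jamfUser}:${jamfPass}" "${jssUrl}/JSSResource/computers/serialnumber/${mac_serial}" -X GET | xmllint --xpath '/computer/general/id/text()' -)
echo "Jamf ID: $jamf_id"

# Stop if the lookup failed, so no command is sent with an empty ID
if [ -z "$jamf_id" ]; then
    echo "Could not look up the Jamf ID for serial $mac_serial" >&2
    exit 1
fi

# Just opens the Jamf user-initiated enrollment site
#open https://jamfcloudinstance/enroll

# Curl to send command to remove MDM profile from the Mac
curl -su "${jamfUser}:${jamfPass}" "${jssUrl}/JSSResource/computercommands/command/UnmanageDevice/id/${jamf_id}" -X POST

echo "Removing jamf binary and framework from Mac..."
# Removing Jamf binary and framework after the MDM has been removed
#jamf removeframework

# Request enrollment again; the Mac enrolls into the instance it is assigned to in ABM
sudo profiles renew -type enrollment

exit 0
```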

junjishimazaki
Valued Contributor

You can test out some of the commands that I commented. I don't remember if running sudo jamf removeframework to remove the jamf binary worked.
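
The approach described in this thread sends UnmanageDevice from the old instance and then runs `profiles renew -type enrollment`. The following is an added example, not code from any poster in the thread: a gate that waits until the Mac itself reports the old MDM enrollment is gone before requesting enrollment again. The function names, the `--renew` switch and the assumed `MDM enrollment: Yes/No` line in the output of `profiles status -type enrollment` are assumptions of this example.

```bash
#!/bin/bash
# Added example: only renew enrollment once the old MDM enrollment is gone.
# Assumption: `profiles status -type enrollment` prints a line starting with
# "MDM enrollment: Yes" or "MDM enrollment: No".

# Reads status text on stdin.
# Returns 0 = not enrolled, 1 = still enrolled, 2 = output not recognised.
mdm_unenrolled() {
    local line
    line=$(grep '^MDM enrollment:' | head -n 1)
    [ -n "$line" ] || return 2
    case "$line" in
        *": No"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Polls a status command until it reports "not enrolled" or the timeout expires.
# $1 = timeout in seconds, $2 = poll interval in seconds, rest = status command.
wait_for_unenroll() {
    local timeout=$1 interval=$2 waited=0
    shift 2
    while [ "$waited" -le "$timeout" ]; do
        if "$@" 2>/dev/null | mdm_unenrolled; then
            return 0
        fi
        sleep "$interval"
        waited=$((waited + interval))
    done
    return 1
}

# On the Mac, as root, after the UnmanageDevice command has been sent:
#   ./this_script.sh --renew
if [ "${1:-}" = "--renew" ]; then
    if wait_for_unenroll 300 10 profiles status -type enrollment; then
        profiles renew -type enrollment
    else
        echo "Old MDM enrollment still present after 300s; not renewing" >&2
        exit 1
    fi
fi
```

An unrecognised status output counts as "not yet unenrolled", so the gate fails closed and the script exits non-zero instead of renewing against a Mac that may still hold the old profile.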