Keep computer in JAMF MDM but removed from all groups

JTP
New Contributor II

We have a Mac that will be used in a production environment (Live TV). I would like to keep it in JAMF but essentially just for record keeping, loss prevention and for our security software. A broadcast engineer will be responsible for keeping it running.

We tend to have a bunch of updates triggered by smart groups, basically if it has this software then do the update or action.

Without excluding this computer from every single smart group one by one, is there a way to single out a computer so that any action on the computer happens explicitly and only when it's named? Perhaps just a way to exclude it from all smart groups/groups.

2 REPLIES

AJPinto
Honored Contributor III

I recommend against treating any device differently than the rest of your environment as a one-off. However, the only way to do what you want is to create an exemption. I would not do that in the smart groups themselves. I would make a static group, and add that group to the exemption for all of the workflows you don't want to happen. Then add the device to that static group.

 

You could make a smart group that is looking for a network segment, department, or an EA that you create. Set up the smart group in a way that it catches this computer, and use that to exclude if you would rather go with a smart group over a static group.

PaulHazelden
Valued Contributor

I agree, create a group with that one device in it and then set that group in the exemptions for the policies.
If you go through all your policies and configs and add the computer by name, and then at some point in the future you delete the computer from the database, maybe because you are wiping it for some reason, every reference in the policies to that computer will be lost, and you will have to add it all back in again.

I have a couple of devices set up differently to the majority, and I use a smart group looking for the device serial number. Makes life easy that way; you just have to change the smart group if you re-provision the device.
My general preference is to use groups to assign or exempt policies and configs. I would rather spend the time creating a group that may only have one device in it, than all the time fixing a problem later because I deleted the device.
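
The group-based exemption both replies recommend can be audited per policy. The following is an added example, not part of the original thread: it checks whether a policy record already excludes the exemption group and builds an update body that keeps the existing exclusions. The group name `Production-Exempt`, the sample record, and the XML layout (modelled on the Jamf Pro Classic API policy record) are assumptions.

```python
import xml.etree.ElementTree as ET

GROUP = "Production-Exempt"  # hypothetical static group holding the one Mac

# Constructed sample of a policy record, laid out like the Classic API's
# policy XML (assumption; compare with a record exported from your own server).
SAMPLE_POLICY = """<policy>
  <general><id>42</id><name>Update Chrome</name></general>
  <scope>
    <computer_groups>
      <computer_group><id>7</id><name>Has Chrome</name></computer_group>
    </computer_groups>
    <exclusions>
      <computer_groups>
        <computer_group><id>3</id><name>Lab Macs</name></computer_group>
      </computer_groups>
    </exclusions>
  </scope>
</policy>"""

EXCLUDED = "./scope/exclusions/computer_groups/computer_group/name"

def excluded_groups(policy_xml):
    """Names of the computer groups already excluded from the policy's scope."""
    return [n.text for n in ET.fromstring(policy_xml).findall(EXCLUDED)]

def needs_exclusion(policy_xml, group=GROUP):
    """True when the policy does not yet exclude the exemption group."""
    return group not in excluded_groups(policy_xml)

def exclusion_update(policy_xml, group=GROUP):
    """Build a minimal update body that adds `group` to the exclusions.
    Assumption: the server replaces the excluded-group list with what is
    sent, so the entries already present are carried over unchanged."""
    names = excluded_groups(policy_xml)
    if group not in names:
        names.append(group)
    policy = ET.Element("policy")
    scope = ET.SubElement(policy, "scope")
    groups = ET.SubElement(ET.SubElement(scope, "exclusions"), "computer_groups")
    for name in names:
        ET.SubElement(ET.SubElement(groups, "computer_group"), "name").text = name
    return ET.tostring(policy, encoding="unicode")

if __name__ == "__main__":
    if needs_exclusion(SAMPLE_POLICY):
        print(exclusion_update(SAMPLE_POLICY))
```

Running the check over every policy and configuration profile record shows which workflows could still reach the production Mac before the static group is relied on.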