May it is a bit a weird question, but maybe someone know an answer for me.
I saw several informations here about blocking migration assistant etc. Have implemented the restricted software for the migration assistant as well. But what can I do, to disallow the migration assistant before DEP. We have some users, the just migrate everything before enrollment (cut the WLAN) and enroll then with dep. Please do not ask how the did, because I don't have an idea how this works with enrollment after migrating. At least it will be fine for me, when an extension attribute exist we can use to find out if the macbook was enrolled after migration assistant.
Someone a good idea?
@user-faWBxyKMJD What @snowfox posted is how to disable Migration Assistant when going through the Setup Assistant, but only if your users aren't disabling network access to bypass the Remote Management screen of Setup Assistant. If they do that they're probably using the command
sudo profiles renew -type enrollment to trigger enrollment after they finish migration. You might want to take an extreme approach like sending a Lock command (if you're not talking M1 Macs that is) with message that you're going to issue a Remote Wipe command every time the user tries to bypass your DEP process.
Thanks for the input!
@snowfox , yes this is checked as well, but how @sdagley says, when the users disables the wlan, they can migrate whatever they want. Yes, may they used the command for renew profile. Our MacBooks are enrolled with jamf connect, so may this enroll automatically after the migration and the next restart of the machine. Is there a possibility to track if the users use the sudo profiles renew -type enrollment command?