Moving DEP Macs to Jamf from another MDM

macservit
New Contributor III

I'm attempting to document the process for moving from a competing MDM into Jamf on macOS. We will have to do this across most of our client base and I need to be able to give users clear instructions. I just went through my first test on my own machine...a DEP M1 MBP running Big Sur. I changed the MDM assignment for the machine in ABM and confirmed that it shows in our Jamf Cloud tenant. I then unenrolled the machine from within the old MDM. I understand that the profiles command no longer functions for this task in BS, so I went and did the enrollment through UIE (browser and admin-approved profile install). Since this is a DEP machine, I would have assumed that the primary MDM profile would become "non-removable" by any user on the machine. Apparently either I was flat out wrong, or I missed a setting somewhere in setup.

As an aside, a few weeks back I assisted another client who was moving from on-prem Jamf to Jamf Cloud and I personally used the profiles command on about 10 brand new DEP Big Sur (Intel) laptops and it worked every time. So maybe I'm not fully understanding the limitations of BS and the profiles command?


Tribruin
Valued Contributor II

UIE enrollment is not ADE/DEP enrollment, so it will not pick up the non-removable MDM profile. Profiles still works in BS, but it cannot be used to manually enroll via an MDM profile. However, it can still be used to pick up an ADE assignment.

If you have the computer assigned to ADE and a Prestage in your new MDM, just run this command: sudo profiles renew type=enrollment. That will initiate an ADE enrollment on the existing computer. Obviously it will bypass any user creation, but it will download the MDM profile and make it non-removable, if you have marked it that way in the prestage.

macservit
New Contributor III

I tried 'sudo profiles renew -type enrollment' before I wrote the post and got no action whatsoever. (The man page for profiles says my version is correct...yours throws an error when I run it). Either way, I'm prompted for my sudo password, it sits silently for a minute, and then returns to the prompt with no feedback whatsoever.

OH SURE, I just tried it again and it worked this time! SMH

Never mind, I guess something needed to cook in the background for a little longer and I just wasn't patient enough earlier. Thanks for your reply @RBlount

johnsz_tu
New Contributor III

@macservit Same thing happened to me the other day, removed the MDM profiles from a BS machine, then went to re-enroll with 'sudo profiles renew -type enrollment' and was getting the same thing... silent for a min, then returned to the prompt with no feedback.

Tried the command every few mins for 30 mins and nothing. Walked away, walked around pulling my hair out trying to think why it was not working for a while, came back 10 mins later and it worked on the first attempt. Did not change anything, did not do anything different.

I really wish the command would give some output on whether it was successful or not.
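Added example, not part of any post in this thread and not Jamf or Apple tooling: since the renew command returns silently, this sketch polls `profiles status -type enrollment` afterwards and reports whether the Mac ended up ADE-enrolled, MDM-enrolled only (the UIE result described above), or not enrolled. It assumes the status output contains "Enrolled via DEP:" and "MDM enrollment:" lines; the function names and the `--renew` switch are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Run as root on the Mac: sh check.sh --renew
# Assumption: status output has "Enrolled via DEP:" and "MDM enrollment:" lines.

STATUS_CMD="profiles status -type enrollment"   # overridable for offline testing

# Classify status text read from stdin: ade | mdm-only | not-enrolled
classify_enrollment() {
    awk -F': *' '
        /^Enrolled via DEP/ { dep = $2 }
        /^MDM enrollment/   { mdm = $2 }
        END {
            if (mdm ~ /^Yes/ && dep ~ /^Yes/) print "ade"
            else if (mdm ~ /^Yes/)            print "mdm-only"
            else                              print "not-enrolled"
        }'
}

# Poll the status command until it reports ADE enrollment.
# $1 = attempts (default 10), $2 = seconds between attempts (default 60)
wait_for_ade() {
    attempts=${1:-10}; delay=${2:-60}; i=1
    while [ "$i" -le "$attempts" ]; do
        state=$($STATUS_CMD 2>/dev/null | classify_enrollment)
        echo "check $i/$attempts: $state"
        [ "$state" = "ade" ] && return 0
        i=$((i + 1))
        sleep "$delay"
    done
    return 1
}

if [ "${1:-}" = "--renew" ]; then
    profiles renew -type enrollment
    if wait_for_ade 10 60; then
        echo "ADE enrollment confirmed"
    else
        echo "still not ADE-enrolled; check ABM assignment, PreStage scope and proxy/DLP blocks" >&2
        exit 1
    fi
fi
```

A result of `mdm-only` means an MDM profile is installed but it did not come from the ADE assignment, so it should not be expected to be non-removable.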

easyedc
Valued Contributor II

FWIW I used the profiles command to move about 600 Macs from on-prem to cloud Jamf. It worked mostly well, but I did experience issues like you're describing. At the time, we were experiencing blocks from both network proxies and local DLP software. Do you have those within your environment?

user-baiwIBodTA
New Contributor

Apple Configurator or a device enrollment program (DEP) used with an MDM. Moving a supervised device between MDM vendors means wiping the device.