- Jamf Nation Community
- Products
- Jamf Pro
- Moving machine from one Prestage to another
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-27-2023 10:46 PM
Hey all!
What are the implications, if any, of moving an imaged and in-use machine from one Prestage Enrollment to another?
Our scenario:
We have ~900 laptops all built with one of three prestage enrollments. Each new PE was setup over time with slightly more settings for our environment and only net-new machines were ever enrolled in the latest PE, so we have have a large mixture of each in our company. We have now built a 4th and if we reimage a machine the biggest pain is going into the PE scopes, unchecking it's old PE, then rechecking it in the new PE. We reimage 4-5 laptops per day so searching for the serial and doing this for each one would get tedious.
Our hope is that we could uncheck all machines from the scopes in the three old PE's and just check all machines in the new one. That way they whenever we reimage them (either tomorrow or two years from now) they will image with the newest PE.
Will unchecking those machines and rechecking them in the new one do anything? Does anything look at what PE it already went through? (we have a few smartgroups that do this on purpose but those don't push out policies - just keep count)
I know that when you move PEs you can run sudo profiles renew -type enrollment but in this case my goal is to avoid anything like that happening automatically.
Thank you!
Solved! Go to Solution.
3 ACCEPTED SOLUTIONS
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-28-2023 04:05 AM
This is actually one of the main use cases of prestage enrollment. It basically acts as a tag that you can build a smart group against. That tag does not change until a device is reenrolled. That basically means wipe and refresh or the profiles command you mentioned above. In short, nothing should happen on the device unless you reenroll it.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-28-2023 04:28 AM
Simply unchecking a machine in any pre-stage enrollment does nothing. but when you mark it for another pre-stage deployment, it still needs to be imaged in order to get to that actual deployment. Assuming worst case scenario, an end user somehow wipes the device, or an evil mastermind with very bad intentions, keeping them all checked in 1 deployment or another, makes sure that access remains safe.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-28-2023 05:06 AM
The only check for prestage is when a device is enrolled, its never looked at again until the device goes back through Automated Device Enrollment. You can swap devices between prestages without worrying about effecting existing devices.
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-28-2023 04:05 AM
This is actually one of the main use cases of prestage enrollment. It basically acts as a tag that you can build a smart group against. That tag does not change until a device is reenrolled. That basically means wipe and refresh or the profiles command you mentioned above. In short, nothing should happen on the device unless you reenroll it.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-28-2023 04:28 AM
Simply unchecking a machine in any pre-stage enrollment does nothing. but when you mark it for another pre-stage deployment, it still needs to be imaged in order to get to that actual deployment. Assuming worst case scenario, an end user somehow wipes the device, or an evil mastermind with very bad intentions, keeping them all checked in 1 deployment or another, makes sure that access remains safe.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-28-2023 05:06 AM
The only check for prestage is when a device is enrolled, its never looked at again until the device goes back through Automated Device Enrollment. You can swap devices between prestages without worrying about effecting existing devices.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-28-2023 09:22 AM
Thanks for the triple confirmation everyone!
