Moving machine from one Prestage to another

Nate1
New Contributor III

Hey all!

What are the implications, if any, of moving an imaged and in-use machine from one Prestage Enrollment to another?

Our scenario:

We have ~900 laptops all built with one of three prestage enrollments. Each new PE was set up over time with slightly more settings for our environment and only net-new machines were ever enrolled in the latest PE, so we have a large mixture of each in our company. We have now built a 4th and if we reimage a machine the biggest pain is going into the PE scopes, unchecking its old PE, then rechecking it in the new PE. We reimage 4-5 laptops per day so searching for the serial and doing this for each one would get tedious.

Our hope is that we could uncheck all machines from the scopes in the three old PEs and just check all machines in the new one. That way, whenever we reimage them (either tomorrow or two years from now), they will image with the newest PE.

Will unchecking those machines and rechecking them in the new one do anything? Does anything look at what PE it already went through? (We have a few smart groups that do this on purpose, but those don't push out policies - just keep count.)

I know that when you move PEs you can run sudo profiles renew -type enrollment but in this case my goal is to avoid anything like that happening automatically.

Thank you!

3 ACCEPTED SOLUTIONS

TrentO
Contributor II

This is actually one of the main use cases of prestage enrollment. It basically acts as a tag that you can build a smart group against. That tag does not change until a device is reenrolled. That basically means wipe and refresh or the profiles command you mentioned above. In short, nothing should happen on the device unless you reenroll it. 

danlaw777
Contributor III

Simply unchecking a machine in any pre-stage enrollment does nothing, but when you mark it for another pre-stage deployment, it still needs to be imaged in order to get to that actual deployment. Assuming worst-case scenario, an end user somehow wipes the device, or an evil mastermind with very bad intentions, keeping them all checked in 1 deployment or another makes sure that access remains safe.

AJPinto
Honored Contributor III

The only check for prestage is when a device is enrolled; it's never looked at again until the device goes back through Automated Device Enrollment. You can swap devices between prestages without worrying about affecting existing devices.

4 REPLIES

Nate1
New Contributor III

Thanks for the triple confirmation everyone!