Does anyone use a production environment with multiple sites and ADE/DEP? I'm trying to brainstorm a workflow where the different site administers in my environment (~20 different sites) can move devices from where they land from ADE/DEP into their own site, without needing to contact a person who is a full Jamf admin.
I've created a DEPNotify workflow that allows computers to be assigned to the correct site immediately after the enroll from ADE/DEP happens, and that works well. However, as far as I know, there's no similar product for mobile devices. So I think the only way to move mobile devices is manually essentially.
I reached out to Jamf, and was told there's no way for people with site admin permissions to switch devices between sites. I would need to create a separate group/user with full access to allow the site admins to be able to move the devices. This is less than ideal, because that would give the different site admins visibility into the other sites, and allow them to move devices to and from various sites, not just from the ADE/DEP landing site to their own (even with custom permissions).
Has anyone else figured out a workflow for a similar environment, or have general thoughts?
I assume you just have one Apple Business Manager instance where all devices are managed together?
We are supporting a customer with 5 different ABM’s and also 5 sites which works fine for auto assigning and enrolling the devices because they are separated in different locations.
Maybe it would help to create multiple prestage enrollment setups and assigning the correct devices to them?
Of course you have to assign them manually but just injtially. For every future enrollment it will pick up the correct prestage setup which will assign the correct site - so no need for additional full access admins for managing anything there and still no possibility for them to move the devices between sites.
.. just brainstorming!
We do that. We automated the move to the appropriate site by tying into our ServiceNow system, which is the source of all information about everything, everywhere, forever... heh. They come into a DEP-Imaging site, where global things are done, and they they are shuttled off to their assigned site to get the area specific stuff done.
We did a JNUC 2020 presentation on the workflow that we came up with to address this same problem: https://youtu.be/JkFej42ueNk.
We have over 130 sites (one for each school) with one ADE instance. The high-level overview of the workflow is:
1. Apple assigns devices to our iPad MDM (auto assign set for iPads, iPhones, and iPods)
2. That ADE instance is linked to a site that we call "00 - Onboarding", where all mobile devices are enrolled.
3. Inside this site is the iPad prestage enrollment.
4. Schools enroll devices with the naming convention of "XXXX-Whatever", where xxxx is the school's four-digit location number.
5. Once the iPads are enrolled into the Onboarding site, we have a cron job script on a remote server iterate through devices and physically moves them to the correct site (again, based off device name).
This workflow has been working super well for over 2 years. Right now the cron job just runs every 5 minutes, which is admittedly, not optimal. I am looking to make this more efficient this summer by implementing a webhook server that can handle the script on a per-device instance, instead of constantly polling the server for newly enrolled devices.
Hopefully this helps!