Posted on 03-26-2017 02:02 PM
Warning: I'm one of those people who drive true IT people nuts! I inherited a job I wasn't trained for and am still learning something new every day. So please forgive my ignorance.
When we implemented JAMF two years ago and went through the 3-Day JumpStart, for some reason (I'm sure there was a good reason at the time?!) our JSS server address was set to .local instead of .com.
I'm only now realizing the limitations of this from a policy deployment standpoint now that I am delving more into what all I can do with this great tool. Our IT support company did get me set up so that I can use the .com address and access the JSS from off campus. But if I change the address to .com within the JSS, I'm going to hose a bunch of stuff, I assume, and will need to re-enroll all of my devices. So what exactly does that mean? Re-enrolling computers is as simple as creating a new QuickAdd package and pushing out via ARD, correct? But what about my iOS devices? Given that it was a bit more complicated to add them via pre-stage enrollments in the first place, I imagine this is not an easy fix. If it involves revoking apps, resetting devices manually, and having to start from scratch, this isn't something I'm going to think about doing until we are out for the summer.
Thanks in advance for any advice/anecdotal or otherwise.
Posted on 03-26-2017 07:49 PM
It's actually not a painful process on the user side.
If the machines are checking in to the JSS already and you've got the resources, clone the JSS to a second server, update the DNS on the new server, certs & MDM certificates. Then create a QuickAdd using the Recon app from the Casper Suite. Upload the QuickAdd you've just created to the old .local server and have it run on every machine on any event trigger you choose.
That way you'll preserve all records of the machines as they'll assume the record they already had.
Posted on 03-26-2017 09:21 PM
The above is correct for macOS machines but your suspicions about iOS are correct. You will need to re-enroll those devices.
Posted on 03-27-2017 04:21 AM
The iOS devices will definitely need to be enrolled; the migration plan above should work with Macs, but much testing is in order.
As for the one that "drives the true IT people nuts"... according to our network guys, that's my job... how did you get it? I laugh a bit about that, remembering that I think all Apple IT does that, what with clearing ports, entire slash-8s and special proxy arrangements.
Seriously though, your challenge will be the iOS devices... hopefully self re-enrollment will work for you on those. In our case we use DEP based enrollment. Wiping user devices to do that is not fun.
Posted on 03-27-2017 07:32 AM
This is such a pain for us that I've spent years maintaining an old domain just to keep the JSS running smoothly hoping that JAMF and Apple will come out with a way to allow an MDM reenrollment command on the mobile side. So far....no luck....
Gabe Shackney
Princeton Public Schools
Posted on 03-27-2017 07:36 AM
We effectively had to create a grandfather policy for server names... three years ago we instituted a new server naming policy....for the JSS and 2 other servers...we grandfathered in the old names so we didn't have to deal with big changes like this.
Posted on 03-27-2017 08:40 AM
This is a summer project for me as well. I'd suggest investing in a handful of lightning keyboards and a few friends to knock them out as quickly as you can.
I'm considering blasting them all with a Wi-Fi config profile via Apple Configurator first to avoid that step. Either that or setting up a temporary guest network that only allows traffic from iOS devices. Haven't decided yet.