re-enroll an existing system that is already in jamf

ostrowsp
Contributor

We have a few systems that are no longer communicating with Jamf Pro. We are at the point where we need to re-enroll these systems. These are live systems that we do not want to wipe. What is the best way to re-enroll?

Running: profiles renew -type enrollment locally on the systems? Does the MDM profile have to be removed before this command is run? Is there a need to delete the computer out of Jamf first? Most systems are 11 or higher though a few are on 10.15.

 


andrew_nicholas
Valued Contributor

If the MDM actions are still working you can probably just either re-run the enrollment from the command line using jamf enroll command line object or leverage the API to reissue the management framework. Here is a good primer. I used this method to fix a number of remote devices, though several of the devices did have to be restarted in order to begin checking in again. You can either ask the users kindly to do this, or leverage the API to issue restart commands/softwareupdates.

ostrowsp
Contributor

Thanks, but still on Jamf 10.32.2

Is profiles renew -type enrollment a good way to re-enroll?

You can use that, but if the device has been online for a while (a year or more) I believe there was a particular keychain item that needed to be removed before that would work. So long as the MDM connectivity is still working, just using the jamf framework to reenroll the device either with an input from the command line or using invitation ID.

Thanks, do you know what needs to be deleted from the keychain, or Jamf documentation/post on this?

I have not tested this fully, and pulled it from a similar VMware article about this, but I believe these are the necessary items that need to be removed:

rm /var/db/.AppleSetupDone

rm -rf /var/db/ConfigurationProfiles/

rm /Library/Keychains/apsd.keychain
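
Added example, not part of any post in this thread: before choosing between the options discussed above on a live system, it helps to record whether an MDM profile is still installed, which is what `profiles status -type enrollment` reports. The sketch below classifies that output; the function names, state labels and sample outputs are constructed for illustration, and the three-line output layout is assumed to match what the Mac prints.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and state labels are
# made up here; the sample outputs below are constructed, not captured.

# Read `profiles status -type enrollment` output on stdin and print one of:
#   mdm-user-approved | mdm-not-approved | mdm-absent | unknown
enrollment_state() {
    awk -F': *' '
        /^MDM enrollment:/ {
            seen = 1
            if ($2 ~ /^Yes/) {
                state = ($2 ~ /User Approved/) ? "mdm-user-approved" : "mdm-not-approved"
            } else {
                state = "mdm-absent"
            }
        }
        END { print (seen ? state : "unknown") }
    '
}

# Print the MDM server URL, if present (empty output when unenrolled).
mdm_server() {
    sed -n 's/^MDM server: *//p'
}

# Constructed sample: profile installed and user approved.
SAMPLE_ENROLLED='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)
MDM server: https://jamf.example.com:8443/mdm/ServerURL'

# Constructed sample: no MDM profile installed.
SAMPLE_ABSENT='Enrolled via DEP: No
MDM enrollment: No'

# On a Mac, feed the live output instead:
#   profiles status -type enrollment | enrollment_state
for sample in "$SAMPLE_ENROLLED" "$SAMPLE_ABSENT"; do
    printf '%s\n' "$sample" | enrollment_state
done
```

Capturing the state and server URL before and after a re-enrollment attempt gives a record of whether the attempt changed anything.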