Re-enrolling for Catalina

lockwojo
New Contributor III

We have been using Jamf for some time and have all our current computers successfully enrolled. At this point the overwhelming majority of Macs are running Mojave. The Macs have all been enrolled using a QuickAdd package.

We are now preparing to allow Catalina. Some of these Macs have T2 chips and with Catalina will therefore be able to support the new Activation Lock feature. (Which sadly Jamf have yet to support themselves.)

The only method to escrow recovery keys for Activation Lock requires the Macs be enrolled via DEP rather than any other method. I therefore wish to re-enrol the T2 Macs via DEP.

Obviously this means removing the enrolment profile on the Mac itself and re-enrolling via DEP. What I would like clarified is the best way to handle the following.

The Macs, being already enrolled, already have a jamfmanager account both on the Mac and in their Jamf computer record, with the password synced between them. If I simply remove the enrolment profile the record remains in Jamf. Furthermore, there is also already a FileVault recovery key escrowed to the Jamf record, and there is also a local admin account with its password stored as an encrypted extension attribute. Therefore merely deleting the computer record to start completely from scratch would definitely not be desirable.

I also want to avoid wiping the Mac, building it, encrypting it, etc. etc. all again; this approach would obviously work and ensure all the above is correctly re-recorded in Jamf.

So what is the most effective way to re-enrol without losing all that information?

For what it's worth, we have not used DEP to start with because -
1. When I joined DEP was not setup with Apple due to a registration problem which I have since solved
2. As a result of the original registration problem some computers have been bought before DEP was setup and cannot ever be DEP enrolled

Fortunately, as I did sort out DEP registration when I joined, even though it has not so far been used, all the T2 equipped Macs are registered to Apple for DEP, so we can now do so.


KrisMallory
New Contributor III

Hmm this one does not sound like an easy task to complete without hands on.

It might be possible to re-enroll using dep without any major changes. If you don't get the answer, I'd run through a few tests.

If you have to remove the agent, I imagine part of it could be deploying a temp local admin account (as a break glass if anything goes wrong), a script which would do some checks to verify the system is enrolled in DEP and in a state to continue with the migration (active network connection, logged in user, etc.), then remove the agent, service account(s), and any other items needed to get the system back to an unmanaged state.

Near the end of the script you could run the command "profiles renew -type enrollment" which would display the DEP enrollment prompt. But I believe this would require a logged in user to click the accept button (the only other way I am aware of would be deleting the applesetupdone file and clicking through the DEP screen after a reboot). Assuming you would be prompting a user click, to ensure that happens you could add a timed loop looking for confirmation that the MDM profile exists and, if it doesn't, either continue to nag the user or maybe even force a logout.

The other part of the package would be a launch daemon and a command to run the script on load.

lockwojo
New Contributor III

@KrisMallory Thanks for the response. I am not concerned over the user seeing the standard DEP enrolment invite and having to accept it. I am more concerned over whether it will 'inherit' the jamfmanager and local admin and FileVault details I mentioned already stored in Jamf.

I am willing to have to involve my IT team in assisting the process; once we have migrated eligible computers to DEP we will in future be able to use DEP for initial enrolments.

By the way, this raises another question. Is there a way to tell via a script if an individual Mac is registered with Apple as being DEP enabled? Apart from anything else this would make it much easier to identify eligible machines. Of course another approach will be to look in the business.apple.com portal but a script would make it possible to create a smart group in Jamf.

KrisMallory
New Contributor III

If the machine name doesn't change and there's an existing record, it should maintain details on FileVault (in some cases, that is; there are a lot of different workflows and methods). The Jamf user account may not, which is why I suggested trying to remove the jamf binary plus accounts and allow them to be recreated when triggering the DEP re-enrollment.

As for the second question on finding DEP vs non-DEP Macs:

'profiles status -type enrollment' will return the info you're looking for.

Derflounder has a good write-up on it, and there are links to scripts and extension attributes.

https://derflounder.wordpress.com/2018/03/30/detecting-user-approved-mdm-using-the-profiles-command-...

Cheers
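The two script pieces discussed in this thread, the DEP/MDM check that the reply above builds on "profiles status -type enrollment" (usable as a Jamf extension attribute to feed a smart group) and the "timed loop looking for confirmation that the MDM profile exists" from the first reply, share one thing: parsing that command's output. The example below is added here and is not code from the thread, from Derflounder or from Jamf. It assumes the two-line output shape "Enrolled via DEP: Yes/No" and "MDM enrollment: Yes (User Approved)/Yes/No" (the embedded samples are constructed to match that shape), that the script runs as root as Jamf runs extension attributes and policy scripts, and a 5-second polling interval; off macOS, where there is no `profiles` binary, it falls back to a constructed sample so the logic can still be exercised.

```shell
#!/bin/sh
# Added example (not from the thread): helpers around `profiles status -type enrollment`
# for (a) an extension-attribute style DEP check and (b) a "wait until the MDM profile
# exists" loop for a DEP re-enrollment script.

# Constructed samples, shaped like the output of `profiles status -type enrollment`.
SAMPLE_DEP_UAMDM='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'
SAMPLE_DEP_NO_MDM='Enrolled via DEP: Yes
MDM enrollment: No'
SAMPLE_NOT_DEP='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'

# profiles_status_output: the real command on macOS (run as root); constructed sample elsewhere
profiles_status_output() {
    if command -v profiles >/dev/null 2>&1; then
        profiles status -type enrollment 2>/dev/null
    else
        printf '%s\n' "$SAMPLE_DEP_UAMDM"   # assumption: not on a Mac, use the sample
    fi
}

# enrollment_field "<output>" "<key>": the value after "<key>: ", empty if the key is absent
enrollment_field() {
    printf '%s\n' "$1" | awk -F': ' -v key="$2" '$1 == key { print $2; exit }'
}

# dep_status "<output>": Yes if Apple has the Mac assigned to DEP, otherwise No
dep_status() {
    case "$(enrollment_field "$1" 'Enrolled via DEP')" in
        Yes) echo Yes ;;
        *)   echo No ;;
    esac
}

# mdm_status "<output>": UAMDM, MDM (profile present but not user approved) or None
mdm_status() {
    case "$(enrollment_field "$1" 'MDM enrollment')" in
        'Yes (User Approved)') echo UAMDM ;;
        Yes*)                  echo MDM ;;
        *)                     echo None ;;
    esac
}

# dep_extension_attribute: Jamf EA result, so a smart group can collect DEP-eligible Macs
dep_extension_attribute() {
    printf '<result>%s</result>\n' "$(dep_status "$(profiles_status_output)")"
}

# wait_for_mdm <max-seconds> <status-command...>: poll every 5 s until an MDM profile
# shows up; returns 0 once enrolled, 1 on timeout (the caller can then nag the user)
wait_for_mdm() {
    deadline=$1; shift
    elapsed=0
    while :; do
        if [ "$(mdm_status "$("$@")")" != None ]; then
            return 0
        fi
        [ "$elapsed" -lt "$deadline" ] || return 1
        sleep 5
        elapsed=$((elapsed + 5))
    done
}

# When run as a Jamf extension attribute: report whether this Mac is in DEP
dep_extension_attribute
```

Used as an extension attribute, the script only needs the final line; in a re-enrollment script, call `wait_for_mdm 600 profiles_status_output` after "profiles renew -type enrollment" and branch on its exit status to decide whether to prompt the user again.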

yuenhongtang
New Contributor III

Hi, has anyone encountered that, after the re-enroller runs, everything migrated to the new JAMF server but somehow users lost permissions on their local folders?