re-enrollment of multiple computers at once

pty10
New Contributor III

I was wondering if there's a way to re-enroll multiple computers at once? I'm using Casper 9.6, created a few new policies, configuration profiles, managed preferences, etc., and I find that the only way I can get all the changes I made to deploy to the computers is if I re-enroll them.

I can re-enroll them one by one via Terminal on the computer by using the command: sudo jamf enroll -prompt

Or I can use Recon in Casper Suite to re-enroll, but I can't see an option to mass enroll.

Is it possible to mass re-enroll?

Cheers,

Henry

7 REPLIES

jbmiller
New Contributor III

We use a QuickAdd package bundled with Apple Remote Desktop to target the machines we want individually or en masse without using Recon on the whole network.

pty10
New Contributor III

Could you tell me a bit more? Do you have to use a policy to deploy the quick add package to all computers before you can use remote desktop?

jbmiller
New Contributor III

You can create the QuickAdd package with the Recon application, then in Apple Remote Desktop, select the computers you want to enroll and click the install package icon. Drag your QuickAdd package into the window and click install. Now the computers will enroll themselves in your JSS and be ready for policy deployment.

thoule
Valued Contributor II

You can do it command line like this:
Create an Enrollment Invitation. Don't worry about the email information (to/from stuff). Set the expiration date pretty far out as well. And be sure to check 'Allow Multiple Uses'.

Once you've created it, click on it in the JSS to look at it and you'll see Invitation ID, a very long string. Then you can use the following command to re-enroll the machines.

/usr/sbin/jamf createConf -k -url JSS.company.com;/usr/sbin/jamf enroll -invitation INVITEKEYHERE

That createConf part (before the ; symbol) may be unnecessary if these machines were already enrolled in the same JSS. You can push that out to machines however you'd like.

Of course, that being said, I'd look into why you need to re-enroll these machines at all. Are the policies set to "once per computer" or something? Give us some log files and let's address that!
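Added example, not part of the post above and not Jamf's own code: the createConf/enroll pair wrapped as a function for pushing out, run without -k (which lets the binary accept an untrusted JSS certificate) and refusing to run with the unfilled placeholder. The `reenroll` function, the `JAMF_BIN` override, the HTTPS-only rule and the alphanumeric check on the invitation ID are assumptions; `checkJSSConnection` is a jamf binary verb the thread does not mention.

```shell
#!/bin/sh
# Added example: guarded re-enrollment wrapper (assumed names, not from the thread).
# JAMF_BIN can be overridden for testing; it defaults to the path used in the post.
JAMF_BIN="${JAMF_BIN:-/usr/sbin/jamf}"

# reenroll <jss_url> <invitation_id>
# Return codes: 0 ok, 2 bad input, 3 createConf failed,
#               4 JSS unreachable or untrusted, 5 enroll failed.
reenroll() {
    jss_url="$1"
    invitation="$2"

    # Assumption: the JSS is reached over HTTPS, so anything else is rejected.
    case "$jss_url" in
        https://*) ;;
        *) echo "refusing non-HTTPS JSS URL: $jss_url" >&2; return 2 ;;
    esac

    # Reject an empty value, the literal placeholder, or stray characters.
    # Assumption: invitation IDs are plain alphanumeric strings.
    case "$invitation" in
        ""|INVITEKEYHERE|*[!A-Za-z0-9]*)
            echo "invitation ID missing or malformed" >&2; return 2 ;;
    esac

    # No -k here: the JSS certificate has to validate before enrolling.
    "$JAMF_BIN" createConf -url "$jss_url" || return 3

    # Confirm the machine can actually reach the JSS with that config.
    "$JAMF_BIN" checkJSSConnection || return 4

    # The multi-use invitation is a reusable credential; it is passed as an
    # argument and never written to disk by this script.
    "$JAMF_BIN" enroll -invitation "$invitation" || return 5
}

# Run only when called with both arguments, e.g. from a policy or an ARD task.
if [ "$#" -eq 2 ]; then
    reenroll "$1" "$2"
fi
```

Because the invitation allows multiple uses, delete it in the JSS once the mass re-enrollment is finished.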

thanzig
New Contributor II

To piggyback off this question... If a push cert has expired and machines had to be re-enrolled... would re-enrolling them fix that or do you have to actually un-enroll a machine first? In my brief testing, re-enrolling doesn't seem to replace an older MDM profile.

I'm not worried about the enrollment options because we can remote enroll them, offer an invitation or push a quickadd package through ARD but I just want to make sure that re-enrolling actually fixes the problem and we don't need to un-enroll the machine or remove the JAMF framework first.

pty10
New Contributor III

@jbmiller

Your solution works, thanks. Just have to make sure that the computer(s) you're looking to enroll are connected to the network and have a valid IP address.

pty10
New Contributor III

@thoule

I will try your suggestion. The reason why I need to re-enroll the machines is that some kids here at the school have found out what the local admin password is; students shouldn't have admin rights to their computers.

With admin rights they can delete the JAMF folder on their computers and that way they can bypass the policies set up in Casper. I have set up a new local admin account in Casper and deleted the old one, but the issue is that even after the computers check in, inventory is updated and the new local admin account policy is applied, you are still able to log in to some of the computers using the old local admin account and password.

To get around that problem I used the CreateUserPKG app using the same old admin username with a new password, created a policy for it, and it works great as long as the computers are re-enrolled. It should be a one-off mass re-enrollment, but I will give your suggestion a try as well.