Recon Removal - JAMF Continue to remove useful components from products

wolfhead
New Contributor III

Following on from the removal of Remote which was unbelievably useful and has no replacement, Recon has been removed and with it my ability to create a QuickAdd package to add a system into JAMF which is already set up and in operation.

How are people dealing with this now if you did use QuickAdd now and then?

9 REPLIES 9

sdagley
Esteemed Contributor II

@wolfhead This is my personal opinion, and I'm not speaking for Jamf or Apple here, but it's been pretty clear for a while that we're moving towards a future where fully managing a Mac is going to require it be enrolled in an MDM via ADE/DEP, and there's no place for using QuickAdd in that world.

I realize not everyone is using ABM/ASM which is a required component of the ADE/DEP process, and it isn't available everywhere, but if it is available in your country you should look at it sooner rather than later.

wolfhead
New Contributor III

All of the computers I'm talking about are in ASM, and they are now assigned to JAMF the point being, however, that they were not set up that way originally. There was previously no need for them to be in an MDM due to their environment and use, but now there is, however, short of erasing them, quickadd would have allowed us to add them in and gain MDM management. 

It is not a case of not having or not using DEP/ASM etc etc it is a case of having options that do not involve having to erase a perfectly functioning system.  Yes, quickadd was not perfect but it was a fix to this sort of situation.

sdagley
Esteemed Contributor II

Enrolling via QuickAdd does not convey the full management capabilities that an ADE/DEP enrollment does. Yes, erasing a functioning system to enroll it is less than ideal, but it's not something you'd be doing to the same machine over and over. You do it once and carry on. The world of setting up Macs changes. I have fond memories of building Macs via NetRestore, and really fond memories of imaging MacBook Airs via Thunderbolt 2 with DeployStudio, but those things are gone now.

I'm confused. Can you not enroll them using user initiated web enrollment? I've used that in the past for BYOD. 

mm2270
Legendary Contributor III

The QuickAdd method of enrollment has been, if not dead, certainly only on life support for some time now. The handwriting was on the wall from Jamf for a long time that this was going to go away, so it should come as no real surprise.

The main purpose of the Recon.app was to enroll Macs that the app was running on, or to build out a QuickAdd.pkg from an admin machine. It had a couple of other functions, but they were minor in comparison to the enrollment stuff, so I guess Jamf didn't think it was worth keeping it around for just doing an inventory update direct on a machine or whatever. I don't blame them. The app would have been (and probably was already) dead weight that they don't need to keep supporting.

As @sdagley has already stated, you should be moving on to an MDM enrollment method. If you're not using ADE/DEP, then a manual enrollment using User Initiated Enrollment still works (assuming you or a tech are doing the enrolling with admin rights), and pulls down the MDM profile to install, and everything else just flows into place.

Honestly the only reason to use a QuickAdd pkg anymore would be if you had some really ancient Macs that could not run an OS from Apple made within the last 4-5 years. If you still have Macs that old, I hope they are being considered for replacement soon, since they would represent a significant security risk these days.

wolfhead
New Contributor III
I can only assume you do not work in public education. If you believe that
4-5 years old for a Mac is so old that they should be considered for a
placement :-)--
————-
Matthew Young

Network and Computer Systems Administrator
Cape Elizabeth School Department
Maine USA

--
*----------------------------------------------------

**Under
Maine's
Freedom of Access law, documents - including e-mail - about
school
district business are classified as public records and may be
subject to
disclosure.*

<>
*Open Minds and Open Doors
<>*

mm2270
Legendary Contributor III

Ah, but you misunderstand. I never said 4-5 year old Macs, I said Macs that can't run an OS from Apple released in the last 4-5 years, which would put those Macs probably at close to 8 years old in most cases. 

I have Macs I manage from 2018, so going on 5 years old now, BUT, they can run the current version of macOS Ventura, or at the very least the last release of Monterey.

Granted, yes, in edu I can see 8 year old Macs still being in use, but it's a sketchy practice. As Apple only releases security updates in an N-2 model, that would mean that at the least your Macs should be able to run macOS Big Sur to stay abreast of security updates (and even on Big Sur it's iffy since Apple doesn't always follow their own model).

Following this, IF the Macs can run Big Sur (or greater), then they can be enrolled using the UIE (User Initiated Enrollment) method, which does not require a QuickAdd.pkg. A QuickAdd would only be needed for very old OS versions that didn't support that method of MDM enrollment. I honestly can't recall now where the cut-off was, (maybe it was High Sierra?) but I'm sure it can be found with a quick Google search.

_gsm
New Contributor III

sudo profiles renew -type enrollment

AJPinto
Honored Contributor III

The removal of Quick Add Packages has nothing to do with JAMF. Apple "broke" that work flow, it would not matter if JAMF still had a Quick Add Package as it would not work. Pretty much anything else the Recon.app did you can still do with the Recon Binary or there are better tools out there for that function. 

 

As for what are we doing.

  • Device Enrollment: The only way I allow devices to enroll in the environment I manage is with Automated Device Enrollment. Which apple has been very clear on being the way they want organization owned devices enrolled. 
  • Device Assignment: I have a script that runs for new users, it reads who the user is (or prompts if necessary) and takes that information and runs the Recon Binary to assign the Mac to the user.
  • Management Account: Handled with Device enrollment.
  • Network Scanner: There are better tools out there, that and I am a MDM Engineer, not a Network Engineer so I really don't care what is on the network most of the time.
  • Asset Tags: We have not used asset tags in years, but this can be set with CLI
  • Bar Codes: We have never used bar codes, the Mac's SN is sufficient. That and this can also be done with CLI.