Remote MDM removal and replacement

RC408
New Contributor II

Hi, I had a question regarding removing our current JAMF MDM profile and replacing it with a new one from the new company taking us over.

I'm trying to do this with as little user input as possible. I've tried creating a policy to drop off the new MDM profile, then running the "remove framework" command to remove the current profile. I also had a script in the policy to run afterwards to install the new MDM profile.

So far the only thing working with this process is the delivery of the new package (MDM profile) and the removal of the current one.

The new profile isn't getting installed. Has anyone tried something like this before successfully?


jcarr
Release Candidate Programs Tester

In the macOS High Sierra timeframe, Apple introduced the concept of "user approved" enrollment. This essentially precludes the ability to enroll a device without the user accepting the enrollment (either by entering credentials when installing the profile, or by proceeding through Setup Assistant in the case of Automated Device Enrollment).

You could unmanage the existing devices and then send user initiated enrollment invitations via email or direct users to the enrollment URL, but the simplest solution may be to just maintain the existing MDM until such time as those devices are replaced.

AJPinto
Honored Contributor III

Apple only allows for the automated removal of an MDM profile. To install an MDM profile you either need user interaction, or you need to use Automated Device Enrollment. Unlike with Windows device management, you cannot simply move "tenants" with macOS and MDM.

Really you need to reprovision your fleet if you want to keep full management/supervision over your devices, assuming you are already using Automated Device Enrollment.

mm2270
Legendary Contributor III

I hear you on this. I'm working on migrating a small group of Macs into a Jamf cloud server that we recently migrated to. Unfortunately, you will have to remove the old MDM profile, which can be done with an API command sent from the old server (if we're talking about a Jamf to Jamf migration), and then you will need to issue a command to direct the Mac to enroll into the new server. The user will have to do some work, such as allowing the new MDM profile to be installed, and entering an admin account name and password.

One thing I can't stress enough: if you don't already have those Macs synced in Apple Business Manager to the new Jamf server, make that happen. By doing so, you can add those devices into a PreStage Enrollment, and when you run a sudo jamf profiles renew -type enrollment command on the Mac, it will prompt to enroll into the new Jamf server and become supervised. If you don't do that, the users will need to go through the User Initiated Enrollment steps, which is more manual and involves extra steps for them to follow. While it's not possible to do what you're after seamlessly, it can at least be minimized if you have them in a PreStage Enrollment on your new server.
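
As an added example (not code from this thread, from Jamf, or from Apple), a small triage script that applies the advice above before you touch a Mac: it reads the output of Apple's profiles status -type enrollment to tell whether the Mac has an ADE record (so assigning it to the new server in ABM plus a PreStage and running sudo profiles renew -type enrollment will pull the new enrollment) or whether it only ever had User Initiated Enrollment. The two-line status format and the SAMPLE_STATUS text are assumptions, constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: triage a Mac before the re-enrollment step
# mm2270 describes, to see whether the ABM/PreStage path (Apple's
# `sudo profiles renew -type enrollment`) applies or the user must do UIE.
# Assumption: `profiles status -type enrollment` prints the two lines shown in
# SAMPLE_STATUS, which is constructed here so the script runs offline.

SAMPLE_STATUS='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'

# field LABEL TEXT: value after "LABEL:" in TEXT, whitespace trimmed.
field() {
  printf '%s\n' "$2" | awk -v lbl="$1" '
    index($0, lbl ":") == 1 { v = substr($0, length(lbl) + 2)
      gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }'
}

# Classify from the status text: ade-supervised, ade-unapproved,
# ade-not-enrolled (ADE record but no MDM), uie-only, not-enrolled, unknown.
classify_enrollment() {
  dep=$(field "Enrolled via DEP" "$1")
  mdm=$(field "MDM enrollment" "$1")
  case "$dep|$mdm" in
    "Yes|Yes (User Approved)") echo ade-supervised ;;
    "Yes|Yes"*)                echo ade-unapproved ;;
    "Yes|No")                  echo ade-not-enrolled ;;
    "No|Yes"*)                 echo uie-only ;;
    "No|No")                   echo not-enrolled ;;
    *)                         echo unknown ;;
  esac
}

# Next action per class, following the thread's advice.
next_step() {
  case "$1" in
    ade-*) echo "Assign to the new server in ABM and a PreStage, then run: sudo profiles renew -type enrollment" ;;
    uie-only|not-enrolled) echo "No ADE record: user must complete User Initiated Enrollment on the new server" ;;
    *) echo "Could not parse enrollment status; inspect manually" ;;
  esac
}

# Use --live on a real Mac to read the actual status instead of the sample.
if [ "${1:-}" = "--live" ]; then
  status=$(profiles status -type enrollment 2>/dev/null)
else
  status=$SAMPLE_STATUS
fi
cls=$(classify_enrollment "$status")
echo "$cls: $(next_step "$cls")"
```

Run it with --live on each Mac (as root) to get a per-device answer before sending the old server's unmanage command, so you know which users need the UIE instructions.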

mickl089
Contributor III

If my units have already been transferred to the new ABM, how can I make it so that these units are in the new prestage? How do I add them?