Removing scoped policies?

Rayfield
New Contributor III

Here's our scenario: we map printers to individual laptops depending on the rooms they visit, and sometimes those laptops get redeployed to a different staff member for various reasons. Some devices can have up to 10 printers installed on them via a policy, which can be time consuming.

We'd like the ability to either run a policy to remove these laptops from the scope or easily go into the device to remove the policy. Is there any way we can do that besides going into the actual policy and removing the device from there?

We do wipe/enroll the devices between employees, but since the policies are attached to the device it does not remove them. We'd prefer not to have to delete the devices from Jamf between enrollments if we don't have to, but so far that's the only way we've found to do this.

I'd be happy with a script, self service policy, something on enrollment, any suggestions out there?


JustDeWon
Contributor III

It's not tied to your old policy; it doesn't work that way. Your device gets a new computer ID upon enrollment, so policies applied to that device will be based upon your policy trigger and scope. Double check your printer policies, scope, and policy trigger.

mm2270
Legendary Contributor III

@JustDeWon That's actually not correct, at least not based on what the OP has explained. If the device is physically the same machine, and the device record hasn't been removed from inside the JPS, then when it gets re-enrolled into Jamf, it adopts the same device record, because the UUID of the machine is the same and it matches up. This is by design, since you would not want Jamf Pro creating new records every time the same Mac is re-enrolled and cluttering up the inventory.

And since the policy/policies are using static computer assignments and not a Smart Group, the machine ends up landing into the same policies after being wiped (OS) and re-enrolled. I've seen this happen on many occasions myself in the past, which is why I tend to shy away from using static scope assignments in favor of Smart Computer Groups for policies.

@rleatherwood If possible, you might want to switch to using some kind of smart group assignment for the scope of those policies instead of static assignments, but if that's not an option, the API can be of some help.

According to the Classic API documentation, the <computer_deletions> tag is available when updating policies using PUT, in addition to other more common objects, like computer groups. Most people use <computer_additions> and <computer_deletions> on groups, not on policies, but it does work on those as well. Only for static computer assignments, of course.

Here's an example script that would remove the computer the script itself is running on from a known policy, by the policy ID. Although you could search for policies using their names as well, it's safer to use the ID since it won't run afoul of special character encoding issues in the API. This script could be expanded a bit to work against a range of policies, for example by adding a bash array at the top containing all the policies you want the computers' scope removed from, and looping over those IDs. But hopefully this can help you out a bit.

#!/bin/bash

## Jamf Pro username, password and the policy ID we want to edit
## These can be statically assigned in the script but should at least be passed as script parameters (i.e: $4, $5, $6)
API_USER="apiuser"    ## Change to the username, or use script parameters
API_PASS="apipass"    ## Change to the password, or use script parameters
POLICY_ID="10"        ## Change to the policy ID you want to update

## Get the Jamf Pro URL the machine is enrolled into from the Jamf plist file
## (jss_url is stored with a trailing slash, so JSSResource is appended directly)
JPS_URL=$(/usr/bin/defaults read /Library/Preferences/com.jamfsoftware.jamf.plist jss_url)

## Get the machine's UUID/UDID from the system itself (using ioreg)
DEVICE_UDID=$(ioreg -rd1 -c IOPlatformExpertDevice | awk -F'"' '/IOPlatformUUID/{print $4}')

## Remove the device from the policy's static scope via <computer_deletions>
## The payload is double-quoted so the UDID expands inside one shell word
curl -X PUT -H "Content-Type: application/xml" \
    -u "${API_USER}:${API_PASS}" \
    "${JPS_URL}JSSResource/policies/id/${POLICY_ID}" \
    --data "<policy><scope><computer_deletions><computer><udid>${DEVICE_UDID}</udid></computer></computer_deletions></scope></policy>"
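The multi-policy variant suggested above, written as an added example rather than mm2270's own script: the payload and URL builders are separate functions, policy IDs are validated before any request is sent, and each PUT's HTTP status is checked so a failed removal is reported instead of silently ignored. It assumes the Classic API PUT behaviour described in the post, that the API username and password arrive as Jamf script parameters $4 and $5, and that $6 carries a space-separated list of policy IDs; all function names are hypothetical.

```shell
#!/bin/bash
## Added example: remove this Mac from the static scope of several Jamf Pro
## policies at once using the Classic API <computer_deletions> tag.
## Assumes $4=API user, $5=API password, $6="10 11 12" (policy IDs). Names are hypothetical.

## Build the XML body that removes one UDID from a policy's static scope
build_deletion_xml() {
    printf '<policy><scope><computer_deletions><computer><udid>%s</udid></computer></computer_deletions></scope></policy>' "$1"
}

## Join the JPS URL and resource path without doubling or dropping the slash
build_policy_url() {
    local base="${1%/}"   # jss_url normally ends in "/", strip it if present
    printf '%s/JSSResource/policies/id/%s' "$base" "$2"
}

## Policy IDs must be numeric; anything else is a configuration error
is_numeric() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

## Remove the UDID from every policy ID given, one PUT per policy.
## Returns the number of failures so Jamf marks the policy run as failed when non-zero.
remove_from_policies() {
    local base_url="$1" udid="$2"; shift 2
    local failures=0 id url code
    for id in "$@"; do
        if ! is_numeric "$id"; then
            echo "Skipping invalid policy ID: $id" >&2; failures=$((failures + 1)); continue
        fi
        url=$(build_policy_url "$base_url" "$id")
        code=$(curl -s -o /dev/null -w '%{http_code}' -X PUT \
            -H "Content-Type: application/xml" \
            -u "${API_USER}:${API_PASS}" \
            --data "$(build_deletion_xml "$udid")" "$url")
        case "$code" in
            200|201) echo "Removed from policy $id" ;;
            *) echo "Policy $id: HTTP $code" >&2; failures=$((failures + 1)) ;;
        esac
    done
    return "$failures"
}

## Only run when launched by Jamf with its parameters ($1-$3 are supplied by Jamf)
if [ $# -ge 6 ]; then
    API_USER="$4"; API_PASS="$5"
    JPS_URL=$(/usr/bin/defaults read /Library/Preferences/com.jamfsoftware.jamf.plist jss_url)
    UDID=$(ioreg -rd1 -c IOPlatformExpertDevice | awk -F'"' '/IOPlatformUUID/{print $4}')
    # $6 is intentionally unquoted so it splits into individual policy IDs
    remove_from_policies "$JPS_URL" "$UDID" $6
fi
```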

Rayfield
New Contributor III

Interesting, thanks. I'll play around with that when I get some free time.

Thanks for the reply! But maybe we can figure out a way to make smart groups work; we have our desktops in smart groups for printers, just not our laptops.

JustDeWon
Contributor III

@mm2270 My wipe/re-enroll mindset is running off our standard: remove the device from the JSS. If that's not happening, then yes, your point is valid.