Restrict all policies from a computer

Ricky
Contributor

Hello everyone,

We have a couple computers that are enrolled in JAMF, but we want to make sure they never get any packages or certificates pushed to them. We like the reporting that JSS gives us, especially with the inventory / IP for remote services; but we don't want to risk pushing out a policy to the computer.

Is this possible? I know for each policy we can exclude it. Not only is this a lot of work to do, but we also run the risk of an accidental deployment if someone isn't paying attention.

1 ACCEPTED SOLUTION

stevevalle
Contributor III

@Ricky Have you thought about using sites to do this?

You can create two sites. A "Main" site and a "No Policy" site (or whatever you want to call them!). If you add these computers to the "No Policy" site, then it's a matter of adding all policies to the "Main" site.

As long as all policies are in the "Main" site, policies won't deploy to the "No Policy" site machines.

It's a bit of work to edit all current policies, but it will do the job. It also saves excluding machines from every policy!


4 REPLIES

bentoms
Release Candidate Programs Tester

@Ricky this might be accomplished by unmanaging them in the JSS, although I think that breaks recon.

Another thing you can do is add them to a Static Group, & then add that group as an exclusion for each policy & profile.

dpertschi
Valued Contributor

@Ricky

> I know for each policy we can exclude it. Not only is this a lot of work to do, but we also run the risk of an accidental deployment if someone isn't paying attention.

Yep, this actually jogs my memory about a feature request I've been meaning to submit: we need the simple ability to create templates. Templates for policies, smart groups, advanced searches. I can't tell you how many sets of screenshots and lists I have to remember to set up for certain situations.

But yeah, create an exemption static group and always add that.

dmw3
Contributor III

We actually do the reverse of what @stevevalle does, in that no policies are applied to computers unless they belong to a group; we are using AD security groups for this.
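
One way to check the condition the approaches in this thread depend on (every policy is in the "Main" site, or excludes the exemption static group), as an added example that is not code from any poster or from Jamf. It assumes policy records exported as JSON in the shape of Jamf Classic API policy objects; the sample records and the group name "Policy Exempt" are constructed.

```python
import json

# Constructed sample records, assumed to follow the shape of Jamf Classic API
# policy objects (general.site.name, scope.exclusions.computer_groups).
SAMPLE_POLICIES = json.loads("""
[
  {"general": {"id": 1, "name": "Install Office", "enabled": true, "site": {"name": "Main"}},
   "scope": {"all_computers": true, "exclusions": {"computer_groups": []}}},
  {"general": {"id": 2, "name": "Push Wi-Fi Certificate", "enabled": true, "site": {"name": "None"}},
   "scope": {"all_computers": true, "exclusions": {"computer_groups": []}}},
  {"general": {"id": 3, "name": "Update Inventory", "enabled": true, "site": {"name": "None"}},
   "scope": {"all_computers": true,
             "exclusions": {"computer_groups": [{"id": 9, "name": "Policy Exempt"}]}}},
  {"general": {"id": 4, "name": "Old Printer Driver", "enabled": false, "site": {"name": "None"}},
   "scope": {"all_computers": true, "exclusions": {"computer_groups": []}}},
  {"general": {"id": 5, "name": "Test Package", "enabled": true, "site": {"name": "No Policy"}},
   "scope": {"all_computers": false, "exclusions": {}}}
]
""")


def audit_policies(policies, allowed_site="Main", exempt_group="Policy Exempt"):
    """Return (id, name, reason) for each enabled policy that is neither in
    allowed_site nor excluding exempt_group, i.e. protected by neither control."""
    findings = []
    for policy in policies:
        general = policy.get("general", {})
        if not general.get("enabled", False):
            continue  # disabled policies cannot deploy
        site = (general.get("site") or {}).get("name") or "None"
        exclusions = (policy.get("scope") or {}).get("exclusions") or {}
        excluded = {g.get("name") for g in exclusions.get("computer_groups") or []}
        if site == allowed_site or exempt_group in excluded:
            continue
        reason = f"site is {site!r} and group {exempt_group!r} is not excluded"
        findings.append((general.get("id"), general.get("name"), reason))
    return findings


if __name__ == "__main__":
    for pid, name, reason in audit_policies(SAMPLE_POLICIES):
        print(f"policy {pid} ({name}): {reason}")
```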