Rolling out DEP/MDM to address SKEL

DEP wouldn't affect existing Macs unless you have them back-filled by your supplier, it would only affect newly-purchased machines purchased through your supplier. DEP enrollment happens mainly after initial installation of a machine - it kicks in right after first boot, before you create an account or set anything up - so you'd know whether it did that or not, otherwise you have to set up an account, log in, and run a QuickAdd.pkg manually. (If, for some reason, DEP fails initially and you do this with a DEP-enabled machine it will kick in after the fact.)

You will need to configure a basic DEP profile for DEP-enabled machines.

MDM, on the other hand, would roll out to your fleet. The computer records would remain - MDM isn't a replacement for the jamf binary, it's essentially an addition to the management capabilities.

You definitely want to get DEP and MDM set up if you can, because that's really the future of Macs at this point.

Say I set up DEP and MDM, how can I make sure the systems are enrolled in MDM from the DEP workflow and the binary doesn't do it? I really need to be able to control security-sensitive settings without user approval.

In my experience, the binary will automatically enroll the device in MDM, can that be turned off so DEP gets a chance to do it instead?

Hi @alexjdale

DEP enrolment will only trigger during the initial Setup Assistant, so unless you're willing to wipe and redeploy (not reimage) devices, this might not be an option for you. It'll still be worth configuring now so that you may benefit in the future.

There are hacky ways around getting a device to rerun DEP post-deployment, but it'd be best to avoid them unless absolutely necessary.

Hope that helps

Darren

So what I'm hearing is that I need to get MDM out ASAP to grandfather our existing fleet before 10.13.2, and then go DEP-only for every new or re-provisioned device after "Spring 2018" when DEP becomes a requirement for "security-sensitive" settings management.

Sigh.