Rolling out DEP/MDM to address SKEL

Valued Contributor III

We aren't currently using MDM at all (no APNs access from our JSS), but I'm looking at rolling out DEP with JAMF MDM to our existing Mac population just so we can manage SKEL.

My question is this: if we roll out DEP and MDM to our already-managed Macs, would that be seamless? If we aren't configuring any enrollment/pre-stage actions, will the systems just quietly enroll in JAMF MDM into their existing computer records without anything weird happening?

Further, how can I make sure they are enrolling from DEP, since if JAMF enrolls them from the binary, it won't do what we need?


Contributor III

DEP wouldn't affect existing Macs unless you have them back-filled by your supplier; it would only affect newly purchased machines bought through your supplier. DEP enrollment happens mainly after initial installation of a machine - it kicks in right after first boot, before you create an account or set anything up - so you'd know whether it did that or not; otherwise you have to set up an account, log in, and run a QuickAdd.pkg manually. (If, for some reason, DEP fails initially and you do this with a DEP-enabled machine, it will kick in after the fact.)

You will need to configure a basic DEP profile for DEP-enabled machines.

MDM, on the other hand, would roll out to your fleet. The computer records would remain - MDM isn't a replacement for the jamf binary, it's essentially an addition to the management capabilities.

You definitely want to get DEP and MDM set up if you can, because that's really the future of Macs at this point.

Valued Contributor III

Say I set up DEP and MDM, how can I make sure the systems are enrolled in MDM from the DEP workflow and the binary doesn't do it? I really need to be able to control security-sensitive settings without user approval.

In my experience, the binary will automatically enroll the device in MDM, can that be turned off so DEP gets a chance to do it instead?

Contributor III

Hi @alexjdale

DEP enrolment will only trigger during the initial Setup Assistant, so unless you're willing to wipe and redeploy (not reimage) devices, this might not be an option for you. It'll still be worth configuring now so that you may benefit in the future.

There are hacky ways around getting a device to rerun DEP post-deployment, but it'd be best to avoid them unless absolutely necessary.

Hope that helps
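To answer the "how can I make sure they enrolled from DEP and not from the binary" question in practice, here is an added example (not code from anyone in this thread, and not a Jamf tool) that classifies a Mac's enrollment state from the output of `profiles status -type enrollment`, the built-in check that Apple added in macOS 10.13.4 (run it with sudo on the Mac itself). It assumes the two-line output format that command prints, `Enrolled via DEP: Yes/No` and `MDM enrollment: Yes (User Approved)` / `Yes` / `No`; the three sample outputs in the block are constructed for offline use, not captured from a real machine.

```sh
#!/bin/sh
# Added example: classify MDM enrollment from `profiles status -type enrollment`
# (macOS 10.13.4+; typically run as: sudo profiles status -type enrollment).
# Assumed output format:
#   Enrolled via DEP: Yes
#   MDM enrollment: Yes (User Approved)

# classify_enrollment: reads the command's output on stdin and prints one of
#   dep                  - enrolled through DEP (always counts as user approved)
#   user-approved        - enrolled by QuickAdd/binary, user approved the profile
#   enrolled-unapproved  - enrolled by QuickAdd/binary, NOT user approved;
#                          security-sensitive payloads will be ignored
#   not-enrolled         - no MDM profile at all
classify_enrollment() {
    dep=no; mdm=no; approved=no
    while IFS= read -r line; do
        case "$line" in
            "Enrolled via DEP: Yes"*) dep=yes ;;
            "MDM enrollment: Yes"*)
                mdm=yes
                case "$line" in *"User Approved"*) approved=yes ;; esac ;;
        esac
    done
    if [ "$mdm" = no ]; then
        echo not-enrolled
    elif [ "$dep" = yes ]; then
        echo dep
    elif [ "$approved" = yes ]; then
        echo user-approved
    else
        echo enrolled-unapproved
    fi
}

# Constructed sample outputs (not from a real Mac) covering the three cases
# the thread cares about: DEP, binary-only enrollment, and no MDM at all.
SAMPLE_DEP='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'
SAMPLE_BINARY='Enrolled via DEP: No
MDM enrollment: Yes'
SAMPLE_NONE='Enrolled via DEP: No
MDM enrollment: No'

# live_check: run the real command on a Mac; fails cleanly elsewhere so the
# same script can be dropped into a Jamf extension attribute unchanged.
live_check() {
    if command -v profiles >/dev/null 2>&1; then
        profiles status -type enrollment 2>/dev/null | classify_enrollment
    else
        echo "profiles(1) not available on this host" >&2
        return 1
    fi
}

# Demonstration on the constructed samples
printf '%s\n' "$SAMPLE_DEP"    | classify_enrollment
printf '%s\n' "$SAMPLE_BINARY" | classify_enrollment
printf '%s\n' "$SAMPLE_NONE"   | classify_enrollment
```

Wrapping `live_check` in an extension attribute lets you smart-group on the result, so any machine reporting `enrolled-unapproved` is visibly one whose security-sensitive profiles will not apply. Separately, on 10.13.4 and later `sudo profiles renew -type enrollment` re-runs the DEP enrollment on an already deployed Mac without a wipe, which is the supported version of the "hacky ways" mentioned above.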


Valued Contributor III

So what I'm hearing is that I need to get MDM out ASAP to grandfather our existing fleet before 10.13.2, and then go DEP-only for every new or re-provisioned device after "Spring 2018" when DEP becomes a requirement for "security-sensitive" settings management.