Smart Groups from Enrolled Macbooks

New Contributor

Looking to see if there's a way to create a Smart Group for Macbooks already enrolled in the Jamf database. These Macbooks need to be unenrolled from Jamf on-prem server and reenrolled to the Jamf cloud. My hope is that when we move these Macbooks over without Jamf cloud seeing them as fresh out-of-the-box Macbooks and push out the zero-touch enrollment for these devices which adds all our company apps to the process. Adding 10-20 minutes of downloads and installs unnecessarily.

Can there be a Smart Group that can differentiate these devices from Macbooks that never enrolled?



Are you working with Jamf to do your migration to Jamf Cloud? There are ways to migrate from the on-prem instance to  Jamf Cloud that would not require re-enroll. 

New Contributor
We are not working with Jamf services. We have scripts available in
Self-Service to do the unenroll and reenroll. But our Jamf Cloud sees the
Macbook as a new device to enroll and pushes out our zero-touch
policies and packages.

These Macbooks need to be enrolled unless I suppress the new hire
enrollment policy; I am having a hard time setting up an attribute
extension that can read the device-assigned date in Pre-Stage enrollment as
an option to differentiate the out-of-the-box Macbooks with the Macbooks
that need to be enrolled to the Jamf Cloud from on-prem. If that makes

*Best regards,*

* David Larsen*

Sr. Systems Analyst

1330 O’Brien Drive

Menlo Park, CA 94025

*T: ‪(650) 229-8216‬ | M: (510) 316-0419*

* *


This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
This message may contain privileged and / or confidential  information. If
you are NOT the intended recipient of this message, copying, printing,
disseminating, forwarding or any other use or action derived from its
content is strictly prohibited. Please notify the sender immediately by
e-mail if you have received this e-mail by error and delete this e-mail
from your system. If you received the email by error and this message
contains patient information, please report the error by contacting the
Personalis Clinical Laboratory at

Valued Contributor II

You woudl have to be something on your existing devices that you could write an extension attribute against. For example, we have a BOM fail that we write at the end of enrollment that indicates enrollment is complete, That way, if we have to re-enroll a computer, the main enrollment script does not run. 

You could also do a Smart Group that looks for an application to be installed, maybe a security product that your computers already have installed?


I agree with this approach. I might make it even easier: create a policy that drops some dummy file in like /Users/Shared/ or some other more hidden path like /private/var/tmp/.enrolled.mac & set the permissions to 1644 or whatever so that the automations that clean up don't remove that file. You can then make an EA that  detects the presence of that file.