Staged Policy Push

tthurman
Contributor III

Hey all,

I just wanted to see if anyone had a "best method" for doing a staged rollout of a policy.

Example: I need to push a certificate to all machines. However, we don't want to push it to everyone all at once. We want to stage it out; in a 1,000 machine environment, maybe something like 50, 100, 150, 300, 400.

Thoughts?

Thanks,
TJ

8 REPLIES

rderewianko
Valued Contributor II

From what I understand, recurring check-in is staged. Not all machines check into the JSS at the exact same time. You can change it from 30 mins -> 1 hour. If you want your policy to be a bit more lightweight, turn off inventory update.

tthurman
Contributor III

What I'm hoping is that I can say: I pushed to these 50 people. Okay, it succeeded. Continue.

Make sense?

tthurman
Contributor III

Or even. Okay. I'm pushing to 50 people on Monday. 100 more people on Wednesday. Then 250 people on Friday.

Regards,
TJ

pblake
Contributor III

Why not simply break your machines into smart groups based on name or something to break them into groups? Then add the groups to the scope one by one.

mm2270
Legendary Contributor III

The only way I know of how to do this is to create a series of Smart Groups and different policies all doing the same push that are scheduled to go live at different times. For the Smart Groups, you can use the JSS ID range as the criteria.
For example, say you have 500 Macs, and want to deploy it in groups starting at 50 Macs at a time, but maybe increase the amount with each push.

For SG 1, use the following criteria:

JSS Computer ID   |  less than   51

which would gather approx. 50 Macs

For SG 2, use the following criteria:

JSS Computer ID   |  more than 50
and
JSS Computer ID   |  less than 151

which would gather approx. 100 Macs

...and so on, which will group your Macs by their IDs in groups that should not be more than the range you specified.
Then use those groups for the Scope for different policies that all do the same thing, but get enabled on different days/times.

tthurman
Contributor III

@mm2270

This is rather tricky because we've had our JSS in place for quite some time and have over 1400 Macs. So the JSS IDs vary quite a bit.

Regards,
TJ

mm2270
Legendary Contributor III

Yes, understood. Our setup is the same. It's been in place for years now. Some IDs are essentially dead here with machine records assigned to them that are either nonexistent or not checking in, etc., but I don't know if there's any other logical way to do it. You could use some other criteria, like partial Computer names, but you'll never be able to restrict it to only a max number of Macs that way. Using the JSS Computer ID is the only way I know of to ensure the number of systems it gets deployed to at each stage doesn't exceed a certain amount. It will likely be below the amount you're looking to hit, but in my experience from using this method in the past, it's usually only the early ID number groups that this happens with. As you climb into the higher ID numbers, these tend to be systems that are still active and checking in, so your hit ratio goes up.
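
Added example, not part of any post in this thread: a small Python helper that takes the JSS Computer IDs of Macs that are still checking in and works out the "more than" / "less than" values for each Smart Group, so that sparse or dead IDs do not shrink the early stages. How the ID list is exported is left open; the function names, the stage sizes and the sample IDs are assumptions constructed for illustration.

```python
from typing import Iterable, List, NamedTuple, Tuple


class Stage(NamedTuple):
    more_than: int  # value for "JSS Computer ID | more than"
    less_than: int  # value for "JSS Computer ID | less than"
    count: int      # active Macs that fall inside the range


def plan_stages(active_ids: Iterable[int], sizes: List[int]) -> Tuple[List[Stage], int]:
    """Cut sorted, sparse computer IDs into consecutive ranges of the given sizes.

    Returns the stages plus the number of active IDs left over once every
    size has been used (those Macs are in no stage yet).
    """
    ids = sorted(set(active_ids))
    stages: List[Stage] = []
    pos, lower = 0, 0
    for size in sizes:
        chunk = ids[pos:pos + size]
        if not chunk:
            break
        # Both bounds are exclusive, matching the Smart Group criteria above.
        stages.append(Stage(lower, chunk[-1] + 1, len(chunk)))
        lower = chunk[-1]
        pos += len(chunk)
    return stages, len(ids) - pos


def sample_ids() -> List[int]:
    # Constructed sample: IDs 1..1499 with every third record dead -> 1,000 active Macs.
    return [i for i in range(1, 1500) if i % 3 != 0]


if __name__ == "__main__":
    stages, leftover = plan_stages(sample_ids(), [50, 100, 150, 300, 400])
    for n, s in enumerate(stages, 1):
        print(f"SG {n}: JSS Computer ID more than {s.more_than} "
              f"and less than {s.less_than} ({s.count} Macs)")
    print(f"Active Macs not in any stage: {leftover}")
```

Stale records whose IDs fall inside a range still appear as Smart Group members, but only Macs that check in will run the policy; Macs enrolled after the plan is made get IDs above the last range and need a later stage.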

mikeh
Contributor II

I've done something similar to @mm2270, but instead of focusing on the JSS Computer ID, I created smart groups based on department, distributing the departments between groups to get a target smart group size around 200 machines.