I just wanted to see if anyone had a "best method" for doing a staged rollout of a policy.
Example: I need to push a certificate to all machines. However, we don't want to push it to everyone all at once. We want to stage it out; in a 1,000 machine environment, maybe something like 50, 100, 150, 300, 400.
The only way I know of how to do this is to create a series of Smart Groups and different policies all doing the same push that are scheduled to go live at different times. For the Smart Groups, you can use the JSS ID range as the criteria.
For ex, say you have 500 Macs, and want to deploy it in groups starting at 50 Macs at a time, but maybe increase the amount with each push.
For SG 1, use the following criteria:
JSS Computer ID | less than 51
which would gather approx. 50 Macs
For SG 2, use the following criteria:
JSS Computer ID | more than 50 and JSS Computer ID | less than 151
which would gather approx. 100 Macs
..and so on, which will group your Macs by their IDs in groups that should not be more than the range you specified.
Then use those groups for the Scope for different policies that all do the same thing, but get enabled on different days/times.
Yes, understood. Our setup is the same. Its been in place for years now. Some IDs are essentially dead here with machines records assigned to them that are either non existent or not checking in, etc, but I don't know if there's any other logical way to do it. You could use some other criteria, like partial Computer names, but you'll never be able to restrict it to only a max number of Macs that way. Using the JSS Computer ID is the only way I know of to ensure the number of systems it gets deployed to at each stage doesn't exceed a certain amount. It will likely be below the amount you're looking to hit, but in my experience from using this method in the past, its usually only the early ID number groups that this happens with. As you climb into the higher ID numbers, these tend to be systems that are still active and checking in, so your hit ratio goes up.