Thoughts on how to quick Re-Enroll

boberito
Valued Contributor

I've been toying around with this thought for a bit. I was wondering if anyone else had any ideas how to do it. Sometimes machines tend to forget their connection to Casper, sometimes machines come back from the Apple store and need to be re-enrolled. These machines already have the packages we want on them so I don't need everything re-installed or scripts run that are set for Post-Enrollment, I just need it rehooked to the JSS.

Is there a way to re-enroll without doing that in a sense? I want to re-enroll the machine, but not full blown enroll the machine, since it really already once was.

11 REPLIES

chriscollins
Valued Contributor

@boberito https://github.com/rtrouton/CasperCheck

boberito
Valued Contributor

@chriscollins how does this caspercheck differ from self heal? https://github.com/jamf/JSSBinarySelfHeal because I've had self heal in place and it seems to wipe out username and department regularly.

jared_f
Valued Contributor

@boberito We made a package (pkg) and used a post install script to install the MDM profile using Composer. If we ever need to re-enroll quickly, that is the way we do it. I just placed the MDM Profile in /tmp and used the following for the post install script:

profiles -I -F INSERT PATH TO PROFILE HERE

*You do need to have a wireless connection, otherwise the profile will fail to install.

el2493
Contributor II

@boberito, did you find a solution for this? We have lab computers that are supposed to login with a lab account and prevent any other users from logging in with AD accounts, but I've noticed that it's not working consistently and some computers have as many as 20-30 MDM Capable Users (when they should only have 1: the lab account). From all I've read the only way to clear out the MDM users is to re-enroll, but it would be nice if that was an easy process and didn't try to re-install all the PKGs that are already installed.

Look
Valued Contributor III

With later versions of the JSS you can choose whether a re-enrol wipes policy logs; if this is set to no, then once-per-machine policies will not re-apply.

https://MY_JSS.COM:8443/reenrollmentSettings.html

The disadvantage to doing it this way is that if you wipe and re-enrol you need to use the following to clear the policy logs and I am not certain if that would cause "On enrollment" policies to run as enrollment would have already occurred at that point (I tend to use once only on startup policies instead).

jamf flushPolicyHistory

It is actually possible to separate out DEP enrollments from manual enrollments by smart group, so if you use DEP in general to initially enroll devices you can scope your initial enrollment policies to only apply to DEP enrollment and then they won't run on a manual re-enroll anyway.

el2493
Contributor II

Thanks for that information, but all our enrollment policies are ongoing (not once per computer) specifically for the reason that we would normally want them to reapply in case of a reimage. The link you provided also doesn't work for me, I think based on what I found online it's for versions 9.100 and more recent (and ours is 9.97).

cscsit
New Contributor III

I have 2 packages created (1 for each individual site) and I just use Apple Remote Desktop to push the package to the Mac and re-enroll it that way. As long as there's an entry for it in Jamf Pro (Casper), it should just take it over and keep applying the existing policies.

iOS devices are a little more complicated since there aren't really many (if any) remote tools such as Apple Remote Desktop. I always have to physically visit the device to re-enroll it. To do that I just go to https://mycasperserveraddress.com:8443/enroll and enroll it that way. Just as with the Mac side, as long as there's already an existing entry for it in Jamf Pro (Casper), then it should just take over and apply the existing config profiles, policies, apps, etc.

You can create the enrollment package in the Recon app.

If I happen to be imaging a Mac, I just have that enrollment package as part of the imaging process. I'm still using Deploy Studio to image my Macs at the moment so I have to include the enrollment package as part of the imaging sequence, after it gets imaged and named.

Look
Valued Contributor III

@el2493
Ah yes I think it's 9.100 plus.

boberito
Valued Contributor

Bringing this back from the dead slightly...this solved the problem when say the logic board is replaced, it won't re-run all the enrollment policies.

jamf enroll -prompt -nopolicy

steve_summers
Contributor II

I use jamf reenroll -prompt. When prompted (at the Terminal) for JSS Username, I enter my user ID, then my password and just hit enter twice on the SSH Username and password. Goes right through. If I'm performing these steps AT the user's machine, I do a good ol' sudo jamf recon and make it check in.

stevewood
Honored Contributor II

You could also create an enrollment invitation that never expires, then copy and paste the ID. That's easier than the -prompt method.

So: jamf enroll -invitation <invite ID> -nopolicy