Hello @OF-Jamf, here at our college the name is everything for us. Our entire workflow is now based on the name we provide to our computers.
In our case, an example of our name would be MB2277-12345MS-Design.
The MB2277 means Main building in the B section. The room is 2277.
The asset tag we assign to the device is 12345.
Next, we use MS to identify this device as a student Mac. The AD admins run scripts against the devices in AD, and anything after the M they don't look at in their scripts, so we use: MS - Student Mac, ME - Employee Mac, MI - Instructor Mac. The instructor Mac is a presentation station in a classroom or lab.
Finally, the word Design. This designates the Graphic Design deployments of apps, policies and configuration profiles. We have many more like Library, Photo, Chemistry, Physics and more.
With all of this in the name, I can now create smart groups to determine which computers need which policies and profiles.
Hopefully @OF-Jamf this will spark some new ideas for you.
@mconners Thank you so much for your detailed answers : )
But here is my question. If I decommission our existing old Macs and buy new ones in the future, which have DEP enabled, how can you bind them through a script or Jamf Pro? I am wondering how we can do this DEP process nicely in this situation.
Hello @OF-Jamf, we use DEP here as well. Once the Mac is brought into Jamf, it usually has a very generic name like MacBook or iMac. We have a smart group look for any computer with a name like those. We exclude this smart group from all of our policies and profiles, meaning they won't get bound to AD or receive any settings until named.
We then have a policy for binding to AD. This policy runs on check in, which in our case is every 30 minutes.
The other missing piece I should have mentioned earlier: we take the asset tag field and enter in the correct name. Yes, we do this for all of our new Macs, which we have to touch. I haven't found an easy way to get these names populated and even have a feature request asking for a change or addition to naming for DEP.
Anyhow, we have a script that runs immediately when the name is changed. It will pull the name from the asset tag field and move it to the computer name field. This is done as step 1 of our workflow (literally, the policy is named 01 Rename Computer); the third step is to bind to AD with the computer name field. This binding policy has an exclusion for any misnamed Macs, via the smart group mentioned earlier, so we don't accidentally bind using the incorrect name.
So in summary, we find the serial number of the new Macs, locate the computer in the JSS, enter in the correct name and save it. The policies will begin to run as soon as the Mac checks in.
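As an added illustration of the naming convention and the rename-then-bind workflow described in the two posts above (this is example code, not @mconners' script or anything from Jamf), the shell script below validates a name such as MB2277-12345MS-Design, splits it into its fields for use in smart-group style decisions, and only applies a conforming name to the Mac. The field widths (two-letter location, four-digit room, five-digit asset tag), the M[SEI] role codes, and the use of Jamf policy parameter 4 to deliver the name are assumptions based on the one example given.

```shell
#!/bin/sh
# Added example (not from the thread): parse, validate and apply a computer
# name that follows the convention MB2277-12345MS-Design.
# Assumed layout: <building><section><room>-<asset tag>M<role>-<deployment>
# with a 4-digit room, a 5-digit asset tag and role codes S, E or I.

# validate_name NAME -> exit 0 if NAME follows the convention, 1 otherwise.
# Generic DEP names such as "MacBook" or "iMac" fail, which is the same gate
# the smart-group exclusion enforces before any AD bind policy runs.
validate_name() {
    case "$1" in
        [A-Z][A-Z][0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9][0-9]M[SEI]-[A-Za-z]*) return 0 ;;
        *) return 1 ;;
    esac
}

# name_field NAME FIELD -> prints one field of NAME:
#   building | section | room | asset | role | deployment
name_field() {
    validate_name "$1" || return 1
    loc="${1%%-*}"              # MB2277
    rest="${1#*-}"              # 12345MS-Design
    tagrole="${rest%%-*}"       # 12345MS
    case "$2" in
        building)   printf '%.1s\n' "$loc" ;;
        section)    printf '%.1s\n' "${loc#?}" ;;
        room)       printf '%s\n' "${loc#??}" ;;
        asset)      printf '%s\n' "${tagrole%M[SEI]}" ;;
        role)       case "${tagrole#*M}" in
                        S) echo Student ;;
                        E) echo Employee ;;
                        I) echo Instructor ;;
                    esac ;;
        deployment) printf '%s\n' "${rest#*-}" ;;
        *) return 1 ;;
    esac
}

# apply_name NAME -> sets ComputerName, LocalHostName and HostName via scutil.
# Refuses a non-conforming name so a mis-named Mac never reaches the bind step.
apply_name() {
    if ! validate_name "$1"; then
        echo "refusing to apply non-conforming name: $1" >&2
        return 1
    fi
    if [ "$(uname)" = Darwin ] && command -v scutil >/dev/null 2>&1; then
        scutil --set ComputerName "$1"
        scutil --set LocalHostName "$1"
        scutil --set HostName "$1"
    else
        echo "would set ComputerName/LocalHostName/HostName to $1 (not macOS)"
    fi
}

# Jamf fills $1-$3 itself and hands the first policy parameter in $4
# (assumed to carry the name copied from the asset tag field).
# Run by hand as: sh rename.sh --apply MB2277-12345MS-Design
if [ "${1:-}" = "--apply" ]; then
    apply_name "$2"
elif [ -n "${4:-}" ]; then
    apply_name "$4"
fi
```

After a successful apply, the inventory record still has to be refreshed (a `jamf recon` in the same policy, or the policy's own inventory update) before a smart group keyed on the computer name will pick the Mac up and let the later bind policy run.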
If you can make them work in your environment anything is better than binding...
EC from Apple
Local passwords enforced by MDM/config profiles or scripts...
Local passwords are worth effort...
IMO it's not a question of why not, but why would you not follow one of the largest modern Apple install bases, IBM? Apple won't say it publicly, but local password config profiles are their recommendation. I think they even moved AD binding to the last option in their public support docs.
AD password issues were about 20% of our Helpdesk tickets.
PS: My favorite argument I used when my org was pushing back was: it's how we manage iPhones, so why manage macOS differently?