Wipe and Re-Enroll into Jamf (NOT DEP)

AlexSchajer
New Contributor

Can anyone share what the best practice is for remote wiping Macs that are NOT on pre-stage enrollment because they were not bought through Apple directly?

I fear that by wiping them you are removing Jamf from them as well, so when they are rebuilt they are 'off the grid', so to speak, so you can't re-install Jamf and associated policies/configs.

Thanks

6 REPLIES

sayr01
Contributor

Can I just ask why you want to wipe/reimage Macs? We have stopped doing this since Mojave.

AlexSchajer
New Contributor

This is what we do when someone leaves our organisation, especially when they are remote and unable to return the machine to us in a timely fashion.

What do you do when you have a leaver?

sayr01
Contributor

All our Macs are within our campus. We only need to delete the user account for staff if they leave the organisation.

We then simply create another account for the new user.

jcaleshire
New Contributor III

In my experience, if the Mac is not in automated enrollment, then erasing it should be the last thing you would want to do. By erasing it entirely, you are effectively breaking the link between that Mac and Jamf. Without automated enrollment, the Mac has no way to automatically reconnect with your Jamf instance when it is set back up.

Were I in this situation, I would look at remote locking the Mac instead of erasing it. This would allow you to secure the data on the Mac while also preventing further use, all while maintaining MDM authority over it. Once it returns to your central location, you can unlock it and restore it from there.

dlondon
Valued Contributor

I don't get the rebuilt part of your question. Once you wipe for removal, why would you install Jamf and other software? Surely if you are gifting or selling the machine you aren't giving them software as well. I suppose you could install the unlicensed Office 365.

I would have someone wipe it and install the latest OS and be done with it. You can remove the machine then from Jamf to save a license. The user can then have pretty much a clean machine (minus Numbers, Pages and Keynote).

jcaleshire
New Contributor III

Security reasons. Let's say a user leaves a company without returning an asset; you want to be able to both destroy the data remotely and also maintain control over the asset itself after the data has been purged. In most situations, this is where DEP would be the ideal solution, since it would allow you to erase the machine remotely and still have it bound to your organization.