Wipe and Re-Enroll into Jamf

fviola
New Contributor II

My company provided me a couple of Apple Mac Laptop(s) for testing purpose. I am 99% sure they are all enrolled in DEP.

I would like to:

(1) completely wipe these Apple Mac laptop(s)
(2) re-install the Apple macOS Operatying System
(3) re-enroll them in Jamf using the PreStage Enrollments.

Before I completely wipe them, should I do anything with my Jamf Pro Admin Server?

Example, should I clear any logs file or any records inventory for these Apple Mac Laptop(s) before I wipe them?

I just want to be sure to do the correct process (best practice ) and avoid any complications such as duplicate records inventory etc.

Side Note: (I am not sure if this is relevant to you) I found a section on my Jamf Pro Admin Server under Settings > Global Management > Re-enrollment and all the options are NOT SELECTED and under the option CLEAR MANAGEMENT HISTORY ON MOBILE DEVICES AND COMPUTERS is set to Clear pending and failed commands.

Thank you in advance for your help and have a nice day.

1 ACCEPTED SOLUTION

mm2270
Legendary Contributor II

Since it looks like no-one has answered your question yet, I'll take a shot at it.

First off, you should enable all or most of the options you referenced in the Re-enrollment section of your Jamf Pro server. Without those enabled, when a device gets wiped/reinstalled and re-enrolled, some of your policies may not re-run on the device. This is dependent on how the Jamf policy/policies are set up of course. For example, any policies using a "Once per computer" frequency, no matter how anything else in the policy is set up, will NOT run again on the device if it ran previously, unless you enable the option to clear all policy logs (or you manually clear them beforehand) If OTOH, a policy is set to use a Smart Group looking for the absence of something (like an application) and the policy is set to Ongoing, then it should run again after being wiped, since the device will by default land in the Smart Group scoped to the policy.

Personally, I think its best to set all those options to clear on re-enrollment. But keep in mind there is a pitfall to that approach as well. If you manually re-enroll a device, like thru the User Initiated Enrollment page, those policies will end up running again on the Mac, even if it hasn't been wiped. So they could cause some issues. These problems can be avoided with the proper Smart Groups set up for them, but it's extra up front work, so just some things to keep in mind.

As for other things to look at, I would double check that all or any Macs you are looking at wiping and resetting up are scoped to a Prestage Enrollment of your choosing. Without them being assigned to a Prestage, they won't get picked up after enrollment for getting various profiles and other options applied to them. I'd say one of the most common issues I've seen people have where devices don't get enrolled or don't get the settings they expect, is because they forgot to scope them to a Prestage Enrollment. But it sounds like you're already aware of and on top of that piece.

In my experience, it's usually not necessary to delete the computer record from Jamf before wiping/re-enrolling. I've seen some people here swear by that process, but I've never run into an issue where I needed to do that. Usually making sure those Re-enrollment settings are all enabled and having properly scoped profiles and policies in place, re-enrollment (thru DEP) works just fine. YMMV of course.

Lastly, are you up to speed on the easiest method for wiping and reinstalling the OS on these Macs? It's a pretty simple process when using the Install macOS <name>.app from the App Store and typically a one line shell command. Post back if you need pointers to the discussions that cover this process. It should be easy to actually find it in searches though.

View solution in original post

1 REPLY 1

mm2270
Legendary Contributor II

Since it looks like no-one has answered your question yet, I'll take a shot at it.

First off, you should enable all or most of the options you referenced in the Re-enrollment section of your Jamf Pro server. Without those enabled, when a device gets wiped/reinstalled and re-enrolled, some of your policies may not re-run on the device. This is dependent on how the Jamf policy/policies are set up of course. For example, any policies using a "Once per computer" frequency, no matter how anything else in the policy is set up, will NOT run again on the device if it ran previously, unless you enable the option to clear all policy logs (or you manually clear them beforehand) If OTOH, a policy is set to use a Smart Group looking for the absence of something (like an application) and the policy is set to Ongoing, then it should run again after being wiped, since the device will by default land in the Smart Group scoped to the policy.

Personally, I think its best to set all those options to clear on re-enrollment. But keep in mind there is a pitfall to that approach as well. If you manually re-enroll a device, like thru the User Initiated Enrollment page, those policies will end up running again on the Mac, even if it hasn't been wiped. So they could cause some issues. These problems can be avoided with the proper Smart Groups set up for them, but it's extra up front work, so just some things to keep in mind.

As for other things to look at, I would double check that all or any Macs you are looking at wiping and resetting up are scoped to a Prestage Enrollment of your choosing. Without them being assigned to a Prestage, they won't get picked up after enrollment for getting various profiles and other options applied to them. I'd say one of the most common issues I've seen people have where devices don't get enrolled or don't get the settings they expect, is because they forgot to scope them to a Prestage Enrollment. But it sounds like you're already aware of and on top of that piece.

In my experience, it's usually not necessary to delete the computer record from Jamf before wiping/re-enrolling. I've seen some people here swear by that process, but I've never run into an issue where I needed to do that. Usually making sure those Re-enrollment settings are all enabled and having properly scoped profiles and policies in place, re-enrollment (thru DEP) works just fine. YMMV of course.

Lastly, are you up to speed on the easiest method for wiping and reinstalling the OS on these Macs? It's a pretty simple process when using the Install macOS <name>.app from the App Store and typically a one line shell command. Post back if you need pointers to the discussions that cover this process. It should be easy to actually find it in searches though.

View solution in original post