Help

Smart Group to search for non-DEP enrolled devices both 10.12 and 10.13+

jbellez
New Contributor III

Posted on ‎11-07-2018 07:03 PM

Hello, I'm trying to figure out what criteria to search for to determine which computers were enrolled via DEP and those who register via self-enrollment.

In 10.13, seems pretty straight forward, as there's flags set for this. However, what about the 10.12 computers? I can't seem to figure out a specific app or field to follow. I've tried a couple of the recommendations of what I've found by searching, but they don't appear to do what I want

The use case is this: I have certain policies and config profiles that auto-deploy if you enroll by DEP. This would constitute a "clean" image. However, I do not want certain policies to apply if they are self enrolled, as they may wipe out certain user preferences, or the applications may have already been installed by another method (imaging, etc.).

0 Kudos
8 REPLIES 8

a_simmons
Contributor II

Posted on ‎11-07-2018 07:42 PM

Try to make a smart with the following settings:
Criteria: Enrolled via DEP
Operator: is
Value: Yes

0 Kudos

jbellez
New Contributor III

Posted on ‎11-08-2018 11:08 AM

b63886aeceb64d80a10619950eea7f48

I think this only works if you are 10.13. It doesn't populate if you are 10.12.

All of my machines appeared in the list after using this only...

0 Kudos

jbellez
New Contributor III

Posted on ‎11-08-2018 01:21 PM

I think I may have figured it out.

I have smart groups detecting OS versions. It was just a matter of figuring out what gets set on a user enrolled computer vs not. Are there any other use cases for com.jamfsoftware.osxenrollment that get called for a DEP enrollment?

b4f5db60322746f381cc5ec3dbb6023f

0 Kudos

jbellez
New Contributor III

Posted on ‎11-08-2018 04:32 PM

Slight error in the screen shot. It should be does not have com.jamfsoftware.osxenrollment

0 Kudos

jbellez
New Contributor III

Posted on ‎11-08-2018 07:25 PM

doh, this only works up until the popup to allow Jamf to manage your computer appears and the user clicks yes.

Then the installer app deploys the necessary enrollment package and my check fails.

10.13 detection works fine.

any other ideas?

0 Kudos

timlarsen
Contributor

Posted on ‎03-12-2019 05:17 PM

@jbellez I'm trying to work up something very similar to you. Did you ever come up with a solution? I've tried working with "Enrollment Method: Assigned to prestage" is not/not like [my prestage name A] or [my prestage name B] but have not had any luck or get results that I know are incorrect.

Thanks!
Tim

0 Kudos

timlarsen
Contributor

Posted on ‎03-12-2019 05:31 PM

Well, here's an idea: if you are using prestage enrollment profiles, would that be enough to signify a Mac was enrolled via DEP? If you create a smart group of computers that ARE assigned to one more more prestages, then create another smart group of computers that ARE NOT a member of the former group, would that only leave your machines that were self enrolled? Or do you have other scenarios like imaged machines to take into account?

0 Kudos

jbellez
New Contributor III

Posted on ‎03-19-2019 11:57 AM

@timlarsen You can't use assigned to prestage, as a machine can be assigned to a prestage, but also be provisioned before DEP was enabled. Upon next reformat, it will use DEP to enroll, but that doesn't mean it was DEP enrolled to begin with. It may also be the case that the machine doesn't even have Jamf installed at this point, as the machine will just sit in the prestage waiting to check in and enroll itself.

Also, no, we never found a way to do what we wanted this way. We ended up scoping it differently.

0 Kudos