It often happens that users with administrator access on their macOS systems remove the MDM profile, which causes all other profiles to be removed from the system as well.
If you have worked with Profile Manager as well, the JAMF MDM profile is the same as the Profile Manager enrollment profile. Once it is pushed to the macOS system, all other policies that are available for your system will be pushed.
Now you know why the MDM profile is necessary. So we have to find a way to either restrict its removal or create an ongoing policy that checks for the MDM profile every time and enrolls the Mac again if it is missing.
a. Log in to JAMF Pro.
b. Go to Computer Management > Scripts.
c. Add a new script and copy in the content of the script which I have attached below.
#!/bin/sh
# Enroll this Mac with the MDM server (installs the MDM profile)
jamf mdm
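A variant of the script above that first checks the enrollment state and runs `jamf mdm` only when the MDM enrollment is missing. This is an added example, not the author's script; it assumes `profiles status -type enrollment` is available (macOS 10.13.4 and later) and that the jamf binary is at /usr/local/bin/jamf, and the sample outputs in it are constructed.

```shell
#!/bin/sh
# Added example: enroll again only when the MDM enrollment is missing.

# mdm_enrolled STATUS_TEXT
# Succeeds if the given `profiles status -type enrollment` output
# reports an active MDM enrollment.
mdm_enrolled() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*MDM enrollment:[[:space:]]*Yes'
}

# decide STATUS_TEXT
# Prints "ok" when enrolled, "reenroll" otherwise. Empty or unparsable
# output counts as missing, so a failed check errs towards enrolling again.
decide() {
    if mdm_enrolled "$1"; then
        echo ok
    else
        echo reenroll
    fi
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_ENROLLED='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'
SAMPLE_MISSING='Enrolled via DEP: No
MDM enrollment: No'

main() {
    enroll_status=$(/usr/bin/profiles status -type enrollment 2>/dev/null)
    if [ "$(decide "$enroll_status")" = "reenroll" ]; then
        # Leave a trace in the system log so removals can be counted later.
        logger -t mdm-check "MDM enrollment missing; running jamf mdm"
        /usr/local/bin/jamf mdm
    fi
}

# Run the check only on a Mac that has both tools installed.
if [ -x /usr/bin/profiles ] && [ -x /usr/local/bin/jamf ]; then
    main
fi
```

The `logger` line gives you a record of how often the profile had to be restored, which helps identify machines where it is being removed repeatedly.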
Step 2: Create a policy that runs at "Recurring Check-In" on an ongoing basis and is also available in Self Service.
a. Click on "Computers".
b. Click on "Policies" in the left pane, then click on "New" to create a new policy.
c. Under the Options tab, in the General tab, enter a name for the policy, such as "Deploy Configuration Policies". In Category, select the category in which you want to publish it. In Trigger, select "Recurring Check-In". In Execution Frequency, select "On-Going".
d. Click on the Script tab in the left pane of the Options tab and click "Configure". Select the script which you want to execute.
e. In the Scope tab, set the scope to "All Computers" and "All Users".
f. In the Self-Service tab, check "Make the policy available in Self-Service". Configure it as per your requirements (tab name, icon, etc.).
g. Click Save.
It will appear like this in Self Service.
We have created a policy that checks for the MDM profile every time and pushes it again if it is not available. But we also have to prevent it from being removed. If you are not using DEP enrollments, you can disable the "Profiles" option under System Preferences. If you do use DEP, you cannot disable the "Profiles" option. In this case, you have to wait, like me, for a feature in upcoming releases of JAMF Pro, in which they could possibly come with "Authorized Remove" to remove the MDM profile after entering the security password.
Disable "Profiles" Under System Preferences.
Go to "Configuration Profiles" and click on "New".
Under the Options tab, navigate to "Restrictions".
Check "Restrict Items in System Preferences", select "Disable Selected Items", then choose "Profiles" to disable.
Define the scope and push it to all Macs.
Thank you for reading the blog.