In my presentation, I shared the experience of taking over an existing Jamf environment. Although I played a significant role in its initial setup and maintenance, others had also contributed over the years. There was even an 18-month period during which I was entirely disconnected from the system.
Coming back to it, I faced a mix of challenges: some areas I was confident in, others I knew required further investigation, and—perhaps most concerning—there were aspects I hadn't even realized needed attention. This "unknown unknowns" scenario often proved to be the trickiest part of the takeover.
Stream Here (with your JNUC credentials)
The Shoulders of Giants
The key to getting out of the hole I had fallen into was leveraging the hard work of others in the Mac and Jamf community, including, but not limited to:
Erase-install by Graham Pugh (grahampugh)
macdvmtool by Hector Martin (marcan)
Mist by Nindi Gill (ninxsoft)
super by Kevin White (macjutsu)
Prune by Leslie Helou (BIG-RAT)
Additionally, Richard Purves (aka 'Franton' on MacAdmins Slack) spoke on the same idea from a different viewpoint. He provided two additional resources for my collection I wanted to share:
KMART - Kick Ass Mac Admin Reporting Tool by ninxsoft
Suspicious Package by JamiesWhiteShirt
My Scripts
Generally I advocate for using "proven technologies" like those above to solve problems. Having said that, my hubris often gets in the way.
So to inspect the policies I had in place in a single view, I created a shell script called "Policy Map".
It should go without saying that I am providing this script "as-is" with no guarantees it will keep working.
To use it, you can choose to hardcode the values in the "CONFIG" array towards the top. But it was designed to be used with command line arguments, like this:
./Policy\ Map.sh --jamfurl 'https://YOURINSTANCE.jamfcloud.com' --jamfuser=APIUSER --jamfpass='PASSWORD'
DFU Refresh Workflow
For refreshing all the Apple Silicon machines, I found it significantly faster and hands-free to use DFU mode and Apple Configurator command line tools (cfgutil) over "Erase all Contents and Settings" or Recovery Mode.
The following are the resources I found to learn how to leverage this process:
The Mac Rack Project
Starting on day one I sought to identify the computers that were out there but not in use. As I located all the test machines, ones returned from former employees, and computers that had been forsaken when the team member received an upgrade, I needed a way to keep track of them physically and within Jamf.
And the Mac Rack was born!
We had a 3D printer and had tinkered with aluminum extrusion for re-mounting WiFi access points, so I decided to put those tools and experience to use.
Hardware
The physical build is pretty straightforward. There are two 1-meter lengths (though any length would work) of v-slot 20x20 linear rail as the frame. The 3D printed dividers are held in place (or at least every few of them) with M5 T-nuts and screws.
Linear Rail and Connectors
20x20 V-Slot Rail (Open Builds Parts Store)
T-Nuts - 150pcs (Amazon)
M5 Screws - 100pcs (Amazon)
3D Printed Files
Software
Early iterations used a couple of Extension Attributes within Jamf. But I soon found a need to be able to quickly check a machine in/out when I was sitting in front of it, and I didn't want to create yet another API script and policy to do so.
Jamf
But then I remembered that the recon verb of the Jamf binary included a number of fields from the User and Location section that I could use. So an easy way to check a machine in became:
sudo jamf recon -room 'Mac Rack' -position 'XX'
Where 'XX' was the slot in the rack. And when an employee signed into the machine for the first time, Jamf Connect would pull their information from Google and override those fields, effectively checking the machine out. But if I (or someone else on the team) needed to pull a machine for testing, they could log in with the backdoor admin account and run:
sudo jamf recon -room 'Testing' -position '[REASON]'
Side Note: For whatever reason, entering 'false' (0, empty, or space) values (e.g. -room '0') results in the input being tossed and the previous values retained.
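An added example, not part of the original write-up or of any Jamf tooling: a small shell wrapper around the two recon commands above that refuses the values the side note describes as silently dropped, so a check-in never appears to succeed while the record keeps its old room and position. The function names and the RACK_APPLY switch are hypothetical, and treating a whitespace-padded '0' like a bare '0' is an assumption.

```shell
#!/bin/bash
# Added example (not from the original post): guard the check-in/check-out
# recon commands against values that jamf recon is described as discarding.

# Return 0 if a field value is usable, 1 if it is one of the "false" values
# from the side note: 0, empty, or only whitespace.
# Assumption: a whitespace-padded "0" is treated the same as a bare "0".
rack_value_ok() {
    local stripped
    # Whitespace is stripped only for this test; the caller's value is unchanged.
    stripped="$(printf '%s' "$1" | tr -d '[:space:]')"
    [ -n "$stripped" ] && [ "$stripped" != "0" ]
}

# rack_recon ROOM POSITION
# Validates both fields, then prints the recon command for review.
# With RACK_APPLY=1 (hypothetical switch of this example) it runs it instead.
# Returns 2 without touching the inventory record if a field would be dropped.
rack_recon() {
    local room="$1"
    local position="$2"
    if ! rack_value_ok "$room" || ! rack_value_ok "$position"; then
        echo "refusing: room='$room' position='$position' would be discarded" >&2
        return 2
    fi
    if [ "${RACK_APPLY:-0}" = "1" ]; then
        sudo jamf recon -room "$room" -position "$position"
    else
        printf "sudo jamf recon -room '%s' -position '%s'\n" "$room" "$position"
    fi
}

# Constructed sample calls (dry run): a check-in to slot 12, then a rejected one.
rack_recon 'Mac Rack' '12'
rack_recon 'Testing' '0' || echo "check-out rejected, record left as it was"
```

Checking the non-zero return code in a calling script keeps a rejected value from being logged as a completed check-in.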
Shortcuts
I created a series of Shortcuts to check machines in and out and to view what was there. There is also one that takes either the JamfID or Serial Number of a computer and pulls information about the computer to create a label to attach to the machine. Rather than duplicate the variables and token-fetching action between them, each runs one shortcut ("Config") that handles the overhead.
I've added some comments for readability and removed all the hardcoded values for security's sake, but otherwise these are just as raw as they were back then. They should be considered as a starting point or for reference purposes only.
Please note: all files are hosted on the GitHub repo along with a copy of this write-up
Config - Open this first and fill in your details. This is used by all the others.
Show Mac Rack - Displays a web view of all the items in the Mac Rack. Click on column header to sort by that field.
Check In - Asks for a JamfID and removes the computer from the Mac Rack.
Check Out - Asks for a JamfID and a slot number and adds the computer to the Mac Rack in that space.
Get Computer Record for Label - Designed to be used by aiming an iPhone camera at the serial number of a computer and using LiveText to share the serial to this Shortcut. Absent that shared input it asks for a serial number or JamfID. It then looks up the computer and creates a block of text with the following information and puts it in the clipboard:
ID: 19
Serial Number:F2775742JR
Model: MacBook Air (M2, 2022)
Processor Type: Apple M2
OS Version: 14.2.0
This could then be sent to a thermal label/receipt printer to attach to the computer for easy reference as seen in the last image above.