Recently I had the great opportunity to ramble away with the good folks on the MacAdmins Podcast and we covered all things Adobe (surprise surprise)!
It was a fun experience and an enjoyable chance to catch up with MacAdmins from other areas of the world.
Thanks again to the team for having me on and not cutting me off early 😊
So this is part 2 of my mini series on using ReEnroller. Part 1 can be found here and covers the initial setup. This part will look to cover the process and some basic troubleshooting, as well as some post migration tasks.
So if you followed my guide from last time, you should hopefully have a working migration process. With the configuration I’ve talked through, the process that the ReEnroller will carry out is:
If you’re seeing issues with the migration, there are a few things you can check:
As mentioned above, these MDM Profile enrolments are via the Jamf binary and so will result in a non-UAMDM enrolment. I’d suggest documenting the process to accept the MDM profile and sharing this out with your end users. For this same reason, you shouldn’t block the Profiles System Preference Pane on migrated devices.
Jamf has an option to nag users to accept this, but they’ll need the user to launch Self Service, or to allow Self Service notifications (something you can’t force-on until the device is UAMDM’d)!
What about the next macOS, Big Sur? I heard a rumour that it may add further obstacles to command line profile installation, and these would break the ReEnroller workflow above. At this stage, I can only suggest testing with Big Sur and filing feedback with Apple / Jamf / the ReEnroller project.
That should complete the ReEnroller mini-series! Hopefully it’ll help guide you through the process to a working solution, or a base to make your own tweaks and changes.
As always, if you have any questions, queries or comments, let me know below (or @daz_wallace on Mac Admins Slack) and I’ll try to respond to and delve into as many as I can.
So over the last few weeks I’ve seen a few questions pop up around the usage of the Jamf ReEnroller solution, and using it to migrate macOS devices from one Jamf Pro instance to another. It just so happens I’ve had to do this for a few customers to onboard them into datajar.mobi, so I thought I’d share what I’ve learnt!
I’m planning on a two post mini-series with this part 1 covering some background information as well as suggested setup details. Part 2 will look to cover the process and some troubleshooting tips.
ReEnroller is a tool created by the folks at Jamf. It produces an installer package that deploys an application and settings to migrate a macOS device from one Jamf Pro system to a second one. Ideal if moving providers or changing the Jamf Management URL.
Using an API script, it can also remove an MDM Profile that is set to be “Unremovable” via a ADE (previously DEP) enrolment.
Don’t forget that the system you’re using to migrate is also running the migration, so this can be fragile. Also Apple doesn’t provide a supported way to migrate MDM solutions other than a full wipe and redeploy. It is fairly likely you’ll have a few devices (maybe more) which fail to migrate at all and will need a manual intervention, possibly even including a wipe to bring them back into service.
Also this won’t provide a User Approved MDM (UAMDM) enrolment, so your users will need to manually hit that “Approve” button post-migration. As a result, you’ll want to not block access to the “Profiles” System Preference Pane.
Lastly, in my experience, you need to have the destination Jamf Pro instance running the same or newer Jamf Pro version to minimise the risk of failed migrations.
Oh and depending how things end up, this process might not work on macOS Big Sur. More on this in part 2.
Jamf have some documentation on the use of ReEnroller on the GitHub README file, but this doesn’t provide detailed implementation instructions. It does mention this line: Be sure to view the help for detailed usage instructions.
To view the implementation instructions, grab a copy of the application from the releases page, launch it and click the “?” next to the “Build” button. This will provide some detailed documentation on usage and implementation of ReEnroller.
Oh and also this blog series might help 😉
For this walkthrough, I’ll be using the term “source” to mean the current or old Jamf Pro instance the device is currently enrolled in, and “destination” to mean the new Jamf Pro instance.
So in order to setup the Jamf ReEnroller we’ll need to:
Lets walk through each step in more detail
So first things first, we need to create an API enrolment account on the destination Jamf Pro instance. This will be used by the App to create an invitation enrolment and perform the enrolment.
If you’ve enrolled macOS devices into your source server with DEP and a non-removable MDM Profile (option shown below), you’ll need to setup an account on the source Jamf Pro instance in order to remove the profile.
Again, if you need to use the API to remove the MDM profile to migrate devices, we’ll need to add a script to the source Jamf Pro instance.
apiMDM_remove. 
Again-again, if you need to use the API to remove the MDM profile to migrate devices, we’ll need to add a policy to the source Jamf Pro instance.
apiMDM_remove. apiMDM_remove)ReEnrollerAPIMDMRemoval)
We now need to create a ‘completed’ policy in the destination Jamf Pro server. The ReEnroller workflow will trigger this policy to confirm the migration has been successful.
jpsmigrationcheck.touch /Library/Application\ Support/JAMF/ReEnroller/Complete
Now we have some decisions to make. We need to use the ReEnroller Application to generate a package that will do the actual work. Below I’ll cover each option and offer my opinion on what to use. Feel free to experiment as long as you do plenty of testing afterwards!
First things first, download the latest copy of ReEnroller from the GitHub releases. Once obtained, launch the application.
Lets go through each box and option:
ReEnrollerAPIEnrolment)
Almost there! We now need to create a policy on the source Jamf Pro instance to run the ReEnroller package. This will be a fair bit of personal choice but generally speaking I’d suggest:
And lastly, test. Test, test, test and test some more. Then test again for good luck. the process can be fragile in the best of cases but you can at least test it enough to be confident of the best possible outcome.
Phew that was a long one. In part 2 I’ll look to cover the process, and any troubleshooting advise I can provide.
As always, if you have any questions, queries or comments, let me know below (or @daz_wallace on Mac Admins Slack) and I’ll try to respond to and delve into as many as I can.
Indeed it’s another Adobe post! How to remove Adobe software is a question that often comes up in the #adobe channel and, as with most things, there’s a number of ways to achieve this.
The simplest method, but the one with the most collateral damage. Simple erase and reinstall the macOS onto the device to remove the Adobe software.
This can be done through the GUI, the command line, or external installation media. I’m planning to cover these options in a little more detail soon over on the dataJAR blog.
If you’ve ever created an Adobe deployment package within the Creative Cloud Packager (CCP) or the admin console (https://adminconsole.adobe.com/) your finished project will contain two packages:
You can upload this uninstaller package into your Mac software deployment tool of choice (Munki has an ‘uninstallpkg‘ flag to pass when uploading both packages) and “install” this to remove the corresponding software. Now it’s not as precise and will remove any matches for the major version (e.g. any “Animate 2020” uninstaller will remove any version of “Animate 2020” but won’t remove “Animate CC 2019”).
More information: Adobe | Uninstall Creative Cloud products
If you still have access to the older Creative Cloud Packager (CCP), it’s possible to generate an “uninstall all the things” package. I’ve detailed this in a previous post here – Using Adobe Creative Cloud Packager to create an uninstaller in preparation for Adobe Creative Cloud 2019 Shared Device License deployment.
Note: CCP wasn’t designed to be used on macOS Catalina (10.15) or newer and has had some reliance on 32-bit processes. This will probably also be the case for the uninstaller packages it generates. This may limit the usefulness to you.
More information: Adobe | Uninstall Creative Cloud products (different to the above article!)
Lastly, there is indeed the command line option. All “Hyper Drive” Adobe installers (which is almost all, if not all of them for the last few years) will also deploy the means to run a command line uninstall of the software.
The syntax for this on Mac is as follows (that’s all on one line):
"/Library/Application Support/Adobe/Adobe Desktop Common/HDBox/Setup" --uninstall=1 --sapCode=PHSP --baseVersion=17.0 --platform=osx10-64 --deleteUserPreferences=true
This is broken down into the below:
"/Library/Application Support/Adobe/Adobe Desktop Common/HDBox/Setup"--uninstall=1--sapCode=PHSP--baseVersion=17.0--platform=osx10-64--deleteUserPreferences=truefalse‘ unless you have a specific reason to remove those settings--removeAll=All--eulaAccepted=1As you can imagine, this command will need to be ran as root, however your software deployment / script running solution can achieve this. This will also probably need some trial and error to properly get right so ensure to always test!
More information: Adobe | Deploy packages
Note: This section has been removed from the non-localised version of the page above (link here) and may be deprecated. I’m awaiting clarification on this.
Adobe provide a cleaner tool that can remove installations back to CS3. It has both a GUI application and a command line binary, but the binary will require you to create your own XML file to feed into it.
More information: Adobe | Use the Creative Cloud Cleaner Tool to solve installation issues
That’s it, 5 different(-ish) ways to remove Adobe software should you need to. Thanks to Foigus on the MacAdmin Slack for at least half of these suggestions!
As always, if you have any questions, queries or comments, let me know below (or @daz_wallace on Mac Admins Slack) and I’ll try to respond to and delve into as many as I can.
It’s another Adobe Blog! One thing I covered in my recent talk at PSU’s MacAdmins Campfire Sessions (Link: What’s new with Adobe 2020 in Education – Content) was what happens when you deploy Adobe SDL 2020 over the top of older Creative Cloud deployments. I’ve decided to use this post to expand upon this further.
Licensing aside, Adobe normally has allowed (and worked ok) with mixes of versions of the same software installed at the same time. I’ve often seen Macs running multiple copies of Photoshop, InDesign or Illustrator from various suite versions together.
The main reasons for this tend to revolve around compatibility:
Whatever the reason, it is indeed possible to deploy SDL packages over the top of older packages and still be able to use them.
This scenario should work fine with no changes to the behaviour on devices. The newer 2020 applications will be deployed as SDL, and with the CC 2019 applications already being SDL, you shouldn’t see any changes.
This scenario should also work fine, with no changes to the behaviour on devices. The newer 2020 applications will be deployed as SDL, and as the CC 2018 or older applications don’t understand SDL, they’ll continue to use NULs whilst they are valid.
Note: macOS Catalina requires Adobe CC 2019 or newer to be fully supported so this may rule out your use of this scenario!
This scenario should also work fine, with no changes to the behaviour on devices. The newer 2020 applications will be deployed as SDL, and as the CC 2018 or older applications don’t understand SDL, they’ll continue to use SNLs, whilst they are valid.
Note: There have been some reports where the SDL deployment somehow removes the SNL. If you hit this, feel free to raise a ticket with Adobe.
Source: https://helpx.adobe.com/uk/enterprise/using/sdl-deployment-guide.html
So this scenario should work fine, however in most cases you’ll be migrating from DL to SDL. 30-days after you click the “Migrate” button, those DLs will deactivate and stop working. To be honest, I don’t see the value in this and I wouldn’t recommend it.
Source: https://helpx.adobe.com/uk/enterprise/using/sdl-faq.html
Another Adobe post and another Adobe Licensing post! Hopefully this will prove useful to someone 😊
As always, if you have any questions, queries or comments, let me know below (or @daz_wallace on Mac Admins Slack) and I’ll try to respond to and delve into as many as I can.
Hey folks, this question came up a while ago in the MacAdmins #adobe Slack channel, and recently reappeared so I thought I’d document it!
In some cases you may need to convert an already deployed Mac away from Adobe’s Shared Device Licensing (SDL) and change it to unlicensed or Named User Licensing (NUL). This is indeed possible but there are a few hoops to jump through.
Well, yes and no.
It is indeed possible to deactivate an SDL using either the portal or the Adobe Licensing Toolkit (Deactivating Adobe Shared Device Licenses). However, as soon as an Adobe ID is used to log into the Adobe Apps, the SDL is re-activated.
“However, as soon as a users sign into Adobes app on each of these machines, the machines are immediately licensed again.” – Source
So before you go ahead with the second part, I’d still strongly recommend you deactivate the license either via the Admin Console or using the Adobe Licensing Toolkit. If not, you may be stuck with a ‘used’ SDL in your portal that it won’t be easy to flush out.
So the next step came from an older discussion in the #adobe channel
This directory lives at /Library/Application Support/Adobe/OperatingConfigs
Once you’ve de-activated the license, removing this directory and restart the Mac. This can either be manually, or via a script.
The next time you launch an Adobe App, you’ll be asked to login with an Adobe ID account with a license, or to start an Adobe trial! Removing this directory actually permanently removes the SDL from this Mac.
Another Adobe post 😉 I hope it makes things a little easier for someone out there!
As always, if you have any questions, queries or comments, let me know below (or @daz_wallace on Mac Admins Slack) and I’ll try to respond to and delve into as many as I can.
Hey folks, this post documents the two methods to deactivate Adobe Shared Device Licenses (SDL).
Some of you may be lucky enough to have unlimited SDLs to deploy out (I believe it’s those with ETLA agreements), but that does leave others who have to keep track of where they are in use.
Log into the Adobe Console at https://adminconsole.adobe.com with one of the your deployment administration accounts. On the main overview page, lookout for an item called “Creative Cloud All Apps for XXXX – Shared Device” (e.g. “Creative Cloud All Apps for K-12 – Shared Device”). This will then show you how many licenses you have, and how many have been deployed and activated. In the example below, we have 350 licenses paid for, and 24 used.
If you’re one of the luck ones with unlimited licenses, you’ll see your used license count on the left, and “1” on the right, as shown below
This one has a few more steps, log into the Adobe Console at https://adminconsole.adobe.com with one of the your deployment administration accounts. Navigate to “Products” in the top menubar, then select your SDL in the left hand side. Once here, click on the profile you are using (most folks will just be using one single profile).
Almost there! Once viewing the profile, click the ellipsis (“…”) in the upper right corner, and select “Create Report”. This will create and download a CSV report.
This method is recommended if the activated devices have been wiped, or no longer bootable. It’s also useful if you’re feeling lazy, but this will deactivate licenses for all devices under that profile.
First navigate to the same area you produced your report above. In the same ellipsis menu, you’ll see an option to “Recover Licenses”. Click this and confirm.
This will deactivate the license for any devices under this profile, which could be all of your devices. There is a possibility that this can cause issues if you have rendering jobs in progress, or users logged in and using the Adobe Apps, so please ensure to minimise this risk. Maybe only run this out of hours?
For devices that are in use, they will automatically re-activate the next time a user logs in with an Adobe ID:
“However, as soon as a users sign into Adobes app on each of these machines, the machines are immediately licensed again.” – Source
If the device/s in question are still operational, you can deactivate the SDL on the device by using the Adobe Licensing Toolkit. More details on using this tool can be found here, but we’ll summarise the steps below:
--deactivate with admin rightse.g. sudo ./adobe-licensing-toolkit --deactivate
Again, if someone logs in with an Adobe ID on that device after running the deactivate command, the device will automatically reactivate its SDL:
“However, as soon as a users sign into Adobes app on each of these machines, the machines are immediately licensed again.” – Source
I’ll discuss how to permanently remove the SDL from a device in a future post!
Another Adobe post 😉 I hope it makes things a little easier for someone out there!
As always, if you have any questions, queries or comments, let me know below (or @daz_wallace on Mac Admins Slack) and I’ll try to respond to and delve into as many as I can.
Hi folks,
The amazing team at PSU have been working hard releasing session videos within days of them being delivered. You can find the entire playlist on YouTube here.
Once again I delivered another Adobe talk! You can find a direct link to the video here, as well as an updated resources post here.
Again, I’d like to take the time to thank the great crew at PSU who made (and continue to make) a remotely delivered awesome conference a success. Fingers crossed that I’ll be able to make next years one!
And if you’re around for the next two Thursdays from 6PM BST, they’re still going. Details here.
Hi all,
If I time this right, this post should be going live about halfway through my talk at the PSU Campfire Sessions on Adobe 2020 and Shared Device Licenses in Education.
This talk is a update of my previous talk Adobe CC2019 in Education – PSU 2019
As promised, heres a list of URLs from the presentation, as well as some further reading suggestions:
Thanks again to everyone who could attend!
Last year I had the privilege of speaking at MacAdmins at PSU around Adobe 2019 and it’s use in education. You can find more on that here.
This year, I’m lucky enough to have another session, which I’ll be using to present on Adobe again, including some changes from 2019 to 2020.
With the current pandemic still affect most of the world, this year the folks at PSU elected to switch out the usual on-site deliver of the conference, in favour of a 2-session per week, remote delivery, over 9 weeks.
These are completely free and run 6PM to 8PM BST (local time for me). Ideal if you’re stuck at home after work! Once you’re signed up and registered for each session, you’ll be emailed joining links the day before each session. You can also join everyone on Slack in the #psumac channel.
As mentioned, sign up is free and can be done here.
As if my Adobe drum has been sitting ideal too long, I’ll be delivering an updated and refined version of the talk I gave last year, including any new things with 2020 from CC2019.
Over a year has passed since Adobe announced the new Shared Device Licenses. What’s changed? What hasn’t? How many bottles of [beverage] will you need to get you through it?
In this session we’ll look to cover the changes since that first release of CC 2019, SDL and now 2020. We’ll revisit the various deployment workflows and suggestions for taming this beast. Based on experiences from the front line and real world examples.
My talk will be on Thursday 16th July at 6:00PM BST (UK) time, and you can register for it here.
The session is being recorded and I’ll add links to that and resources as soon as they’re available.
I hope to see you there!
