My organization is working on moving to a DEP based workflow, but in the meantime we are getting computers that have 10.13.4 preinstalled on them. We use JAMF Imaging along with the Apple provided OS to put our software on the Mac and enroll it into our JAMF JSS. After the build process the user can log in, but in 10.13.4 they are shown unapproved kernel extension warnings because our MDM Profile is not yet approved. Once they approve the MDM Profile, our KEXT Whitelist still needs to be pushed again. I can manually do this from the JAMF console by choosing to edit the profile, then save it immediately. When prompted, I have it push to newly assigned clients only and it doesn’t bother the several hundred that already have it. I recently figured out how to prompt for this from the client end with the JAMF API.

Each JAMF configuration profile (osxconfigurationprofiles in API terms) has a redeploy_on_update key that can take a value of Newly Assigned. Using the API to PUT this value seems to trigger the same behaviour as the edit/save/assign to new devices process. So now from the client (or Self Service) I can trigger the KEXT profile repush as needed while still not touching all the devices that are already happy.

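The API call looks like this (here $jssURL is a placeholder for the base URL of the JSS and $id is the id of the profile):

curl -sku "$apiUser":"$apiPass" -H "Content-Type: application/xml" -d "<os_x_configuration_profile><general><redeploy_on_update>Newly Assigned</redeploy_on_update></general></os_x_configuration_profile>" "$jssURL/JSSResource/osxconfigurationprofiles/id/$id" -X PUT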

For the API user, I created a new local JSS account that has Update privileges for macOS Configuration Profiles (note the difference between the API and the GUI). See for some good ideas on passing the username/password/JSS name in a script.

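Lastly we need the id of the configuration profile we want to repush. This can be found in the URL of the profile in the web GUI or via the API (with $jssURL again standing in for the base URL of the JSS):

curl -sku "$apiUser":"$apiPass" "$jssURL/JSSResource/osxconfigurationprofiles" -X GET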
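A hardened wrapper around the PUT call above, as an added example that is not the author's script: it validates the profile id, keeps the API credentials out of the process list and leaves certificate verification on. The variables JSS_URL, API_USER and API_PASS and the function names are assumptions, and the password is assumed to contain no double quote or backslash.

```shell
#!/bin/sh
# Added example, not the author's script. JSS_URL, API_USER, API_PASS and the
# function names are assumptions. Assumes API_PASS has no '"' or '\' in it.

# Accept only a string of digits as the profile id, so nothing else can end up
# in the request path.
valid_profile_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# XML body from the post: sets redeploy_on_update to "Newly Assigned".
build_payload() {
    printf '%s' '<os_x_configuration_profile><general><redeploy_on_update>Newly Assigned</redeploy_on_update></general></os_x_configuration_profile>'
}

# Jamf Classic API resource for one macOS configuration profile.
profile_url() {
    printf '%s/JSSResource/osxconfigurationprofiles/id/%s' "${JSS_URL%/}" "$1"
}

redeploy_profile() {
    valid_profile_id "$1" || { echo "invalid profile id: $1" >&2; return 2; }
    case "${JSS_URL:-}" in
        https://*) ;;
        *) echo "JSS_URL must be an https:// URL" >&2; return 2 ;;
    esac
    # Credentials reach curl on stdin (--config -) instead of -u, so they are
    # not visible in the process list. No -k: the JSS certificate is verified.
    # --fail turns HTTP errors (401, 404, ...) into a non-zero exit status.
    printf 'user = "%s:%s"\n' "$API_USER" "$API_PASS" |
        curl --config - --silent --show-error --fail \
             -H 'Content-Type: application/xml' \
             -X PUT -d "$(build_payload)" "$(profile_url "$1")"
}

# Run only when a profile id is given on the command line.
if [ "$#" -ge 1 ]; then
    redeploy_profile "$1"
fi
```

If the JSS uses a certificate from an internal CA, pass that CA to curl with `--cacert` rather than switching verification off.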

I’m still thinking on how to deploy this. We haven’t really bought into the Self Service model at my org (I’m working on it), so I likely will wrap this in an Automator application.


