Retry a failed Profile from a client

My organization is working on moving to a DEP based workflow, but in the meantime we are getting computers that have 10.13.4 preinstalled on them. We use JAMF Imaging along with the Apple provided OS to put our software on the Mac and enroll it into our JAMF JSS. After the build process the user can log in, but in 10.13.4 they are shown unapproved kernel extension warnings because our MDM Profile is not yet approved. Once they approve the MDM Profile, our KEXT Whitelist still needs to be pushed again. I can manually do this from the JAMF console by choosing to edit the profile, then save it immediately. When prompted, I have it push to newly assigned clients only and it doesn’t bother the several hundred that already have it. I recently figured out how to prompt for this from the client end with the JAMF API.

Each JAMF configuration profile (osxconfigurationprofiles in API terms) has a redploy_on_update key that can take a value of Newly Assigned. Using the API to PUT this value seems to trigger the same behaviour as the edit/save/assign to new devices process. So now from the client (or Self Service) I can trigger the KEXT profile repush as needed while still not touching all the devices that are already happy.

The API call looks like:

curl -sku "$apiUser":"$apiPass" -H "Content-Type: application/xml" -d "<os_x_configuration_profile><general><redeploy_on_update>Newly Assigned</redeploy_on_update></general></os_x_configuration_profile>" https://jss.company.com:8443/JSSResource/osxconfigurationprofiles/id/"$id" -X PUT

For the API user, I created a new local JSS account that has Update privileges for macOS Configuration Profiles (note the difference between the API and the GUI). See https://www.rderewianko.com/hardcoding_is_bad/ for some good ideas on passing the username/password/JSS name in a script.

Lastly we need the id of the configuration profile we want to repush. This can found in the URL of the profile in the web GUI or via the API.

Screen Shot 2018-05-21 at 3.28.16 PM.png

or

Screen Shot 2018-05-21 at 3.28.52 PM.png

or

curl -sku "$apiUser":"$apiPass" https://jss.company.com:8443/JSSResource/osxconfigurationprofiles -X GET

I’m still thinking on how to deploy this. We haven’t really bought into the Self Service model at my org (I’m working on it), so I likely will wrap this in an Automator application.

Advertisements

One thought on “Retry a failed Profile from a client

  1. Pingback: Approve UAMDM and repush KEXT Profile | My Thoughts

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s