I recently came across a way to have our JAMF JSS resend a failed KEXT whitelist policy triggered from the client end (Retry a failed Profile from a client). At that point I wasn’t sure how I wanted to deploy it during our provisioning process. I now have a plan to prompt for UAMDM approval and then automatically resend the KEXT profile.
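```bash
#!/bin/bash
# Placeholders: supply your own API account, JSS URL and KEXT profile ID.
apiuser="API_USER" apipass="API_PASSWORD" jssurl="https://jss.example.com" id="PROFILE_ID"
# Keep reopening the Profiles pane until the MDM enrollment shows as User Approved.
while ! profiles status -type enrollment | grep -q "User Approved"; do
    open /System/Library/PreferencePanes/Profiles.prefPane
    sleep 10
done
# Ask the JSS to redeploy the KEXT profile.
# Note: -k skips TLS certificate verification; drop it if the JSS presents a trusted certificate.
curl -sku "$apiuser":"$apipass" -H "Content-Type: application/xml" -d "<os_x_configuration_profile><general><redeploy_on_update>Newly Assigned</redeploy_on_update></general></os_x_configuration_profile>" "$jssurl"/JSSResource/osxconfigurationprofiles/id/"$id" -X PUT
```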
You will need to supply the username, password, URL, and the ID number of your KEXT profile in your script.
I install this script as a login-once action for Outset. When the user or tech provisioning the Mac signs in after JAMF Imaging is complete, they will see warnings for unapproved kernel extensions.
But once the script runs, System Preferences will open to the Profiles pane and keep opening if the user closes it. Once they approve the MDM Profile, the script triggers the JSS to resend the KEXT profile, which some applications notice immediately.
I may add a JAMF helper dialog explaining what to do and will probably add an OS version check as the profiles status line only works in 10.13.4 and above.
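The OS version check mentioned above could look like the following. This is an added example, not the author's script: `version_at_least`, `is_user_approved` and `next_action` are hypothetical helper names, and the sample `profiles status` output is constructed. Without the gate, the `while` loop would never end on a Mac older than 10.13.4, because the "User Approved" text never appears there.

```bash
#!/bin/bash
# Added example: gate the UAMDM prompt loop on the macOS version.
# All function names here are hypothetical helpers, not Jamf or Apple tools.

# Return 0 if dotted version $1 is >= $2, comparing up to three components.
version_at_least() {
    va_have=$1.0.0 va_want=$2.0.0        # pad so 10.14 compares as 10.14.0
    for va_i in 1 2 3; do
        va_h=${va_have%%.*} va_w=${va_want%%.*}
        va_have=${va_have#*.} va_want=${va_want#*.}
        [ "$va_h" -gt "$va_w" ] && return 0
        [ "$va_h" -lt "$va_w" ] && return 1
    done
    return 0                             # all components equal
}

# Return 0 if the given `profiles status -type enrollment` output shows
# a User Approved MDM enrollment.
is_user_approved() {
    printf '%s\n' "$1" | grep -q '^MDM enrollment:.*User Approved'
}

# Decide what the provisioning script should do next.
#   $1 = macOS version string, $2 = output of the profiles status command
next_action() {
    if ! version_at_least "$1" 10.13.4; then
        echo skip        # status line unavailable: looping would never finish
    elif is_user_approved "$2"; then
        echo redeploy    # safe to ask the JSS to resend the KEXT profile
    else
        echo prompt      # open the Profiles pane and check again later
    fi
}

# Constructed sample output so the example runs on any machine.
sample_status='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'
next_action 10.13.6 "$sample_status"

# On a real Mac the inputs would come from:
#   next_action "$(sw_vers -productVersion)" "$(profiles status -type enrollment)"
```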
Thanks to Rich Trouton for a method to check for UAMDM.