Approve UAMDM and repush KEXT Profile

I recently came across a way to have our JAMF JSS resend a failed KEXT whitelist policy triggered from the client end (Retry a failed Profile from a client).  At that point I wasn’t sure how I wanted to deploy it during our provisioning process.  I now have a plan to prompt for UAMDM approval and then automatically resend the KEXT profile.

while ! $(profiles status -type enrollment | grep -q "User Approved"); do 
 open /System/Library/PreferencePanes/Profiles.prefPane
 sleep 10
curl -sku "$apiuser":"$apipass" -H "Content-Type: application/xml" -d "<os_x_configuration_profile><general><redeploy_on_update>Newly Assigned</redeploy_on_update></general></os_x_configuration_profile>" "$jssurl"/JSSResource/osxconfigurationprofiles/id/$id -X PUT

You will need to supply the username, password, url, and the id number of your Kext profile in your script.

I install this script as a login-once action for Outset.  When the user or tech provisioning the Mac signs in after JAMF Imaging is complete, they will see warnings for unapproved kernel extensions.Screen Shot 2018-03-27 at 9.42.45 AM.png

But once the script runs, System Preferences will open to the Profiles pane and keep opening if the user closes it.  Once they approve the MDM Profile, the script triggers the JSS to resend the KEXT profile, which some applications notice immediately.Screen Shot 2018-03-27 at 9.44.22 AM.png

I may add a JAMF helper dialog explaining what to do and will probably add an OS version check as the profiles status line only works in 10.13.4 and above.

Thanks to Rich Trouton for a method to check for UAMDM.


Retry a failed Profile from a client

My organization is working on moving to a DEP based workflow, but in the meantime we are getting computers that have 10.13.4 preinstalled on them. We use JAMF Imaging along with the Apple provided OS to put our software on the Mac and enroll it into our JAMF JSS. After the build process the user can log in, but in 10.13.4 they are shown unapproved kernel extension warnings because our MDM Profile is not yet approved. Once they approve the MDM Profile, our KEXT Whitelist still needs to be pushed again. I can manually do this from the JAMF console by choosing to edit the profile, then save it immediately. When prompted, I have it push to newly assigned clients only and it doesn’t bother the several hundred that already have it. I recently figured out how to prompt for this from the client end with the JAMF API. Continue reading

Automator application to run script as root

I was recently asked to create a shortcut on our users’ Desktops to kick off the High Sierra install. We are caching the installer through our management system. In the past I have created a shortcut to the installer on their Desktop, but that required them to click through the many continue buttons. This method will use the startosinstall script from Slack member @bp to start the install with minimal user interaction. Continue reading

Using installer choices.xml to modify AnyConnect and McAfee deployments

I have seen several posts on MacAdmin Slack asking for help deploying only components of big packages that the business wants or needs.  There are often several ways of handling this.  For example, from the McAfee ePO console, your admin can give you a Threat Prevention only installer instead of the full Endpoint Security package.  That is great if you can grab that yourself or the admin is helpful and able to get it for you.  This isn’t always the case.  Another route is to install the full package and then uninstall the pieces that you don’t want/need.  The Cisco AnyConnect Secure Mobility client installer does put uninstall scripts for each piece of the package in /opt/cisco/anyconnect/bin.  Both of these options can get your Macs to the end state you want, but they do have potential drawbacks/complications.  Using the Apple provided installer command line tool, we can see what options are available in these packages and then create a file to set which pieces we want.  This does take some work upfront, but we have all the tools we need.   Continue reading

Signing Installer Packages with Automator

Apple packages (.pkgs) are opened by the GUI or the command line installer command. If a package is unsigned and gets a quarantine flag (from being transferred over a network), the GUI Installer will refuse to run it.Screen Shot 2016-11-02 at 3.07.35 PM.png We can get around that with a right-click -> Open, but we shouldn’t be training computer users to ignore security warnings like this.

Screen Shot 2016-11-04 at 4.49.33 PM.png
If you are creating your own packages, and users or techs may run them manually, then you really should be signing them. Even if you are deploying them in a way that a person won’t see a warning, signing packages can be very easy and provide a check that nothing changed since you created it. See below the break for how to easily automate signing packages. Continue reading