Approve UAMDM and repush KEXT Profile

I recently came across a way to have our JAMF JSS resend a failed KEXT whitelist policy triggered from the client end (Retry a failed Profile from a client).  At that point I wasn’t sure how I wanted to deploy it during our provisioning process.  I now have a plan to prompt for UAMDM approval and then automatically resend the KEXT profile.

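#!/bin/bash
# Placeholders: supply your own API account, JSS URL, and the id of your KEXT profile.
apiuser="API_USER"; apipass="API_PASSWORD"; jssurl="https://jss.example.com:8443"; id="ID"
# Keep reopening the Profiles pane until the MDM enrollment shows as User Approved.
while ! profiles status -type enrollment | grep -q "User Approved"; do
 open /System/Library/PreferencePanes/Profiles.prefPane
 sleep 10
done
# Tell the JSS to redeploy the profile to newly assigned clients (-k skips TLS certificate verification).
curl -sku "$apiuser":"$apipass" -H "Content-Type: application/xml" -d "<os_x_configuration_profile><general><redeploy_on_update>Newly Assigned</redeploy_on_update></general></os_x_configuration_profile>" "$jssurl/JSSResource/osxconfigurationprofiles/id/$id" -X PUT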

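You will need to supply the username, password, URL, and the ID number of your KEXT profile in your script. Those credentials then sit in clear text on every Mac that receives the script, so use an API account that can do nothing beyond updating configuration profiles. The -k flag also makes curl skip TLS certificate verification, so drop it if your JSS presents a certificate the clients trust.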

I install this script as a login-once action for Outset.  When the user or tech provisioning the Mac signs in after JAMF Imaging is complete, they will see warnings for unapproved kernel extensions.

But once the script runs, System Preferences will open to the Profiles pane and keep opening if the user closes it.  Once they approve the MDM Profile, the script triggers the JSS to resend the KEXT profile, which some applications notice immediately.

I may add a JAMF helper dialog explaining what to do and will probably add an OS version check as the profiles status line only works in 10.13.4 and above.

Thanks to Rich Trouton for a method to check for UAMDM.
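
The following is an added example, not the author's script: a variant of the approach above that includes the OS version check mentioned in the post, verifies the JSS certificate (no -k), hands the credentials to curl on stdin, and checks the HTTP status of the PUT. The credential values, URL and profile id are placeholders, the helper function names are made up for this example, and the sample `profiles` output is constructed.

```shell
#!/bin/bash
# Added example, not the post's original script. Values below are placeholders.
apiuser="API_USER"; apipass="API_PASSWORD"
jssurl="https://jss.example.com:8443"; id="0"   # hypothetical URL and profile id
payload='<os_x_configuration_profile><general><redeploy_on_update>Newly Assigned</redeploy_on_update></general></os_x_configuration_profile>'

# Constructed sample output of `profiles status -type enrollment` for offline checks.
SAMPLE_APPROVED='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'
SAMPLE_UNAPPROVED='Enrolled via DEP: No
MDM enrollment: Yes'

version_ge() {   # true when dotted version $1 >= $2; missing fields count as 0
    a=$1; b=$2
    for i in 1 2 3; do
        x=${a%%.*}; y=${b%%.*}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a=0 ;; esac
        case $b in *.*) b=${b#*.} ;; *) b=0 ;; esac
    done
    return 0
}

uamdm_approved() {   # $1: text printed by `profiles status -type enrollment`
    printf '%s\n' "$1" | grep -q '^MDM enrollment:.*User Approved'
}

http_ok() { case $1 in 2??) return 0 ;; *) return 1 ;; esac; }

main() {
    # The status check only works on 10.13.4 and above, so do nothing on older systems.
    version_ge "$(sw_vers -productVersion)" 10.13.4 || exit 0
    until uamdm_approved "$(profiles status -type enrollment)"; do
        open /System/Library/PreferencePanes/Profiles.prefPane
        sleep 10
    done
    # Credentials go to curl on stdin (-K -) so they stay out of the process list;
    # no -k, so the JSS certificate is verified. -w prints only the HTTP status.
    code=$(printf 'user = "%s:%s"\n' "$apiuser" "$apipass" |
        curl -s -K - -o /dev/null -w '%{http_code}' -X PUT \
            -H "Content-Type: application/xml" -d "$payload" \
            "$jssurl/JSSResource/osxconfigurationprofiles/id/$id")
    http_ok "$code" || { echo "JSS returned HTTP $code" >&2; exit 1; }
}

# Run only on macOS; elsewhere the functions can still be exercised on the samples.
if [ "$(uname -s)" = Darwin ]; then main; fi
```

A non-zero exit with the HTTP status on stderr lets the login-once run be spotted as failed instead of silently leaving the KEXT profile unsent.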


Retry a failed Profile from a client

My organization is working on moving to a DEP based workflow, but in the meantime we are getting computers that have 10.13.4 preinstalled on them. We use JAMF Imaging along with the Apple provided OS to put our software on the Mac and enroll it into our JAMF JSS. After the build process the user can log in, but in 10.13.4 they are shown unapproved kernel extension warnings because our MDM Profile is not yet approved. Once they approve the MDM Profile, our KEXT Whitelist still needs to be pushed again. I can manually do this from the JAMF console by choosing to edit the profile, then save it immediately. When prompted, I have it push to newly assigned clients only and it doesn’t bother the several hundred that already have it. I recently figured out how to prompt for this from the client end with the JAMF API.

FileCruiser – Where are my files?

We are testing a 90-day trial of Promise’s FileCruiser.  It is a private Dropbox look-a-like.  We have been pretty happy with how it works and the performance.  One tricky part is occasionally I have had to try to find the files in the filesystem.

If you need to find the data in FileCruiser, it is stored in folders named by a UUID number in /mnt/UserData/MongaStorage/tenants/<UUID>/home/.

Network Services and IPs

I have long had a GeekTool item on my desktop that tells me what network interfaces were active and what IPs I have on them, as well as my external IP address.  For a long time this relied on ifconfig and manually updating the interface numbers (en0, en1, etc…).  Now that I have a Retina MBP, without an ethernet port, I have a lot of possible interfaces with the various adapters.  Managing the script manually was getting annoying.  So I rewrote it to use networksetup and a while loop.