Basic logistics around Notify screen with Jamf Connect

Question

Hey all, I've pieced together what I think are all the steps for using a Notify Screen along with our basic Jamf Connect setup, but it's been mostly a copy-paste from the JC documentation so I'm not confident it's as smart as it could be.

We run a very general Jamf Connect login with Okta and are adding a Notify screen to newly enrolled computers to install basic apps on first setup.

Some questions I am confused about:

Is it smart to have two different Jamf Connect config profiles? One for the initial setup and one for ongoing use?

The reason I ask is we have a single Jamf Connect config profile that contains all the login info in: "Jamf Applications" com.jamf.connect.login as well as "Upload" com.jamf.connect for the JC app properties but we ALSO have "Upload" com.jamf.connect.authchanger which contains the default strings of -reset, -jamfconnect, and -notify

Would it be smarter to have one 'enrollment only' config profile that has all 3, then an 'ongoing' config profile that is the same but omits com.jamf.connect.authchanger?
What does the "Upload" of com.jamf.connect.authchanger (with above the flags listed above) even do? We have the 'script path' property that points to our Jamf Notify script in com.jamf.connect.login and I assumed that would be all that's needed?
At the end of our Notify script we run

/usr/local/bin/authchanger -reset

But that seems to reset Jamf Connect entirely to the point I only have the normal MacOS login.

If I instead run:

/usr/local/bin/authchanger -reset -JamfConnect

I will have the expected JamfConnect window (however we use passthrough anyway so I only see it VERY briefly after breaking the Filevault login).

Is that what I should be running at the end of my Notification script? Or more generally, should every Jamf Connect customer be using the -JamfConnect flag to set their default login window back to JamfConnect?

Since piecing this all together it does work but it feels like I've patched it into a whole but there's one or two too many things going on and I've made life hard on myself, or any future person coming to take it over.

Sorry for the novel! I appreciate ANY help or guidance anybody can provide.

GabePPS · Accepted Answer

The config profile we use we attach to the pre-stage enrollment for all devices, but once its enrolled that one falls away as its only scoped during the initial enrollment and once the device gets its name the enrollment profile then is excluded and the notify script wont run for further logins.

GabePPS · Answer

So this is the script we use, and we have swap profiles so when this runs it doesn't run again:

#!/bin/zsh
#variables
NOTIFY_LOG="/var/tmp/depnotify.log"
#For TOKEN_BASIC, use same file path location as set for OIDCIDTokenPath in com.jamf.connect.login
TOKEN_BASIC="/tmp/token"
TOKEN_GIVEN_NAME=$(echo "$(cat $TOKEN_BASIC)" | sed -e 's/\\"//g' | awk -v k="text" '{n=split($0,a,","); for (i=1; i<=n; i++) print a[i]}' | grep given_name | cut -d ":" -f2)
TOKEN_UPN=$(echo "$(cat $TOKEN_BASIC)" | sed -e 's/\\"//g' | awk -v k="text" '{n=split($0,a,","); for (i=1; i<=n; i++) print a[i]}' | grep upn | cut -d ":" -f2)
/usr/bin/caffeinate -discu -t 3600&
echo $TOKEN_GIVEN_NAME
echo $TOKEN_UPN
 
echo "STARTING RUN" >> $NOTIFY_LOG # Define the number of increments for the progress bar
echo "Command: Determinate: 6" >> $NOTIFY_LOG
 
#1 - Introduction window with username and animation
echo "Command: Image: /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/com.apple.macbookair-2018-space-gray.icns" >> $NOTIFY_LOG
echo "Command: MainTitle: Welcome, $TOKEN_GIVEN_NAME" >> $NOTIFY_LOG
echo "Command: MainText: Your Mac is now enrolled and will be automatically configured for you." >> $NOTIFY_LOG
echo "Status: Preparing and naming your new Mac..." >> $NOTIFY_LOG
sleep 10
 
#2 - Setting up single sign-on passwords for local account
echo "Command: Image: /System/Applications/Contacts.app/Contents/Resources/Contacts.icns" >> $NOTIFY_LOG
echo "Command: MainTitle: Tired of multiple passwords? \\n $TOKEN_GIVEN_NAME " >> $NOTIFY_LOG
echo "Command: MainText: We use single sign-on services to help you sign in to each of our district services.
Use your email address and account password to sign in to all necessary applications." >> $NOTIFY_LOG
echo "Status: Setting the password for your Mac..." >> $NOTIFY_LOG
sleep 10
 
#3 - Self Service makes the Mac life easier
echo "Command: Image: /Applications/Self Service.app/Contents/Resources/AppIcon.icns" >> $NOTIFY_LOG
echo "Command: MainTitle: Self Service makes Mac life easier" >> $NOTIFY_LOG
echo "Command: MainText: Self Service allows you to install software without the need for an admin password." >> $NOTIFY_LOG
echo "Status: Installing Self Service..." >> $NOTIFY_LOG
sleep 10
 
#4 - Everything you need for your first day
###Jamf Triggers
echo "Command: Image: /System/Library/CoreServices/Install in Progress.app/Contents/Resources/Installer.icns" >> $NOTIFY_LOG
echo "Command: MainTitle: Installing everything you need." >> $NOTIFY_LOG
echo "Command: MainText: All the apps you will need today are already being installed. When setup is complete, you'll find Microsoft Office and Zoom are all ready to go." >> $NOTIFY_LOG
echo "Status: Installing Apps..." >> $NOTIFY_LOG
/usr/local/bin/jamf policy -event "admindesktop"
sleep 5
 
#5 - Finishing up
echo "Command: Image: /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/ApplicationsFolderIcon.icns" >> $NOTIFY_LOG
echo "Status: Installing a few more apps..." >> $NOTIFY_LOG
/usr/local/bin/jamf policy -event "NameME"
sleep 5
echo "Status: Finishing up... We're almost ready for you, $TOKEN_GIVEN_NAME" >> $NOTIFY_LOG
sleep 3
 
###Clean Up
sleep 3
echo "Command: Quit" >> $NOTIFY_LOG
sleep 1
rm -rf $NOTIFY_LOG
 
#6 - Disable notify screen from loginwindow process
/usr/local/bin/authchanger -reset -JamfConnect

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded