One of our App dev teams is looking to use AWS EC2 mac for their pipeline. Our security department wants this managed like any other Mac in our environment. I know very little about AWS and these instances. Anyone got step by step guide or suggestions?
Solved
Best way to enroll AWS EC2 Mac into jamf
+24Best answer by DBrowning
I am working on a similar issue/setup. I have been able to get our AWS EC2 instances enrolled using our enrollment link, and it does appear to pull down and install at least some of the enrollment items (installs Jamf Connect, Microsoft Defender, access to our self-service store, etc) but does not appear to pull down any of the scoped configuration profiles. I can log into Jamf Pro and download/install the configurations manually, but that sort of dulls some of the shiny benefits and purposes of the enrollment process.
So, in Jamf Pro, I can see the instances in our device inventory and they appear to be regularly checking in just fine, so it's not that there isn't a line of communication between them and Jamf. I can see their "Last Enrollment" date and they show as "Managed by JAMFadmin" (though not supervised). Even though I can see the MDM profile on the instance (complete with its 2-year expiration date) and a number of other Jamf profiles, in Jamf Pro they show as "MDM Capability: No" which is, I assume, why it isn't pulling down the scoped profiles. It sounds like trying to orchestrate an auto-enrollment via Amazon EventBridge isn't going to help me out either? I'd love to be able send these instances through some sort of enrollment and have them mostly configured through those hoops rather than needing to do the bulk of the work manually. Am I correctly understanding here we are just out of luck given the current state of things? Or is this something worth trying to drag Jamf Support technicians into via ticket?
We were able to get this going with the lastMile script. We had to modify the main.scpt to include a line to tell jamf binary that the device is not virtual. I added the following line around line 101 under the "--Set preference for virtual machine" section.
do shell script "defaults write /Library/Preferences/com.jamfsoftware.jamf is_virtual_machine -bool false" with administrator privileges
+25@DBrowning This AWS blog post might be informative: https://aws.amazon.com/blogs/apn/automate-the-enrollment-of-ec2-mac-instances-into-jamf-pro/
+24I see it states there is a limitation that you can't push config profiles. We'd need to push PPPC profiles...any guidance around that?
+25I see it states there is a limitation that you can't push config profiles. We'd need to push PPPC profiles...any guidance around that?
I'm not actually using it, I just remembered this post and had previously forwarded it to our AWS team (which thankfully doesn't want me to manage their mini instances).
+14The profiles piece depends on how you build and enroll the device. If you build a custom, pre-enrolled base image, you cannot push profiles. If you leverage either manual enrollment or Amazon's Event Bridge automation to enroll the EC2 Mac, you will have full profile capabilities.
+24The profiles piece depends on how you build and enroll the device. If you build a custom, pre-enrolled base image, you cannot push profiles. If you leverage either manual enrollment or Amazon's Event Bridge automation to enroll the EC2 Mac, you will have full profile capabilities.
We tried doing manual enrollment but it would only install the main MDM profile and nothing else. The device only showed up as unmanaged and became too much of a pain so we were able to talk our security department out of managing them since they are only being used in a CI/CD pipeline.
+26We did some round abouts with Mac Stadium last year which is a similar platform to EC2. We ultimately decided to stick with our own datacenter hosted mac solution internally.
DEP is off the table, so anything that requires DEP like using MDM commands to issue Software Updates will not work. You are stuck with users installing Software Updates manually. Once the device has been provisioned, IT would need to connect to the device and manually enroll with Device Enrollment, then manually trigger your configuration (or let recurring checkin handle it). Once the device is configured give the user access to it. Since you cannot enroll to MDM with CLI or PKG anymore, this enrollment part is manual. In theory you could have the user enroll their device, but who trusts users...
Again, my experience is with Mac Stadium and a bit old. I would not be shocked if Amazon has some obtuse workaround that apple will break without warning.
I am working on a similar issue/setup. I have been able to get our AWS EC2 instances enrolled using our enrollment link, and it does appear to pull down and install at least some of the enrollment items (installs Jamf Connect, Microsoft Defender, access to our self-service store, etc) but does not appear to pull down any of the scoped configuration profiles. I can log into Jamf Pro and download/install the configurations manually, but that sort of dulls some of the shiny benefits and purposes of the enrollment process.
So, in Jamf Pro, I can see the instances in our device inventory and they appear to be regularly checking in just fine, so it's not that there isn't a line of communication between them and Jamf. I can see their "Last Enrollment" date and they show as "Managed by JAMFadmin" (though not supervised). Even though I can see the MDM profile on the instance (complete with its 2-year expiration date) and a number of other Jamf profiles, in Jamf Pro they show as "MDM Capability: No" which is, I assume, why it isn't pulling down the scoped profiles. It sounds like trying to orchestrate an auto-enrollment via Amazon EventBridge isn't going to help me out either? I'd love to be able send these instances through some sort of enrollment and have them mostly configured through those hoops rather than needing to do the bulk of the work manually. Am I correctly understanding here we are just out of luck given the current state of things? Or is this something worth trying to drag Jamf Support technicians into via ticket?
+24I am working on a similar issue/setup. I have been able to get our AWS EC2 instances enrolled using our enrollment link, and it does appear to pull down and install at least some of the enrollment items (installs Jamf Connect, Microsoft Defender, access to our self-service store, etc) but does not appear to pull down any of the scoped configuration profiles. I can log into Jamf Pro and download/install the configurations manually, but that sort of dulls some of the shiny benefits and purposes of the enrollment process.
So, in Jamf Pro, I can see the instances in our device inventory and they appear to be regularly checking in just fine, so it's not that there isn't a line of communication between them and Jamf. I can see their "Last Enrollment" date and they show as "Managed by JAMFadmin" (though not supervised). Even though I can see the MDM profile on the instance (complete with its 2-year expiration date) and a number of other Jamf profiles, in Jamf Pro they show as "MDM Capability: No" which is, I assume, why it isn't pulling down the scoped profiles. It sounds like trying to orchestrate an auto-enrollment via Amazon EventBridge isn't going to help me out either? I'd love to be able send these instances through some sort of enrollment and have them mostly configured through those hoops rather than needing to do the bulk of the work manually. Am I correctly understanding here we are just out of luck given the current state of things? Or is this something worth trying to drag Jamf Support technicians into via ticket?
We were able to get this going with the lastMile script. We had to modify the main.scpt to include a line to tell jamf binary that the device is not virtual. I added the following line around line 101 under the "--Set preference for virtual machine" section.
do shell script "defaults write /Library/Preferences/com.jamfsoftware.jamf is_virtual_machine -bool false" with administrator privileges
+16We were able to get this going with the lastMile script. We had to modify the main.scpt to include a line to tell jamf binary that the device is not virtual. I added the following line around line 101 under the "--Set preference for virtual machine" section.
do shell script "defaults write /Library/Preferences/com.jamfsoftware.jamf is_virtual_machine -bool false" with administrator privileges
Manually running this fixed my issue. Thanks
sudo defaults write /Library/Preferences/com.jamfsoftware.jamf is_virtual_machine -bool false
+12I am working on a similar issue/setup. I have been able to get our AWS EC2 instances enrolled using our enrollment link, and it does appear to pull down and install at least some of the enrollment items (installs Jamf Connect, Microsoft Defender, access to our self-service store, etc) but does not appear to pull down any of the scoped configuration profiles. I can log into Jamf Pro and download/install the configurations manually, but that sort of dulls some of the shiny benefits and purposes of the enrollment process.
So, in Jamf Pro, I can see the instances in our device inventory and they appear to be regularly checking in just fine, so it's not that there isn't a line of communication between them and Jamf. I can see their "Last Enrollment" date and they show as "Managed by JAMFadmin" (though not supervised). Even though I can see the MDM profile on the instance (complete with its 2-year expiration date) and a number of other Jamf profiles, in Jamf Pro they show as "MDM Capability: No" which is, I assume, why it isn't pulling down the scoped profiles. It sounds like trying to orchestrate an auto-enrollment via Amazon EventBridge isn't going to help me out either? I'd love to be able send these instances through some sort of enrollment and have them mostly configured through those hoops rather than needing to do the bulk of the work manually. Am I correctly understanding here we are just out of luck given the current state of things? Or is this something worth trying to drag Jamf Support technicians into via ticket?
Hi,
did you ever find the cause of the issue?
we're seeing a similar thing, the profile installs,
/usr/bin/profiles status -type enrollment shows that it's enrolled and MDM capable, the Jamf binary is working and policies are running ok, but the computer in Jamf shows MDM capability as No, and no profiles as being installed.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.