Deploy network certificates after or before enrollment

I'm looking for suggestions or workflows on deploying network profiles before or after our enrollment process.

Our setup:
• Jamf Cloud
• ADCS connector
• DEPNotify

We don't currently have a provisioning network yet but is in process, so we use dmz/external-facing network connections for enrollment but the network could switch during the enrollment if the profiles deployed during the enrollment or depnotify process and potentially cause an issue.

I tried to find a way to trigger the config profile after depnotify but did not see a way to do using smart group criteria.

any suggestions or ideas?

Thank you!

Page 1 / 1

Put a waypoint file on the system at the end of enrollment, search for its existence with an extension attribute, build a smart group based on the attribute and scope your profile to it, do a jamf recon.

appreciate the suggestion, but I am not familiar with that process, do you have any documentation or steps that show this type of configuration or what the waypoint file and EA would look like?

In your last policy driven by DEPNotify, do a

touch /Library/Preferences/.MacReadyforCertificates

or something similar.

The extension attribute could be named something like "Ready for Certificate Deployment," be script based and would look like this for this example;

#!/bin/sh



if [[ -f /Library/Preferences/.MacReadyforCertificates ]]; then

  echo "<result>Yes</result>"

else

  echo "<result>No</result>"

fi

Your smart group would just look for the Yes criteria to deploy the MDM profile to.

Thank you, do you know if EA's take a while to update or resolve?

I created a test for this. Here is my config based on your suggestions:

• created a Policy
–Once Per Computer, re-occurring check-in
–Files & Process
––Execute Command: touch /Library/Preferences/WaltTest
–scoped to my device

• created EA
–script
–– instead of .MacReadyforCertificates, used WaltTest (no prefacing period)

• Created Smart Group
–Criteria: EATest

The EA shows in my device inventory but does not show Yes or No, yet the file is there created by the EA.

You'll get a value on the next inventory update. Often with DEPNotify it's good to do an inventory update at the end of your provisioning workflow to update inventory and EA values for any subsequent processing.

I was getting an error with the script, but when I added fi to the end of the script and it showed the results as intended.

thank you for the guidance on this, should be useful for this purpose.

Thanks, it got lost in my copy/paste. Added for posterity.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded