Skip to main content
Solved

Deploy network certificates after or before enrollment

  • July 10, 2020
  • 7 replies
  • 55 views
W
Forum|alt.badge.img+9
  • walt
  • Valued Contributor

I'm looking for suggestions or workflows on deploying network profiles before or after our enrollment process.

Our setup:
• Jamf Cloud
• ADCS connector
• DEPNotify

We don't currently have a provisioning network yet but is in process, so we use dmz/external-facing network connections for enrollment but the network could switch during the enrollment if the profiles deployed during the enrollment or depnotify process and potentially cause an issue.

I tried to find a way to trigger the config profile after depnotify but did not see a way to do using smart group criteria.

any suggestions or ideas?

Thank you!

Best answer by psliequ

In your last policy driven by DEPNotify, do a 

touch /Library/Preferences/.MacReadyforCertificates

or something similar.

The extension attribute could be named something like "Ready for Certificate Deployment," be script based and would look like this for this example;

#!/bin/sh

if [[ -f /Library/Preferences/.MacReadyforCertificates ]]; then
  echo "<result>Yes</result>"
else
  echo "<result>No</result>"
fi

Your smart group would just look for the Yes criteria to deploy the MDM profile to.

7 replies

P
Forum|alt.badge.img+13
  • psliequ
  • Contributor
  • July 10, 2020

Put a waypoint file on the system at the end of enrollment, search for its existence with an extension attribute, build a smart group based on the attribute and scope your profile to it, do a jamf recon.

    W
    Forum|alt.badge.img+9
    • walt
    • Author
    • Valued Contributor
    • July 10, 2020

    appreciate the suggestion, but I am not familiar with that process, do you have any documentation or steps that show this type of configuration or what the waypoint file and EA would look like?

    P
    Forum|alt.badge.img+13
    • psliequ
    • Contributor
    • Answer
    • July 10, 2020

    In your last policy driven by DEPNotify, do a 

    touch /Library/Preferences/.MacReadyforCertificates

    or something similar.

    The extension attribute could be named something like "Ready for Certificate Deployment," be script based and would look like this for this example;

    #!/bin/sh

if [[ -f /Library/Preferences/.MacReadyforCertificates ]]; then
  echo "<result>Yes</result>"
else
  echo "<result>No</result>"
fi

    Your smart group would just look for the Yes criteria to deploy the MDM profile to.

    W
    Forum|alt.badge.img+9
    • walt
    • Author
    • Valued Contributor
    • July 10, 2020

    Thank you, do you know if EA's take a while to update or resolve?

    I created a test for this. Here is my config based on your suggestions:

    • created a Policy
    –Once Per Computer, re-occurring check-in
    –Files & Process
    ––Execute Command: touch /Library/Preferences/WaltTest
    –scoped to my device

    • created EA
    –script
    –– instead of .MacReadyforCertificates, used WaltTest (no prefacing period)

    • Created Smart Group
    –Criteria: EATest

    The EA shows in my device inventory but does not show Yes or No, yet the file is there created by the EA.

    P
    Forum|alt.badge.img+13
    • psliequ
    • Contributor
    • July 10, 2020

    You'll get a value on the next inventory update. Often with DEPNotify it's good to do an inventory update at the end of your provisioning workflow to update inventory and EA values for any subsequent processing.

    W
    Forum|alt.badge.img+9
    • walt
    • Author
    • Valued Contributor
    • July 10, 2020

    I was getting an error with the script, but when I added fi to the end of the script and it showed the results as intended.

    thank you for the guidance on this, should be useful for this purpose.

    P
    Forum|alt.badge.img+13
    • psliequ
    • Contributor
    • July 10, 2020

    Thanks, it got lost in my copy/paste. Added for posterity.

    Terms & ConditionsCookie settingsAccessibility statement