Question

How to force depnotify to kick in right after enrollment?

Forum|Forum|4 years ago
December 21, 2021
4 replies
89 views

+8

Captainamerica
Contributor

So there is 2 scenarios:

1. When enrolling a mac manually through browser and installation of profile. Profiles are installed and also have set the "enrollment complete" trigger - and only this one trigger in first policy. But often it can take some time before the depnotify kick in. If I go to terminal and do a manual sudo jamf policy, it triggers that start of depnotify. So my question is how can it be made, so after enrollment the sudo jamf policy kick in right away - so depnotify is launched

2.
In pre-stage enviroment we use Jamf connect that create account and also install depnotify. Seeing the desktop it again takes time before the sudo jamf policy is executed, so depnotify is not launched. Is there a way to trigger this so it launches right away when the desktop is seen first time. Somekind of launchdeamon maybe or what are other using ?

A

+13

andrew_nicholas
Honored Contributor
Forum|Forum|4 years ago
December 21, 2021

Something like the below might work for you. It is a script that writes another script to launch the enrollment policy or detect if DEP has run and delete itself and its calling plist. The plist is set to five minutes but can be changed to whatever works for you.

#!/bin/zsh
companyDir="/Library/COMPANY/Scripts"
scriptPath="/Library/COMPANY/Scripts/beginEnrollment.sh"
plistPath="/Library/LaunchDaemons/com.companyname.nudgeenroll.plist"


mkdir -p "$companyDir"

#write script, chown and chmod
touch "$scriptPath"
cat << '_EOF' > $scriptPath
    #!/bin/zsh
	depLogPath="/var/tmp/depnotify.log"
	scriptPath="/Library/COMPANY/Scripts/beginEnrollment.sh"
	plistPath="/Library/LaunchDaemons/com.companyname.nudgeenroll.plist"

    #Detect if DEP has begun, if so delete script
	if [ -f "$depLogPath" ]; then
    	rm "$scriptPath"
    	rm "$plistPath"
	else
    	currentUser=$(ls -l /dev/console | cut -d " " -f 4)
    	currentUserHome=$(dscl . read /Users/$currentUser NFSHomeDirectory | awk '{print $2}') 
    	jamfEnrollURL="<URL_FOR_ENROLLMENT_PORTAL_OR_POLICY_TO_BE_CALLED>"
    	sudo -u $currentUser open "$jamfEnrollURL"
	fi
_EOF
chmod +x "$scriptPath"
chown root:wheel "$scriptPath"

#write launch daemon chown 
touch "$plistPath"
cat << '_EOF' > $plistPath
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>com.company.nudgeenroll</string>
	<key>ProgramArguments</key>
	<array>
		<string>sh</string>
		<string>-c</string>
		<string>/Library/COMPANY/Scripts/beginEnrollment.sh</string>
	</array>
	<key>StartInterval</key>
    <integer>300</integer>
</dict>
</plist>
_EOF
chown root:wheel "$plistPath"
launchctl load -w "$plistPath"

Like

C

+8

Captainamerica
Author
Contributor
Forum|Forum|4 years ago
December 21, 2021

Thanks. However, I think i somehow how to add that the launchdaemon is not kicked off before the desktop is visible for the user. As far I can read a way to do this if to check if the dock or finder process exist - but don´t have the skills to build this into your script

Like

+12

rqomsiya
Honored Contributor
Forum|Forum|4 years ago
December 21, 2021

Thanks. However, I think i somehow how to add that the launchdaemon is not kicked off before the desktop is visible for the user. As far I can read a way to do this if to check if the dock or finder process exist - but don´t have the skills to build this into your script

You can try taking a look at this tool as well by @Yohan : https://github.com/Yohan460/JAMF-Enrollment-Kickstart