Skip to main content

Getting fond memories of Sim City 2000, but not necessarily having the best time with Jamf Pro at the moment...

 

So I have the jamf connect metapackage going out and being installed - yes, all the permissions have been set to wheel/root, yes, it is signed, yes, by an apple developer ID cert, and yes, the cert is valid. It contains the jamfconnect PKG, branding assets, postintall script, and the notify script. It is being installed, as booting into the machine we are getting the jamfconnect login screen, which works normally.

 

However, after logging in, at the point where the notify script should be run, I am getting the generic notify screen and the "reticulating splines Again.." status message, to which I have to command +control + X to get past.

After the fact I check that the depnotify.log file does indeed exist in /var/tmp/, but it is blank. So it is appearing that the script is not running to update it - hence the splines.

I have tried several scripts, thinking that maybe I made the process too complicated for it, but it seems that doesn't matter in my case.

So, while I open a ticket with Jamf support, I am putting my config out here (with omissions to protect the innocent) so that any blaring issues can be pointed and laughed at.

 

Prestage Config:

- installs 2 packages:

  • jamfconnectlaunchagent.pkg
  • jamfconnectmetapackage.pkg

- installs various config profiles, but the main two we are concerned with are:

  • Jamf Connect CA - MFA
  • Jamf Connect Login CA - MFA 

(we use Azure with conditional access MFA)

The settings for the Jamf Connect CA - MFA config profile are:

  • Computer Level
  • Install Automatically

Applications and Custom Settings plist for com.jamf.connect (just for full transparency):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>HiddenMenuItems</key>
<array>
<string>about</string>
<string>preferences</string>
<string>quit</string>
</array>
<key>IdPSettings</key>
<dict>
<key>ChangePasswordURL</key>
<string>nope</string>
<key>DiscoveryURL</key>
<string>https://nope</string>
<key>Provider</key>
<string>Azure</string>
<key>ROPGID</key>
<string>nope</string>
<key>ResetPasswordURL</key>
<string>nope</string>
<key>TenantID</key>
<string>nope</string>
</dict>
<key>LicenseFile</key>
<data>
imagine
</data>
<key>SignIn</key>
<dict>
<key>AutoAuthenticate</key>
<true/>
<key>SignInLogo</key>
<string>/usr/local/jamfconnect/logo.png</string>
</dict>
<key>UserHelp</key>
<dict>
<key>HelpOptions</key>
<string>https://noneya</string>
<key>HelpType</key>
<string>URL</string>
</dict>
</dict>
</plist>

The settings for the Jamf Connect Login - CA MFA config profile are:

  • Computer Level
  • Install Automatically

Applications and Custom Settings plist for com.jamf.connect.login:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>OIDCUsePassthroughAuth</key>
<true/>
<key>OIDCProvider</key>
<string>Azure</string>
<key>OIDCClientID</key>
<string>nope</string>
<key>OIDCROPGID</key>
<string>nope</string>
<key>OIDCRedirectURI</key>
<string>https://127.0.0.1/jamfconnect</string>
<key>OIDCAdmin</key>
<string>Administrator</string>
<key>OIDCAdminAttribute</key>
<string>roles</string>
<key>OIDCIgnoreAdmin</key>
<false/>
<key>OIDCTenant</key>
<string>nope</string>
<key>OIDCDiscoveryURL</key>
<string>https://nope</string>
<key>OIDCScopes</key>
<string>api://nope</string>
<key>CreateJamfConnectPassword</key>
<true/>
<key>LocalFallback</key>
<true/>
<key>DenyLocal</key>
<true/>
<key>DenyLocalExcluded</key>
<array>
<string>local_admin</string>
</array>
<key>LicenseFile</key>
<string>imagine</string>
<key>Migrate</key>
<true/>
<key>MigrateUsersHide</key>
<array>
<string>local_admin</string>
</array>
<key>BackgroundImage</key>
<string>/usr/local/jamfconnectbranding/background.jpg</string>
<key>LoginLogo</key>
<string>/usr/local/jamfconnectbranding/logo.png</string>
<key>AllowNetworkSelection</key>
<true/>
<key>ScriptPath</key>
<string>/usr/local/jamfconnectbranding/newnotify.sh</string>
</dict>
</plist>

Applications and Custom Settings plist for com.jamf.connect.authchanger:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Arguments</key>
<array>
<string>-reset</string>
<string>-JamfConnect</string>
<string>-Notify</string>
</array>
</dict>
</plist>

 

So with that out of the way, here are the two scripts that I had set up, both of which failed with the splines error.

#1

#!/bin/zsh

#variables
JAMFBIN="/usr/local/bin/jamf"

echo "STARTING RUN" >> /var/tmp/depnotify.log
# Define the number of increments for the progress bar
echo "Command: Determinate: 11" >> /var/tmp/depnotify.log

#1 - Introduction window with username and animation
echo "Command: Image: /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/com.apple.macbookpro-15-retina-touchid-silver.icns" >> /var/tmp/depnotify.log
echo "Command: MainTitle: Welcome, to your new mac!" >> /var/tmp/depnotify.log
echo "Command: MainText: Your Mac is now enrolled and will be automatically configured for you." >> /var/tmp/depnotify.log
echo "Status: Preparing your new Mac..." >> /var/tmp/depnotify.log
sleep 10

# Check the path of the Jamf client binary. If not present yet, wait 2 seconds and
# check again.
until [ -f $JAMFBIN ]
do
echo "Status: Waiting on Jamf" >> /var/tmp/depnotify.log
sleep 2
done


#2 - Setting up single sign-on passwords for local account
echo "Command: Image: /System/Applications/Utilities/Keychain Access.app/Contents/Resources/AppIcon.icns" >> /var/tmp/depnotify.log
echo "Command: MainTitle: Tired of remembering multiple passwords?" >> /var/tmp/depnotify.log
echo "Command: MainText: We use single sign-on services to help you sign in to each of our corporate services.\\\\nUse your email address and account password to sign in to all necessary applications." >> /var/tmp/depnotify.log
echo "Status: Setting the password for your Mac to sync with your network password..." >> /var/tmp/depnotify.log
sleep 10

#3 - Self Service makes the Mac life easier
echo "Command: Image: /Applications/Self Service.app/Contents/Resources/AppIcon.icns" >> /var/tmp/depnotify.log
echo "Command: MainTitle: Self Service makes Mac life easier" >> /var/tmp/depnotify.log
echo "Command: MainText: Self Service includes helpful bookmarks and installers for other applications that may interest you." >> /var/tmp/depnotify.log
echo "Status: Installing Self Service..." >> /var/tmp/depnotify.log
/usr/local/bin/jamf policy -event "InstallTeamViewer"
sleep 10


#4 - Everything you need for your first day, Installing Office
###Jamf Triggers
echo "Command: Image: /usr/local/jamfconnectbranding/office-365-icon.png" >> /var/tmp/depnotify.log
echo "Command: MainTitle: Installing everything you need for your first day." >> /var/tmp/depnotify.log
echo "Command: MainText: All the apps you will need today are already being installed. When setup is complete, you'll find Microsoft Office, Teams, Box, Cisco AnyConnect VPN, Google Chrome are all ready to go. Launch apps from the Dock and have fun!" >> /var/tmp/depnotify.log
echo "Status: Installing Microsoft Office..." >> /var/tmp/depnotify.log
/usr/local/bin/jamf policy -event "InstallOffice"
sleep 5

#5 - Installing Teams
echo "Command: Image: /usr/local/jamfconnectbranding/teamslogo.png" >> /var/tmp/depnotify.log
echo "Status: Installing Microsoft Teams..." >> /var/tmp/depnotify.log
/usr/local/bin/jamf policy -event "InstallTeams"
sleep 30

#6 - Installing Box
echo "Command: Image: /usr/local/jamfconnectbranding/box.png" >> /var/tmp/depnotify.log
echo "Status: Installing Box Drive..." >> /var/tmp/depnotify.log
/usr/local/bin/jamf policy -event "InstallBox"
sleep 30

#7 - Installing Defender
echo "Command: Image: /usr/local/jamfconnectbranding/windef.png" >> /var/tmp/depnotify.log
echo "Status: Installing Microsoft Defender Anti-Virus..." >> /var/tmp/depnotify.log
/usr/local/bin/jamf policy -event "InstallDefender"
sleep 30

#8 - Installing Cisco AnyConnect
echo "Command: Image: /usr/local/jamfconnectbranding/anyconnect.png" >> /var/tmp/depnotify.log
echo "Status: Installing Cisco AnyConnect VPN..." >> /var/tmp/depnotify.log
/usr/local/bin/jamf policy -event "InstallCiscoVPN"
sleep 30

#9 - Installing Chrome
echo "Command: Image: /usr/local/jamfconnectbranding/chrome.png" >> /var/tmp/depnotify.log
echo "Status: Installing Google Chrome..." >> /var/tmp/depnotify.log
/usr/local/bin/jamf policy -event "InstallChrome"
sleep 30

#10 - Finishing up
echo "Command: Image: /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/ApplicationsFolderIcon.icns" >> /var/tmp/depnotify.log
sleep 5
echo "Status: Finishing up... We're almost ready for you." >> /var/tmp/depnotify.log
sleep 3

##Creating file to establish that enrollment has completed
#### This corresponds to the Extension Attribute "Post-Enrollment Complete File Exists"
touch /usr/local/jamfconnect/enrollmentcomplete.txt

###Clean Up
sleep 3
echo "Command: Quit" >> /var/tmp/depnotify.log
sleep 1

#11 - Disable notify screen from loginwindow process
#/usr/local/bin/authchanger -reset -JamfConnect

 

#2 (simplified)

#!/bin/zsh

#Variable List:
JAMFBIN="/usr/local/bin/jamf"

# Notify Mechanism:
# Change the default text displayed to the user
echo "Command: Image: /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/com.apple.macbookpro-15-retina-touchid-silver.icns" >> /var/tmp/depnotify.log
echo "Command: MainTitle: Welcome to Gizmonics!" >> /var/tmp/depnotify.log
echo "Command: MainText: Welcome to your new Mac.\\\\nSit tight as we do some basic setup to get you ready for success.\\\\nYou can see the status of the setup on the progress bar below." >> /var/tmp/depnotify.log

# Update the user of the status of the onboarding
echo "Status: Installing Jamf" >> /var/tmp/depnotify.log

# Check the path of the Jamf client binary. If not present yet, wait 2 seconds and
# check again.
until [ -f $JAMFBIN ]
do
echo "Status: Waiting on Jamf" >> /var/tmp/depnotify.log
sleep 2
done

# Notify the user that we will let Jamf Pro take over at this point
echo "Status: Passing command and control to Jamf Pro" >> /var/tmp/depnotify.log

# Call a custom triggers

echo "Status: Installing TeamViewer Host" >> /var/tmp/depnotify.log
$JAMFBIN policy -event InstallTeamViewer

echo "Status: Installing Microsoft Office" >> /var/tmp/depnotify.log
$JAMFBIN policy -event InstallOffice

echo "Status: Installing Microsoft Teams" >> /var/tmp/depnotify.log
$JAMFBIN policy -event InstallTeams

echo "Status: Installing Box Drive" >> /var/tmp/depnotify.log
$JAMFBIN policy -event InstallBox

echo "Status: Installing Microsoft Defender Antivirus" >> /var/tmp/depnotify.log
$JAMFBIN policy -event InstallDefender

echo "Status: Installing Cisco AnyConnect VPN" >> /var/tmp/depnotify.log
$JAMFBIN policy -event InstallCiscoVPN

echo "Status: Installing Google Chrome" >> /var/tmp/depnotify.log
$JAMFBIN policy -event InstallChrome

echo "Status: Finishing up... We're almost ready!" >> /var/tmp/depnotify.log

sleep 3

#5 - Clean Up
sleep 3
echo "Command: Quit" >> /var/tmp/depnotify.log
sleep 1
rm -rf /var/tmp/depnotify.log

#6 - Disable notify screen from loginwindow process
/usr/local/bin/authchanger -reset -JamfConnect

 

So that's it. And I am absolutely stumped on this one. Anyone have any thoughts on this mess?

We've had the issue (we're using Okta though) when the package, created in the Jamf Composer, wasn't signed correctly. Do you have it signed?

We've had the issue (we're using Okta though) when the package, created in the Jamf Composer, wasn't signed correctly. Do you have it signed?


Yes - it is signed with our Apple Developer ID cert, which is valid. 

All I know is that the Notify mechanism is being triggered by the config profile, but the script is not being run. I have a support case open with Jamf Support about this. I will post what they find.

Hey, @mander5055 I'm having the exact same issue. All I get is the reticulating message and I removed all the policies it calls for except for the google chrome one, which I've re-packaged, and signed with the Cert I created using my jamf Pro account (following jamf's instructions). I get the jamf connect login scree, sign in, then the depNotify screen comes up with the same message. Already tried like 10 dif things, and no luck. Have you heard anything back from Jamf Support?  

Yes - it is signed with our Apple Developer ID cert, which is valid. 

All I know is that the Notify mechanism is being triggered by the config profile, but the script is not being run. I have a support case open with Jamf Support about this. I will post what they find.


Not sure if you're supposed to use the Developer certification; we use the JSS one, following the Jamf instructions on this page: https://docs.jamf.com/technical-articles/Creating_a_Signing_Certificate_Using_Jamf_Pros_Built-in_CA_to_Use_for_Signing_Configuration_Profiles_and_Packages.html

Hey, @mander5055 I'm having the exact same issue. All I get is the reticulating message and I removed all the policies it calls for except for the google chrome one, which I've re-packaged, and signed with the Cert I created using my jamf Pro account (following jamf's instructions). I get the jamf connect login scree, sign in, then the depNotify screen comes up with the same message. Already tried like 10 dif things, and no luck. Have you heard anything back from Jamf Support?  


Did you use this? https://docs.jamf.com/technical-articles/Creating_a_Signing_Certificate_Using_Jamf_Pros_Built-in_CA_to_Use_for_Signing_Configuration_Profiles_and_Packages.html

Hey, @mander5055 I'm having the exact same issue. All I get is the reticulating message and I removed all the policies it calls for except for the google chrome one, which I've re-packaged, and signed with the Cert I created using my jamf Pro account (following jamf's instructions). I get the jamf connect login scree, sign in, then the depNotify screen comes up with the same message. Already tried like 10 dif things, and no luck. Have you heard anything back from Jamf Support?  


They verified everything I already told them, and had me rebuild the package with the example notify script, without any improvement. I have a meeting with an actual support tech tomorrow. I will post any updates from that afterwards.

Not sure if you're supposed to use the Developer certification; we use the JSS one, following the Jamf instructions on this page: https://docs.jamf.com/technical-articles/Creating_a_Signing_Certificate_Using_Jamf_Pros_Built-in_CA_to_Use_for_Signing_Configuration_Profiles_and_Packages.html


I have a meeting with a support tech tomorrow - I will try this in the meantime. Thanks!

Did you use this? https://docs.jamf.com/technical-articles/Creating_a_Signing_Certificate_Using_Jamf_Pros_Built-in_CA_to_Use_for_Signing_Configuration_Profiles_and_Packages.html


I tried this. It did not produce any different results. Still Reticulating Splines Again status message. I am going to look into other things.

So my findings so far is that the following did not change the outcome:

  • - creating a new notify script and modifying the config profile to target this new script, even if it was the example script from the jamf documentation.
  • - repackaging the metapackage and signing it with the jamf pro CA certificate, instead of my developer certificate
  • - changing the configuration profile from a gui-based setup, to uploading a plist

The logs for com.jamf.connect.login seem to indicate that it can't find the script to run in the first place:

Tue Sep 27 14:36:17 [com.jamf.connect.login] - Info - RunScript: RunScript mech starting
Tue Sep 27 14:36:17 [com.jamf.connect.login] - Info - RunScript: Status of didSaveToken is false, Status of didSaveTokenRaw is false
Tue Sep 27 14:36:17 [com.jamf.connect.login] - Info - RunScript: Unable to run script. The operation couldn...t be completed. No such file or directory
Tue Sep 27 14:36:17 [com.jamf.connect.login] - Info - RunScript: Status of didRunScript is false

So I'm not sure if that the file is not being accessed correctly by whatever system process this is running under, or that the metapackage isn't being deployed to the system by the time the notify mechanism is run.

I can't prove either, but the background and logos are showing up, and those are packaged in the metapackage, so I don't understand why that would be accessible but not the script, since they all receive the same rights from the package.

 

Still working through possibilities.

So my findings so far is that the following did not change the outcome:

  • - creating a new notify script and modifying the config profile to target this new script, even if it was the example script from the jamf documentation.
  • - repackaging the metapackage and signing it with the jamf pro CA certificate, instead of my developer certificate
  • - changing the configuration profile from a gui-based setup, to uploading a plist

The logs for com.jamf.connect.login seem to indicate that it can't find the script to run in the first place:

Tue Sep 27 14:36:17 [com.jamf.connect.login] - Info - RunScript: RunScript mech starting
Tue Sep 27 14:36:17 [com.jamf.connect.login] - Info - RunScript: Status of didSaveToken is false, Status of didSaveTokenRaw is false
Tue Sep 27 14:36:17 [com.jamf.connect.login] - Info - RunScript: Unable to run script. The operation couldn...t be completed. No such file or directory
Tue Sep 27 14:36:17 [com.jamf.connect.login] - Info - RunScript: Status of didRunScript is false

So I'm not sure if that the file is not being accessed correctly by whatever system process this is running under, or that the metapackage isn't being deployed to the system by the time the notify mechanism is run.

I can't prove either, but the background and logos are showing up, and those are packaged in the metapackage, so I don't understand why that would be accessible but not the script, since they all receive the same rights from the package.

 

Still working through possibilities.


What the support tech suggested was that we separate the jamfconnect installer pkg from the branding package - so basically build a new assets package. All assets in the package were set to root/wheel, and all permissions set to 777. They also moved where the branding and script assets are being deployed from /usr/local to /Users/Shared. We modified the configuration profile to point to the new locations of the logo, background, and notify script.

I built a package and signed it with the Jamf CA certificate. And I built another and signed it with my apple developer ID. Neither worked. 

The notify mechanism was triggered and the Reticulating Splines Again message was displayed, but according to the logs it could not find the notify script itself. I have no idea why - the customized branding images are being displayed just fine.

Once again, I am waiting for support to give me further instruction and info. I will update this further when they get back to me.

So we have this particular issue resolved. The issue was either with the permissions on the directory that it was being deployed to, or with the script. So this is the solution that we came to that allowed the Notify mechanism to finally kick in:

- Change the directory where the assets are being deployed from /usr/local/jamfconnect to /Users/Shared/jamfconnect/

- Recreate the notify.sh script again, using the example script at https://github.com/jamf/jamfconnect/blob/main/scripts/Notify/Jamf-Connect-Notify-Script.sh

 

But as soon as I got a copy of the example script and deployed it to /Users/Shared/jamfconnect/, and edited the configuration profile to set the ScriptPath to /Users/Shared/jamfconnect/notify.sh, it was able to trigger and run. I then just edited that script again to what I needed.

 

So I hope that helps others that run into this - RELOCATE THE ASSETS, RECREATE YOUR SCRIPT.

Reply


Terms & ConditionsCookie settings