Hello,
I am trying to make a LaunchDaemon that will run a script I packaged in composer when it sees that MDM profiles have been removed from the machine.
The idea is to make it easier for our end users to be enrolled into JAMF from our past MDM.
As I understand it there might still be some user interaction needed but we are trying to make it as seamless as possible given that wiping is not really an option on our side nor do we have the bandwidth among the team to be able to this.
In essence we deploy the package and the plist files to the end users machines(using current MDM), and when the machine becomes unmanaged from said MDM, it kicks off the process of running the pkg which contains a script to renew MDM profile.
I think if the pkg is signed then we should not see too much need for user interaction.
Let me know if this is feasible.
Our other thought was to create a swiftDialog that walks users through running the pkg themselves but of course that is not foolproof.
Possible to deploy a package that runs when certain events occur?
+1
+25There is a lot to ask and discuss with a topic like this… and I apologies in advance because I have this tendency to dig into the question or at least the base assumptions of the question first.
OK, so you’re changing MDMs to Jamf. Cool. Are your devices in DEP? If not, by what method are they enrolled? That will be the big question to start with.
If they’re DEP then Apple has a new-ish process for this… which I’ll admit, I haven’t tried, but it sounds good!
If they’re not, by what enrollment method are you planning to use with Jamf?
+1Yes devices are in DEP managed by Addigy.
Problem is not all our devices are on the version of the OS that supports that feature from JAMF. And we have some deadlines to meet with the project which make it somewhat unrealistic that we can get all users pushed up to that OS.
We are planning to use the JAMF enrollment script sudo /usr/bin/profiles renew -type enrollment as part of a signed pkg
Most new laptops will be done by ADE/DEP.
The idea here is to push this down and then unmanage the devices in Addigy, move them to the JAMF ABM server we created and hopefully have this kick off the profile addition.
+25I can see that you’ve already gotten the mention of the Jamf professional service for this in another thread. If you’ve got a big time crunch that’s a good way to go.
As for the rest. It’s a little beyond me to think of a way to monitor the removal of the MDM profile reliably with launchd across a range of Major OSs. Sorry on that note. Doing this the other way round (if they were managed by Jamf) . I would load a script to remove the jamf MDM profile and binary (This is how we off board BYO machines). Then use that same script to launch the new enrollment package. No need to monitor anything other than the basic success of the script as it runs.
+1Unfortunately it's unlikely that we will go with a professional engagement at this time unfortunately for cost reasons.
So need to look at alternatives. Looking at the report 98% of our devices are on various ver of 15 the rest are 26. Not sure how much difference in launchd behavior there would be.
Is the JAMF script that you are aware of something the uses JAMF binary specific commands or is it at least somewhat universal?
+26No, there is not really a way to do what you are asking. You would need a script running on loop to check the status of the profile you are wanting to monitor, which is essentially you building a program as you would need guardrails so it does not tank the system.
Also you cannot enroll in MDM from CLI, apple retired that ability to do that back with 10.15 years ago. Device enrollment requires user interaction unless it is performed with Automated Device Enrollment at the time the OS is activated. These are hard limits that cannot be worked around.
You can trigger the profiles renew command to check APNS for enrollment commands, but this is very clunky and still requires user interaction and the users to be admins as well as additional commands to put the device in a supervised state that require additional user interaction. If you dont have a tech do this, then the device is in the hands of a privilaged user without any form of management on it.
With macOS 26 apple has added the ability to migrate MDMs in the MDM framework and Jamf is adding this functionality with 11.22, may be worth looking in to; especially since 11.22 is already available and will be rolled out to cloud instances on the 8th.
+1Thanks
And we will build a pkg with the profiles script that is user run specifically for those use cases that are unable to migrate in a decent timeframe.
Unfortunate that so much of what was possible previously is now unavailable.
+25Yea, sorry to say it sounds like the easiest way forward, but it will feel really good when you’re done!
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.