Hello,
I am trying to make a LaunchDaemon that will run a script I packaged in composer when it sees that MDM profiles have been removed from the machine.
The idea is to make it easier for our end users to be enrolled into JAMF from our past MDM. 
As I understand it there might still be some user interaction needed but we are trying to make it as seamless as possible given that wiping is not really an option on our side nor do we have the bandwidth among the team to be able to do this. 
In essence we deploy the package and the plist files to the end users' machines (using current MDM), and when the machine becomes unmanaged from said MDM, it kicks off the process of running the pkg which contains a script to renew MDM profile. 
I think if the pkg is signed then we should not see too much need for user interaction. 
Let me know if this is feasible. 
Our other thought was to create a swiftDialog that walks users through running the pkg themselves but of course that is not foolproof. 
 
There is a lot to ask and discuss with a topic like this… and I apologise in advance because I have this tendency to dig into the question or at least the base assumptions of the question first.
OK, so you’re changing MDMs to Jamf. Cool. Are your devices in DEP? If not, by what method are they enrolled? That will be the big question to start with.
If they’re DEP then Apple has a new-ish process for this… which I’ll admit, I haven’t tried, but it sounds good!
If they’re not, by what enrollment method are you planning to use with Jamf?
Yes devices are in DEP managed by Addigy. 
Problem is not all our devices are on the version of the OS that supports that feature from JAMF. And we have some deadlines to meet with the project which make it somewhat unrealistic that we can get all users pushed up to that OS.
We are planning to use the JAMF enrollment script sudo /usr/bin/profiles renew -type enrollment as part of a signed pkg 
Most new laptops will be done by ADE/DEP. 
The idea here is to push this down and then unmanage the devices in Addigy, move them to the JAMF ABM server we created and hopefully have this kick off the profile addition. 
I can see that you’ve already gotten the mention of the Jamf professional service for this in another thread. If you’ve got a big time crunch that’s a good way to go.
As for the rest. It’s a little beyond me to think of a way to monitor the removal of the MDM profile reliably with launchd across a range of major OSs. Sorry on that note. Doing this the other way round (if they were managed by Jamf), I would load a script to remove the Jamf MDM profile and binary (this is how we offboard BYO machines). Then use that same script to launch the new enrollment package. No need to monitor anything other than the basic success of the script as it runs.
Unfortunately it's unlikely that we will go with a professional engagement at this time, for cost reasons. 
So we need to look at alternatives. Looking at the report, 98% of our devices are on various versions of 15; the rest are on 26. Not sure how much difference in launchd behavior there would be.  
Is the JAMF script that you are aware of something that uses JAMF binary specific commands or is it at least somewhat universal? 
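
Added example, not part of the thread or any poster's code: one way to sidestep detecting the removal event itself is to have the LaunchDaemon run a check on an interval (for example with `StartInterval`) and only call the renew command from the thread once the Mac reports no MDM enrollment. The function name `enrollment_action`, the sample outputs and the assumed format of the `profiles status -type enrollment` output are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether to re-run enrollment
# by polling MDM state instead of trying to detect the profile removal event.
# Assumption: `profiles status -type enrollment` prints a line such as
#   "MDM enrollment: Yes (User Approved)"  or  "MDM enrollment: No".

# Print "skip" (still managed), "renew" (unmanaged) or "unknown"
# (line missing or unexpected, so do nothing rather than guess).
enrollment_action() {
    state=$(printf '%s\n' "$1" |
        sed -n 's/^MDM enrollment:[[:space:]]*//p' | head -n 1)
    case "$state" in
        Yes*) echo skip ;;
        No*)  echo renew ;;
        *)    echo unknown ;;
    esac
}

# Constructed sample outputs, for illustration and testing only.
SAMPLE_MANAGED='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)
MDM server: https://mdm.example.invalid/mdm'
SAMPLE_UNMANAGED='Enrolled via DEP: No
MDM enrollment: No'

# Act only on a Mac and only as root (LaunchDaemons run as root).
if [ -x /usr/bin/profiles ] && [ "$(id -u)" -eq 0 ]; then
    status=$(/usr/bin/profiles status -type enrollment 2>&1)
    action=$(enrollment_action "$status")
    echo "$(date) enrollment check: $action"
    if [ "$action" = "renew" ]; then
        # Command quoted from the thread.
        /usr/bin/profiles renew -type enrollment
    fi
fi
```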
