Running Jamf Setup Manager with user-initiated enrollment

Are these machines already managed with Jamf? We’re not currently using JSM for our own environment, but I do keep an eye on it just in case our current tools (modified DEP-Notify) suddenly become unusable.

As for a site or place to ask questions, jump on the MacAdmins Slack and add the channel for it #jamf-setup-manager

https://github.com/jamf/Setup-Manager/tree/main

​@Chris_Hafner Nope, these particular machines are not already managed in any state. They’ve all been in use for months or years before we implemented Jamf in our environment. We’re trying to bring them into the fold so that we 1) know about them, and 2) can attempt to manage them.

Thanks for the info about the Slack channel. I’ll try posing my question there as well!

it’s actually not bad. Scope the profile to all machines, put the PKG in a policy scoped to computers that have the profile and run it from Self Service. I use it for any time I need to re-run JSM.

​@mattjerome - That’s an idea I hadn’t even thought of yet, so thanks for the suggestion! 😊

In this case, these computers aren’t in Jamf yet, nor in Apple School Manager. These would be ones out in the wild that our techs may come across in their duties. I found this from Michigan State University that comes pretty close to what I’m looking to do: tech/customer does a user-initiated enrollment via the web, and JSM automatically runs afterwards to do some registration/configuration stuff.

https://tdx.msu.edu/TDClient/32/Portal/KB/ArticleDet?ID=1533

I’m interested in this as well. I’m unclear if this is recommended/supported for Jamf Setup Manager (JSM), which seems intended for post-prestage installs, and anything after login, hand off to macOS Onboarding. Maybe macOS Onboarding is a better DEPNotify replacement for user-initiated enrollments? Or can JSM be shoehorned into this role too? 

Hi ​@barret55 ,

You’re getting closer. Before you proceed with this step (https://tdx.msu.edu/TDClient/32/Portal/KB/ArticleDet?ID=1533),
you’ll need to prepare the JSM Apps and the JSM Configuration Profiles (Application & Custom Settings > Jamf Applications). Once you’ve completed these two preparations,
then you can enroll the Mac using user-initiated enrollment from a web browser.

​@czarmark we started looking at JSM specifically for replacing DEPNotify which we currently use for both DEP and User Initiated (Device/profile based) enrollment here. It seemed to work fine in our testing, though the current version warns to be sure you’re not using other policies with “Enrollment Complete” as a trigger. 

I do keep waiting/hoping for more native onboarding tools. Which it the primary reason we’re still happily sitting on DEPNotify instead of moving to a new 3rd party tool. However, if I was starting fresh, JSM seems the way to go while we wait.

Hi ​@agungsujiwo! I already have a configuration profile cloned and ready to use for this process. The part that I’m struggling with is I can’t figure out how run that JSM process from a user-initiated enrollment. I can’t find any documentation or guidance anywhere on the step-by-step process of how to set it up and make it work. The site clearly shows that it can be done, but how is it done? This is the part that I can’t figure out. 😂

​@barret55 , ​@mattjerome  has a great point on this one!

Now, if you take that very same policy he mentions and add the “Enrollment Complete” trigger, my guess is that would sort it out for you. As you know, the only thing is that the Profile needs to be loaded on the machine before the trigger. If you have the profile scoped properly, it should end up on the machine well ahead of the Enrollment Complete trigger, and if it didn’t you could still launch it from Self-Service after the fact. 

If you wanted to be extra smooth about it you could build in some logic or a script to ensure all of this in advance, but I’m guessing it would work fairly well!

I think this sounds like the part I’m trying to figure out. How would I get the profile onto the computer as part of the user-initiated enrollment, and secondly, how would I then get it to execute once the enrollment is complete? 

The last time I actively used Jamf was wayyyyyy back when I had it installed on an Apple XServe, so I’m pretty much starting from zero again. 😅

​@barret55 Here are some steps you can use:

1. Create a smart group for devices enrolled with User Initiated enrollment
2. Scope the profile to that smart group
3. Make a smart group for computers that have the profile
4. Make the policy available to those in the smart group that have the profile

I like using the self service method to have a bit more control on when it launches. Techincally, because the profile is reliant on smart groups which update at inventories, enrollment complete could be before your workflow with the smart groups is complete thus potentially causing a problem.

​@Chris_Hafner Thanks for the Enrollment Complete trigger reminder, because I would have overlooked that. Current setup has two policies using Enrollment Complete: 0Install Rosetta and 1Install run DEPNotify. (Until a developer who shall not be named updates its software, we’re forced to enable Rosetta). I can just co-opt that Rosetta policy into JSM now and meet its Enrollment Complete requirement. Some great comments from others about scoping the JSM profile to all computers and adding a JSM UIE policy in Self Service. Off to test!

​@mattjerome - Very much appreciated for the help, and apologies to all for so many questions. Taking baby steps all over again. 😂

I don’t see any smart group criteria that expressly says something to the effect of “enrolled: user-initiated”, but I do see a criteria labeled “Enrolled via Automated Device Enrollment”, with a “yes” or “no” answer. I’m guessing that if it is set to “no”, then that would only scope out devices that were enrolled by user-initiated enrollment?

There are many ways to roll this! Self service is a really good way to go. Besides, you can have it auto launch if you wanted to with the policy right there and it get’s users looking at what other optional items they may have access to.

You could also front load the configuration file prior to enrollment to be sure the profile exit when called by JSM. I am kind of assuming that you’ll be using a profile based enrollment. When you set this up the user logs into the enrollment URL, and get’s a profile… usually after signing in. It’s really installing this profile that begins the enrollment process into your Jamf Pro. While there are many options to roll this, you “could” also have them manually install the configuration profile prior to the MDM profile they will have to load. 

I think I’m probably going to include the policy in Self Service as well, but with our customer base, I can’t reliably expect them to click it to get things rolling, and am going to operate under the assumption that they’ll enroll their device, close whatever popped up, and be on their way, not doing anything else. 😂

Having it run upon immediately after enrollment puts the process directly in their face, and it blocks out the screen behind it, so they can’t do anything else until it’s finished. I just have to learn the “how” part. 😊