Question

User initiated enrollment behind corporate proxy

  • June 14, 2018
  • 5 replies
  • 77 views


Hello everyone,

I am new to jamf, and I am seeing an issue during the user enrollment process for macOS. I am using the hosted version of jamf.

When I am outside of my corporate network, enrollment works fine, and the jamf binary gets installed.
When I am inside of my corporate network, I get to the screen that says "enrollment complete", but the jamf binary is not installed.

In talking with my firewall guys, it appears that the user initiated enrollment sends a command to download and install the jamf binary. However, this command seems to be ignoring my system proxy settings and trying to take a direct route to the download, which is blocked by our firewall. My security team is not going to open their firewall to all of AWS to get this to work (although we temporarily tested it, and it did work).

Is there a secret to getting the agent to download through the proxy so that on-premise enrollments can complete successfully?

5 replies

  • New Contributor
  • January 10, 2019

Seeing the same issue here, no resolution yet. We have an open case on that matter - if anything pops up, I'll post it here.


  • Valued Contributor
  • January 10, 2019

@mnickels Are you using Auto Proxy settings with a PAC file on the Macs?

Asking because we do. And with Mojave, it does not work for enrollment through the enrollment URL or QuickAdd. We have had to set the HTTP/HTTPS as the default proxy settings with URL and port, no account authentication. With those both set, and Auto Proxy disabled, enrollment then works.

Our Jamf instance is on-prem. We have proxy settings to allow the servers and clients to talk out to APNS. We only enroll devices within the corporate network.

I know that it is not exactly what you are seeing but seems similar.

We have cases opened with Apple and Jamf on this as El Cap/High Sierra did not exhibit this behavior.


  • New Contributor
  • January 16, 2019

Yes, we do as well. Are you saying that the Jamf agent is able to "read" http-proxy settings correctly? Thanks for the hint - we'll give it a try and see what happens - will post an update if there is a change ...


  • Contributor
  • October 30, 2019

The solution here is to set proxies for curl, before you begin the enrollment. I set it explicitly in .curlrc (as the root user), but you can use environment variables as well.

My solution for Catalina and older versions of macOS:
  • create file called /var/root/.curlrc
  • contents of file are: proxy = proxyservername:port
  • example: proxy = proxy.company.com:8080

That's all you need from the hidden perspective. Don't forget to also set proxies in network properties!


  • Contributor
  • April 6, 2021

I stumbled into this again with Big Sur. After MUCH testing, I figured out that enrollment (called the quickadd lightweight package) is now executed by the _appstore user and not root.

My solution for Big Sur and newer versions of macOS:
  • create file called /var/db/appstore/.curlrc
  • change owner/group of file to _appstore:_appstore
  • contents of file are: proxy = proxyservername:port
  • example: proxy = proxy.company.com:8080
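
The two .curlrc fixes from the replies above, combined into one script as an added example (not code posted by anyone in the thread): it picks /var/root/.curlrc or /var/db/appstore/.curlrc from the macOS version, rewrites only the proxy line, and accepts just host:port so no proxy credentials land in the file. The function names, the optional directory-prefix argument, the script name and the 644 mode are assumptions, not from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. proxy.company.com:8080 is the thread's
# sample value; the optional 3rd argument (a directory prefix for dry runs) and
# the 644 mode are assumptions.

# Big Sur (11) and newer: _appstore's home. Catalina (10.15) and older: root's home.
curlrc_path_for() {
    major=${1%%.*}
    case "$major" in ''|*[!0-9]*) return 1 ;; esac   # not a version number
    if [ "$major" -ge 11 ]; then echo "/var/db/appstore/.curlrc"
    else echo "/var/root/.curlrc"; fi
}

# Accept only host:port, so no user:password@ credentials end up in the file.
valid_proxy() {
    case "$1" in
        *[!A-Za-z0-9.:-]*|*:*:*|:*|*:) return 1 ;;
        *:*) case "${1##*:}" in *[!0-9]*) return 1 ;; esac ;;
        *) return 1 ;;
    esac
}

set_curl_proxy() {   # args: macOS version, host:port, [prefix]
    valid_proxy "$2" || return 2
    rel=$(curlrc_path_for "$1") || return 1
    file="${3:-}$rel"; tmp="$file.tmp.$$"
    mkdir -p "$(dirname "$file")" || return 1
    # Replace an earlier "proxy = ..." line, keep the file's other curl options.
    if [ -f "$file" ]; then
        grep -v '^[[:space:]]*proxy[[:space:]]*=' "$file" > "$tmp" || true
    else
        : > "$tmp"
    fi
    echo "proxy = $2" >> "$tmp"
    chmod 644 "$tmp"   # readable by the enrolling user, writable by the owner only
    mv "$tmp" "$file" || return 1
    # The Big Sur reply's ownership step; skipped when not root or no such user.
    case "$rel" in /var/db/appstore/*)
        if [ "$(id -u)" -eq 0 ] && id _appstore >/dev/null 2>&1; then
            chown _appstore:_appstore "$file" || return 1
        fi ;;
    esac
    echo "$file"
}

# On the Mac, as root, before enrolling: sh set-curl-proxy.sh proxy.company.com:8080
if [ "$#" -eq 1 ] && command -v sw_vers >/dev/null 2>&1; then
    set_curl_proxy "$(sw_vers -productVersion)" "$1"
fi
```

Because root's .curlrc applies to every curl call root makes, check afterwards that the file is not writable by other users and remove the proxy line once enrollment no longer needs it.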