Basic logistics around Notify screen with Jamf Connect

Nate1
New Contributor III

Hey all, I've pieced together what I think are all the steps for using a Notify Screen along with our basic Jamf Connect setup, but it's been mostly a copy-paste from the JC documentation so I'm not confident it's as smart as it could be.

 

We run a very general Jamf Connect login with Okta and are adding a Notify screen to newly enrolled computers to install basic apps on first setup.

 

Some questions I am confused about:

  1. Is it smart to have two different Jamf Connect config profiles? One for the initial setup and one for ongoing use?

    The reason I ask is we have a single Jamf Connect config profile that contains all the login info in: "Jamf Applications" com.jamf.connect.login as well as "Upload" com.jamf.connect for the JC app properties but we ALSO have "Upload" com.jamf.connect.authchanger which contains the default strings of -reset, -jamfconnect, and -notify


    Would it be smarter to have one 'enrollment only' config profile that has all 3, then an 'ongoing' config profile that is the same but omits com.jamf.connect.authchanger?

  2. What does the "Upload" of com.jamf.connect.authchanger (with the flags listed above) even do? We have the 'script path' property that points to our Jamf Notify script in com.jamf.connect.login and I assumed that would be all that's needed?
  3. At the end of our Notify script we run:

/usr/local/bin/authchanger -reset

But that seems to reset Jamf Connect entirely, to the point I only have the normal macOS login.

If I instead run:

/usr/local/bin/authchanger -reset -JamfConnect

I will have the expected JamfConnect window (however we use passthrough anyway, so I only see it VERY briefly after breaking the FileVault login).

Is that what I should be running at the end of my Notification script? Or more generally, should every Jamf Connect customer be using the -JamfConnect flag to set their default login window back to JamfConnect?

Since piecing this all together, it does work, but it feels like I've patched it into a whole with one or two too many things going on, and I've made life hard on myself, or on any future person coming to take it over.

 

Sorry for the novel! I appreciate ANY help or guidance anybody can provide.

1 ACCEPTED SOLUTION

GabeShack
Valued Contributor III

The config profile we use, we attach to the pre-stage enrollment for all devices, but once it's enrolled that one falls away, as it's only scoped during the initial enrollment; once the device gets its name, the enrollment profile is then excluded and the Notify script won't run for further logins.

Gabe Shackney
Princeton Public Schools

4 REPLIES

GabeShack
Valued Contributor III

So this is the script we use, and we have swap profiles so when this runs it doesn't run again:

#!/bin/zsh
# Jamf Connect Notify script: each "Command:" / "Status:" line appended to
# NOTIFY_LOG is picked up by the Notify screen. The last step restores the
# Jamf Connect login window so this script does not run on later logins.

#variables
NOTIFY_LOG="/var/tmp/depnotify.log"
#For TOKEN_BASIC, use same file path location as set for OIDCIDTokenPath in com.jamf.connect.login
TOKEN_BASIC="/tmp/token"

# Pull one claim out of the ID token file: strip the quotes, put each
# comma-separated claim on its own line, keep the matching "name:value"
# pair and return the value part.
get_claim() {
    sed -e 's/"//g' "$TOKEN_BASIC" | tr ',' '\n' | grep "$1" | cut -d ":" -f2
}
TOKEN_GIVEN_NAME=$(get_claim given_name)
TOKEN_UPN=$(get_claim upn)

# Keep the Mac awake for up to an hour while the policies run.
/usr/bin/caffeinate -discu -t 3600 &
echo "$TOKEN_GIVEN_NAME"
echo "$TOKEN_UPN"

echo "STARTING RUN" >> "$NOTIFY_LOG"
# Define the number of increments for the progress bar
echo "Command: Determinate: 6" >> "$NOTIFY_LOG"

#1 - Introduction window with username and animation
echo "Command: Image: /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/com.apple.macbookair-2018-space-gray.icns" >> "$NOTIFY_LOG"
echo "Command: MainTitle: Welcome, $TOKEN_GIVEN_NAME" >> "$NOTIFY_LOG"
echo "Command: MainText: Your Mac is now enrolled and will be automatically configured for you." >> "$NOTIFY_LOG"
echo "Status: Preparing and naming your new Mac..." >> "$NOTIFY_LOG"
sleep 10

#2 - Setting up single sign-on passwords for local account
echo "Command: Image: /System/Applications/Contacts.app/Contents/Resources/Contacts.icns" >> "$NOTIFY_LOG"
echo "Command: MainTitle: Tired of multiple passwords? \n $TOKEN_GIVEN_NAME " >> "$NOTIFY_LOG"
echo "Command: MainText: We use single sign-on services to help you sign in to each of our district services. \n Use your email address and account password to sign in to all necessary applications." >> "$NOTIFY_LOG"
echo "Status: Setting the password for your Mac..." >> "$NOTIFY_LOG"
sleep 10

#3 - Self Service makes the Mac life easier
echo "Command: Image: /Applications/Self Service.app/Contents/Resources/AppIcon.icns" >> "$NOTIFY_LOG"
echo "Command: MainTitle: Self Service makes Mac life easier" >> "$NOTIFY_LOG"
echo "Command: MainText: Self Service allows you to install software without the need for an admin password." >> "$NOTIFY_LOG"
echo "Status: Installing Self Service..." >> "$NOTIFY_LOG"
sleep 10

#4 - Everything you need for your first day
###Jamf Triggers - the -event names are custom policy triggers for this environment
echo "Command: Image: /System/Library/CoreServices/Install in Progress.app/Contents/Resources/Installer.icns" >> "$NOTIFY_LOG"
echo "Command: MainTitle: Installing everything you need." >> "$NOTIFY_LOG"
echo "Command: MainText: All the apps you will need today are already being installed. When setup is complete, you'll find Microsoft Office and Zoom are all ready to go." >> "$NOTIFY_LOG"
echo "Status: Installing Apps..." >> "$NOTIFY_LOG"
/usr/local/bin/jamf policy -event "admindesktop"
sleep 5

#5 - Finishing up
echo "Command: Image: /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/ApplicationsFolderIcon.icns" >> "$NOTIFY_LOG"
echo "Status: Installing a few more apps..." >> "$NOTIFY_LOG"
/usr/local/bin/jamf policy -event "NameME"
sleep 5
echo "Status: Finishing up... We're almost ready for you, $TOKEN_GIVEN_NAME" >> "$NOTIFY_LOG"
sleep 3

###Clean Up (the ID token file in TOKEN_BASIC is left in place by this script)
sleep 3
echo "Command: Quit" >> "$NOTIFY_LOG"
sleep 1
rm -f "$NOTIFY_LOG"

#6 - Disable notify screen from loginwindow process
# -reset removes the Notify mechanism from the login window; -JamfConnect puts
# the Jamf Connect login window back (with -reset alone the stock macOS login
# window is what remains).
/usr/local/bin/authchanger -reset -JamfConnect

 

Gabe Shackney
Princeton Public Schools

GabeShack
Valued Contributor III

Also, as you can see, we have the above script calling specific policy names that we made for the initial setup of the device; you would have to change those triggers to fit your environment.

Gabe Shackney
Princeton Public Schools

Nate1
New Contributor III

In the month+ since I posted this I've done quite a bit of research and testing so I'm coming back here to follow up on my questions with hopefully some answers:

 

1. (Is it smart to have two config profiles?)

Yes! When using a Notify script during your enrollment it seems perfectly fine to have a Config Profile that runs until it's done, then goes away. @GabeShack mentioned as much in the reply, but here's a much more in-depth topic where it's discussed, as well as alternatives: https://community.jamf.com/t5/jamf-pro/de-scoping-machines-from-config-profile-immediately-after/m-p...

 

2. (What does the 'upload' of com.jamf.connect.authchanger do?)

I'm not entirely sure of the technicals behind this, but it looks necessary. I think it uploads the authchanger line to your machine to make sure the Notify script runs? 'Authchanger' being a macOS line that runs on each login, so making sure to change it so it knows to run a/any script on the first boot; then the 'script path' property is just the script that's actually running. Then reset it again when you're done with the first boot to go back to normal.

 

3. (Using /usr/local/bin/authchanger -reset -JamfConnect at the end of your Notify script)

Certainly for our situation this is what's needed, and I would think most people with Jamf Connect would want to as well, but I can certainly think of situations where you would want to just have the -reset flag and no -jamfconnect flag. Without the -jamfconnect flag I think it reverts to the macOS default login, so as long as you have accounts set up that are able to log in, you may not need or want the Jamf Connect login, though that's dependent on your situation (and what you want the login to look like, whether or not you have FileVault enabled, etc.). Jamf Connect documentation will be your friend here, but I frequently refer to the page here for FileVault and the page here for different types of authenticating protocols.
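To see for yourself which login window authchanger has left in place (the question behind points 2 and 3 above), here is an added shell example; it is not part of this thread and not Jamf Connect's own tooling. authchanger edits the system.login.console right in the macOS authorization database, which the stock command `security authorizationdb read system.login.console` prints as a plist. The example extracts the mechanism list from that plist and classifies it as stock macOS, Jamf Connect, or Jamf Connect with Notify still wired in (meaning the Notify script would run again at the next login). The plist samples are constructed for offline testing, and the JamfConnectLogin:LoginUI, JamfConnectLogin:Notify and JamfConnectLogin:RunScript,privileged names are assumed for illustration; check the names your version actually installs with `authchanger -print` on a real Mac.

```bash
#!/bin/bash
# Added example (not from the thread): classify the login window from the
# system.login.console right that authchanger edits. On a Mac, run as:
#   security authorizationdb read system.login.console | jc_login_mode

# Print the mechanism names, one per line, from a system.login.console
# plist supplied on stdin (only the <string> entries inside the
# <key>mechanisms</key> array).
jc_mechanisms() {
  sed -n '/<key>mechanisms<\/key>/,/<\/array>/p' \
    | grep -o '<string>[^<]*</string>' \
    | sed -e 's/<string>//' -e 's/<\/string>//'
}

# Classify the login window described by the plist on stdin:
#   macos              stock loginwindow only (what `authchanger -reset` leaves)
#   jamfconnect        Jamf Connect login UI, no Notify (after `-reset -JamfConnect`)
#   jamfconnect-notify Notify mechanism still present (enrollment script re-runs)
#   unknown            no mechanism list found (malformed input); exit status 1
jc_login_mode() {
  local mechs
  mechs=$(jc_mechanisms)
  if [ -z "$mechs" ]; then
    echo unknown
    return 1
  elif ! printf '%s\n' "$mechs" | grep -q '^JamfConnectLogin:'; then
    echo macos
  elif printf '%s\n' "$mechs" | grep -q '^JamfConnectLogin:Notify'; then
    echo jamfconnect-notify
  else
    echo jamfconnect
  fi
}

# Constructed sample: the right after `authchanger -reset` (stock macOS
# mechanisms only; list shortened).
SAMPLE_MACOS='<plist version="1.0"><dict>
<key>class</key><string>evaluate-mechanisms</string>
<key>mechanisms</key><array>
<string>builtin:policy-banner</string>
<string>loginwindow:login</string>
<string>builtin:login-begin</string>
<string>builtin:authenticate,privileged</string>
<string>builtin:login-success</string>
<string>loginwindow:success</string>
<string>loginwindow:done</string>
</array>
<key>shared</key><true/>
</dict></plist>'

# Constructed sample: after `authchanger -reset -JamfConnect` (Jamf Connect
# login UI in place of loginwindow:login; mechanism name assumed).
SAMPLE_JC='<plist version="1.0"><dict>
<key>mechanisms</key><array>
<string>builtin:policy-banner</string>
<string>JamfConnectLogin:LoginUI</string>
<string>builtin:login-begin</string>
<string>builtin:authenticate,privileged</string>
<string>builtin:login-success</string>
<string>loginwindow:done</string>
</array>
</dict></plist>'

# Constructed sample: the enrollment-time state with the Notify screen and
# its script runner still wired in (mechanism names assumed).
SAMPLE_NOTIFY='<plist version="1.0"><dict>
<key>mechanisms</key><array>
<string>builtin:policy-banner</string>
<string>JamfConnectLogin:LoginUI</string>
<string>builtin:login-begin</string>
<string>builtin:authenticate,privileged</string>
<string>builtin:login-success</string>
<string>JamfConnectLogin:Notify</string>
<string>JamfConnectLogin:RunScript,privileged</string>
<string>loginwindow:done</string>
</array>
</dict></plist>'

# Stand-alone demo against the constructed samples.
for s in "$SAMPLE_MACOS" "$SAMPLE_JC" "$SAMPLE_NOTIFY"; do
  printf '%s\n' "$s" | jc_login_mode
done
```

A practical use is as the final line of a Notify script, or as a Jamf extension attribute: if the classification is still jamfconnect-notify after enrollment, the authchanger reset at the end of the script did not run, and the Notify screen will come back at the next login.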