Jamf Connect meta-package for zero touch deployment

rabbitt
Contributor

Purpose: While Jamf Pro can deploy multiple packages as part of a pre-stage enrollment, some MDMs cannot. Even where it can, if a client computer is on a slow network connection, or a user moves through Setup Assistant before Jamf Connect has been installed, the user may unexpectedly be presented with the standard macOS login window rather than the Jamf Connect login window.

By wrapping the Jamf Connect installer package in another installer package with assets and a postinstaller script, administrators can add custom branding images and scripts in a single package.

Tools required: Jamf Composer or similar tool to create .pkg files.

Procedure: Collect wallpaper images, branding logos, help files, scripts, and any additional assets needed for a zero touch deployment of Jamf Connect. Refer to https://www.jamf.com/blog/zero-touch-deployment-with-jamf-pro-and-jamf-connect/ for a larger discussion on this topic.

Keep the assets included in the package as small as possible. A larger package takes longer to download, especially on slow connections such as wireless hotspots, DSL, or rural networks, and that delay degrades the end user experience.

Download the latest version of Jamf Connect from your Jamf Nation account under Assets.

Create a new package with Jamf Composer or import a placeholder package from https://github.com/sean-rabbitt/JamfConnectMetaPackageSample


Place the JamfConnect.pkg file from the Jamf Connect installer disk image you downloaded from Jamf Nation in the directory /private/tmp. Set the owner to root and the group to wheel.

Place the additional branding and support assets into the directory /usr/local/jamfconnectbranding. Change the owner of all of the assets to root and the group to wheel. Refer to https://docs.jamf.com/technical-papers/jamf-pro/deploying-jamf-products/Jamf_Connect_Package_Prepara... for full details on how to set the minimum permissions on each file to execute correctly.

Expand the package to see the Scripts folder. If it does not already exist, add a postinstall script and include the following code:

#!/bin/bash

# Jamf Connect Meta Package post installer example
# S. Rabbitt - 17 FEB 2021

# We are wrapping the JamfConnect.pkg in this package with additional branding
# images, scripts, help files, etc. for a zero touch enrollment.
#
# Lastly, after all is installed, we check to see what the current state of 
# the user experience is showing
# * If it's in the user space, we assume that the user is in Finder and working
#   on the computer - do nothing, just install silently.
# * If it's still in the Setup Assistant - do nothing, install silently, and
#   assume the user is still reading steps to use their computer and hasn't 
#   gotten to the macOS login window yet
# * If the user is root, we're probably on a macOS login window already.  Kill
#   the existing login window so we can reload the Jamf Connect login experience


# MIT License
#
# Copyright (c) 2021 Jamf Software

# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.


# Jamf Connect installer package name and where we've placed it with this 
#  metapackage
INSTALLER_FILENAME="/private/tmp/JamfConnect.pkg"

# If we're coming in from Jamf Pro, we should have been passed a target mount
#   point.  Otherwise, assume root directory is target drive.

TARGET_MOUNT=$3
if [ -z "$TARGET_MOUNT" ]; then 
        TARGET_MOUNT="/"
fi 

# Install the JamfConnect.pkg software
/usr/sbin/installer -pkg "$INSTALLER_FILENAME" -target "$TARGET_MOUNT"

# Now, you would be tempted to install the Jamf Connect launch agent here, but 
# don't! Install that as a separate policy.  You could potentially be launching 
# the Jamf Connect menu bar agent and its welcome screen for every user - 
# including the root user - which is the user that appears on the login screen 
# for the very first setup.  
#
# That would be annoying, and we want a beautiful experience for users.

# Remove the JamfConnect.pkg file
rm -f "$INSTALLER_FILENAME"

#####################################################################
# For zero touch enrollment only!  If an enrollment computer is on a slow
# network connection, the user may be presented with a standard macOS login
# window asking for a typed user name and password.  We must kill the 
# loginwindow IF and ONLY IF we're at the Setup Assistant user still.  If we 
# kill the loginwindow process while a user is actually using the computer, they
# will be unceremoniously kicked out of their current session.
#
# Thanks to Richard Pures for additions to this script,
#####################################################################

# For macOS Big Sur - Wait until they've decided that Apple Setup is Done.

while [ ! -f "/var/db/.AppleSetupDone" ]; do
        sleep 2
done

# Look for a user
loggedinuser=$( /usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk -F': ' '/[[:space:]]+Name[[:space:]]:/ { if ( $2 != "loginwindow" ) { print $2 }}' )

# If loginwindow, setup assistant or no user, then we're in an automated device
#   enrollment environment.
if [[ "$loggedinuser" == "loginwindow" ]] || [[ "$loggedinuser" == "_mbsetupuser" ]] || [[ "$loggedinuser" == "root" ]] || [[ -z "$loggedinuser" ]]; then
    # Now check to see if Setup Assistant is a running process.
    # If Setup Assistant is running, we're not at the login screen yet.
    # Exit and let macOS finish setup assistant and display the new Jamf
    # Connect login screen.
    [[ $( /usr/bin/pgrep "Setup Assistant" ) ]] && exit 0

    # Otherwise, kill the login window so it reloads and shows the Jamf
    # Connect login window instead.
    /usr/bin/killall -9 loginwindow
fi

exit 0

Select Composer → Preferences from the menu bar. Enable the option to “Build flat PKGs” and to sign with a certificate.

Note: Packages must be signed using a certificate that is trusted by the computer at the time of enrollment. Signing the package with a certificate generated from either the Jamf Pro built-in CA or from an Apple Developer Program account is recommended. For more information about signing certificates, see the following Knowledge Base articles:

Upload the package to your file share distribution point and include the package in your prestage enrollment.
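The steps above stage a payload root (JamfConnect.pkg under /private/tmp, branding under /usr/local/jamfconnectbranding, everything owned by root:wheel) and then build a signed flat package with Composer. The script below is an added example, not part of the original post and not Jamf tooling: it audits a staging root for the ownership and permission requirements the post describes (anything a local user could overwrite before postinstall runs is flagged), checks that the two paths the postinstall script relies on are present, and, as a Composer alternative, wraps the standard pkgbuild and productsign commands. The function names, the package identifier com.example.jamfconnect-meta and the version string are assumptions chosen for the example; the build function only runs on macOS.

```shell
#!/bin/sh
# Payload audit and build helper for the Jamf Connect meta-package.
# Added example, not part of the original post or of Jamf's tooling.
#
# The staging root is laid out exactly as the post describes:
#   $ROOT/private/tmp/JamfConnect.pkg          (wrapped installer)
#   $ROOT/usr/local/jamfconnectbranding/...    (branding assets)
# Everything in it is installed as root, so each item must be owned by
# root:wheel and must not be writable by group or others; otherwise a local
# user could swap the installer or a branding image before postinstall runs.

# check_layout ROOT: confirm the two paths the postinstall script relies on.
check_layout() {
    root="$1"
    status=0
    if [ ! -f "$root/private/tmp/JamfConnect.pkg" ]; then
        echo "missing installer: $root/private/tmp/JamfConnect.pkg"
        status=1
    fi
    if [ ! -d "$root/usr/local/jamfconnectbranding" ]; then
        echo "missing branding directory: $root/usr/local/jamfconnectbranding"
        status=1
    fi
    return "$status"
}

# audit_payload ROOT: print one finding per file or directory whose owner,
# group or mode is wrong. ls -ld is used rather than stat because stat's
# flags differ between macOS (-f) and Linux (-c); the first four columns of
# ls -ld (mode, links, owner, group) are the same on both.
audit_payload() {
    find "$1" -type f -o -type d | while IFS= read -r path; do
        info=$(ls -ld "$path")
        mode=$(printf '%s\n' "$info" | awk '{ print $1 }')
        owner=$(printf '%s\n' "$info" | awk '{ print $3 }')
        group=$(printf '%s\n' "$info" | awk '{ print $4 }')

        # Positions 6 and 9 of the mode string are the group and other write bits.
        case "$mode" in
            ?????w*|????????w*)
                echo "$path: writable by group or others ($mode)" ;;
        esac
        case "$owner" in
            root) ;;
            *) echo "$path: owner is $owner, expected root" ;;
        esac
        # wheel is gid 0 on macOS; gid 0 is named root on a Linux build host.
        case "$group" in
            wheel|root) ;;
            *) echo "$path: group is $group, expected wheel" ;;
        esac
    done
}

# payload_is_clean ROOT: succeed only when the audit reports nothing.
payload_is_clean() {
    [ -z "$(audit_payload "$1")" ]
}

# build_metapackage ROOT SCRIPTS IDENTITY OUT: pkgbuild/productsign equivalent
# of the Composer steps (flat package, signed). macOS only. SCRIPTS is a
# directory holding the postinstall script from the post; IDENTITY is the
# name of a signing certificate the computer trusts at enrollment time.
# The identifier and version below are placeholders chosen for this example.
build_metapackage() {
    root="$1"; scripts="$2"; identity="$3"; out="$4"
    check_layout "$root" && payload_is_clean "$root" || return 1
    pkgbuild --root "$root" --scripts "$scripts" --install-location / \
        --identifier com.example.jamfconnect-meta --version 1.0 \
        "$out.unsigned.pkg" || return 1
    productsign --sign "$identity" "$out.unsigned.pkg" "$out" \
        && rm -f "$out.unsigned.pkg"
}

# Usage (after staging the root as root:wheel):
#   audit_payload /path/to/staging/root
#   build_metapackage /path/to/staging/root /path/to/scripts \
#       "Developer ID Installer: Example Org" JamfConnectMeta.pkg
```

Run the audit as the last thing before building; if it prints anything, fix ownership with chown -R root:wheel and tighten modes rather than loosening them, since the postinstall script executes whatever it finds at those paths with root privileges.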


KyleEricson
Valued Contributor II

Thanks @sean.rabbitt as always excellent helpful info!

Read My Blog: https://www.ericsontech.com

tadeas_kinkor
New Contributor II

I can only say that thanks to guidance in macadmins slack (pretty much the same as above) I was able to get to nearly zero-touch enrollment.
It would however be nice if JAMF can offer something like this out of the box.
Thanks again @sean.rabbitt

Same, man. Jamf's documentation on the *actual* complete process is very lacking. While I understand that they wish to also sell Professional Services, there is a big lack of proper documentation of configuration requirements to make zero-touch deployment *actually* work. For example, I have never seen anywhere stated that users need to have Jamf Pro application assigned to them in IDP (Okta in our case) in order to have the SSO pane working properly in the Enrolment Customisations.

Oh my gosh. If that turns out to be why my last runthrough didn't work, I'm gonna scream.

bcrockett
Contributor III

I am seeing this problem on machines with fast network connections running macOS Big Sur v11.2.3

stumcdonald
New Contributor

Super helpful! Thanks @rabbitt 👍