We're running a 9.65 JSS and do light imaging -- we just put the base installer on the computer and then load the packages on triggered by the enrollment event once it's there. Our process seems to work flawlessly with El Capitan even though we are not running the latest version of Casper, so I'm wondering what I have overlooked, confident that something must be broken somewhere.
I know Apple added exceptions to SIP for the jamf binary, at least for now. Self service doesn't seem to crash for me. We have a lot of custom-written bash scripts that function fine, and a directory we've placed under Library -> Application Support with some binaries in it, all functioning fine.
We do know we have to upgrade to the new 10.11 compatible release of the JSS, but that may be the first time we spin up a development server and test it and could take a while. In the meantime we're blocking the El Capitan Installer via restricted software right now for upgrades -- any reason that we should be?
That was my understanding too, but I have a computer right here, working. Doing stuff. I can sudo root and run the jamf command from where it is (I read in another discussion that apple had put it into a list of exceptions that could remain in /usr/sbin, at least for now.)
If your question is really whether you should block Macs from updating to El Capitan while still running your JSS on 9.65, I would think that's still going to be a good idea, regardless of what your testing is showing at the moment. Because JAMF will likely not be able to support your environment if things start breaking after clients update to 10.11. Its kind of a risk if you ask me.
I am running 9.63 still. If you upgrade a Mac to El Capitan, the jamf binary remains and still works (well enough to recon and whatnot) thanks to an exclusion Apple put in place. However, you will not be able to enroll or install a QuickAdd on an El Capitan Mac.
We have two methods to get our image on machines. One is via the netboot environment, if we have a computer that should be reimaged. The other is the out-of-the-box DEP one. Based on what you have said I suspect the DEP method, which I haven't tried, is broken, because it puts the client on while the OS is cognizant and could get upset about it.
There's one broken thing. I am now satisfied.
Yeah, I am playing around with 9.63 imaging from USB boot media onto a fresh 10.11 install, and it is able to copy the jamf binary to it and it manages to enroll. That does seem to be the difference: the booted OS won't allow it.