Adding Framework without triggering any policies with an 'enrollment' trigger

drioux
Contributor

The title pretty much says it:

Does anyone know of a way to add the JSS Framework back onto a client machine (this would be a machine that is still stored in the JSS, but has had the Framework manually removed from the client), and do so without triggering policies that have an 'enrollment' trigger?

We have some large App installs that are scoped to install on newly enrolled machines. But many times we have to remove and reinstall the Framework on client machines, due corruption or such. And I want to be able to bypass those installs since they already exist.


mike_paul
Contributor III

You are pretty limited on your options with this.

You could modify your policies to be based off the scope of not having the app, so regardless of whether they run policies they wouldn't be in scope for those large installs.

But since the framework is removed (I imagine via Jamf removeFramework), you don't have the binary there to re-enroll locally, so your options are to go through User Initiated Enrollment, use the Recon App to enroll, or use a QuickAdd package. The latter two would end in a non-user-approved enrolled state.

If you are cool with being non-user-approved, you could actually modify a Recon-created QuickAdd via pkgutil, Composer, Pacifist, Packages, etc. and add the -noPolicy flag or remove the enrollmentComplete flag (varies depending on version of Jamf Pro).

# excerpt from a Recon-generated QuickAdd postinstall script
$jamfCLIPath enroll -invitation 231583812960491481618476648996954128662 -noPolicy
enrolled=$?
if [ $enrolled -eq 0 ]
then
  $jamfCLIPath update
  $jamfCLIPath policy -event enrollmentComplete
  enrolled=$?
fi

becomes

$jamfCLIPath enroll -invitation 231583812960491481618476648996954128662 -noPolicy
enrolled=$?
if [ $enrolled -eq 0 ]
then
  $jamfCLIPath update
  enrolled=$?
fi
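The edit described above, as an added example that is not mike_paul's or Jamf's code: a shell function that applies it to an expanded QuickAdd postinstall script. It assumes you have already expanded the package (pkgutil --expand-full) and will flatten it again afterwards (pkgutil --flatten); the script path is whatever you pass in.

```bash
#!/bin/bash
# Added example: patch a Recon-generated QuickAdd postinstall so that
# enrollment runs with -noPolicy and the enrollmentComplete event is no
# longer fired. Run it against the postinstall inside a package tree you
# expanded with `pkgutil --expand-full`, then flatten with `pkgutil --flatten`.

patch_postinstall() {
    script="$1"
    [ -f "$script" ] || { echo "no such script: $script" >&2; return 1; }
    # Keep an unmodified copy beside the script for review.
    cp "$script" "$script.orig"
    # 1) delete the line that runs policies with the enrollmentComplete trigger
    # 2) add -noPolicy to the enroll line only if it is not already present
    #    (so re-running the function is harmless)
    sed -i.bak \
        -e '/policy -event enrollmentComplete/d' \
        -e '/enroll -invitation/{' \
        -e '/-noPolicy/!s/$/ -noPolicy/' \
        -e '}' \
        "$script"
    rm -f "$script.bak"
    # Verify the result before the package is flattened and deployed.
    if grep -q 'policy -event enrollmentComplete' "$script"; then
        echo "enrollmentComplete trigger still present" >&2
        return 1
    fi
    grep -q -- '-noPolicy' "$script" || { echo "-noPolicy missing" >&2; return 1; }
}
```

The function leaves the `update` call and the following `enrolled=$?` in place, so the patched script matches the "becomes" version quoted above.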

drioux
Contributor

Thanks!

I think this might be what I was looking for. Thank you!

Yeah, Smart Groups are out, mostly because without the framework, the inventory may not be accurate.

mike_paul
Contributor III

Awesome, glad that might help you.

But I still think smart groups would accomplish this too. Without the framework it wouldn't run a policy, so inventory accuracy is less important. If your policy is set to ongoing with the enrollment complete trigger and scoped to a smart group of 'doesn't have this <app>', when it enrolls it submits inventory prior to running policies (it's built into the enroll verb as long as you haven't added the -noRecon flag), so it would only run if they needed the software.

ChrisCox
New Contributor III

There is a -noPolicy option for the jamf enroll command. You can see an example of this by taking a look at a Recon-generated QuickAdd package in Composer. There are a couple of easy solutions to your question. You could remove the line that runs post-enrollment policies from the postinstall script in the QuickAdd package or use a script like I have here. Just pull the invitation ID from the Recon-generated QuickAdd package and add it and your Jamf Pro URL to their respective variables. This script will download the Jamf binary from the Jamf Pro web server and enroll a computer without running any policies that have a trigger of enrollment.

#!/bin/bash

# enrollNoPolicy.sh
# Enrolls a computer in Jamf Pro without triggering post-enrollment policies
# Must be run as root: it writes to /usr/local and /Library/Preferences

# Fill out the JAMF_PRO_URL with your environment's URL
JAMF_PRO_URL=""

# Fill out the INVITATION_ID with the one from your QuickAdd
INVITATION_ID=""

# Refuse to run until both values above have been filled in
if [ -z "$JAMF_PRO_URL" ] || [ -z "$INVITATION_ID" ]; then
    echo "JAMF_PRO_URL and INVITATION_ID must be set" >&2
    exit 1
fi

BINARY_URL="$JAMF_PRO_URL/bin/level1/jamf"
TMP_BINARY="/tmp/jamf"
BINARY_DIR="/usr/local/jamf/bin"
BINARY="$BINARY_DIR/jamf"
SYMLINK_DIR="/usr/local/bin"
BINARY_SYMLINK="$SYMLINK_DIR/jamf"
JAMF_CONFIG_FILE="/Library/Preferences/com.jamfsoftware.jamf.plist"

# Create directories if they do not already exist
[ ! -d "$BINARY_DIR" ] && /bin/mkdir -p "$BINARY_DIR"
[ ! -d "$SYMLINK_DIR" ] && /bin/mkdir -p "$SYMLINK_DIR"

# Verify Jamf Pro is reachable, exit with error if not
# (-k skips TLS certificate verification; drop it once the client trusts the Jamf Pro certificate)
health_check="$(/usr/bin/curl -ks "$JAMF_PRO_URL/healthCheck.html")"
[ "$health_check" = "[]" ] || exit 1

# Download the Jamf binary and move it to the correct
# location if it does not already exist on the system
if [ ! -e "$BINARY" ]; then
    # -f makes curl fail on an HTTP error instead of saving the error page as the binary
    /usr/bin/curl -ksf "$BINARY_URL" -o "$TMP_BINARY" || exit 1
    /bin/mv "$TMP_BINARY" "$BINARY"
fi

# Set file permissions for the Jamf binary
/usr/sbin/chown 0:0 "$BINARY"
/bin/chmod 555 "$BINARY"

# Create the Jamf Binary symlink if it does not already exist
[ ! -e "$BINARY_SYMLINK" ] && /bin/ln -s "$BINARY" "$SYMLINK_DIR"

# Create the Jamf configuration file if it does not already exist
[ ! -e "$JAMF_CONFIG_FILE" ] && "$BINARY" createConf -url "$JAMF_PRO_URL" -verifySSLCert always_except_during_enrollment

# Enroll the computer without triggering post-enrollment policies
"$BINARY" enroll -invitation "$INVITATION_ID" -noPolicy

# Update the Jamf binary and related applications to the latest version
"$BINARY" update

exit 0