Posted on 03-02-2023 02:22 PM
I'm in a little predicament whereby we receive "new user" requests that contain a display name (first and last) and email address (not connected to our Corporate domain) which is followed (once approved) by a Jamf enrollment invitation sent to said email address.
Once the enrollment (of a device of which we currently have no information) is complete, our process dictates that we continue to create an email account and other app accounts for the new user.
I'm using webhooks (computerAdded, and computerCheckin trigger=enrollmentComplete) to try to kick off the second part of the process, however I currently can't think of a way to link the enrolled computer to the invitation. I don't have the computer serial number from the request, and the local username won't necessarily equal what we will create for the user.
I know I can see enrolled computers from the computerinvitations.html page in the Jamf console. Can I get this via the API?
Posted on 03-03-2023 11:14 AM
The Classic API has the following resource that may help.
/JSSResource/computerinvitations
The above will list all invitations, such as user initiated enrollments and so on. It reports things like Invitation ID, Invitation type and Invitation Date in a few forms. See if that shows what you're looking for.
Posted on 03-03-2023 11:41 AM
Thanks for the response.
This is the endpoint I am using to create the invitation but when I query
/JSSResource/computerinvitations/id/<id>
It doesn't show which computer enrolled using the invitation.
I'm monitoring a computerCheckin:enrollmentComplete webhook on the far end and trying to tie the enrolled device back to the invitation.
Posted on 03-03-2023 12:22 PM
Yes, I can see that too. It shows details of the enrollment, but not which device used it. Perhaps a different approach is needed? Is there a reason you can't use the Enrollment Complete trigger to have a policy run once the Mac completes enrollment, which could maybe run a script to do some of the post enrollment tasks? That's usually what most admins do in these cases, since that's the main reason Jamf provides that enrollment complete trigger for policies.
Posted on 03-03-2023 03:35 PM
So the task that I want to run post-enrollment will reach out to multiple service providers and use their APIs to create new accounts.
This is a workflow we will use for a small subset of offshore contractors, so the users in question are in a dedicated site in Jamf and do not exist in our directory. They are also providing their own hardware for this project, so we aren't purchasing/have no control over the device before it's enrolled.
I've been struggling with this for a couple of days, so I've decided in the meantime to use the user's display name as my link for now, although it's not the best data to use. I have the name in my initial Jira request, and upon the enrollmentComplete checkin, I can look up the device id and grab the local user name and compare back to a database.
I think the cleanest way to accomplish this would have been to manage the invitation from creation to identifying the device that used it to enroll. But it doesn't seem to be possible.
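
An added example (not from any poster in this thread) of the display-name workaround described in the last post: it matches the name seen at enrollment against pending requests and returns a match only when exactly one open request fits, so a duplicate or unknown name is held for manual review instead of triggering account creation. The record fields, ticket ids and function names are hypothetical, the sample data is constructed, and how the name is read from Jamf is not shown.

```python
import unicodedata

def normalize(name):
    """Fold case, strip accents and punctuation, and sort tokens,
    so 'Alvarez, Jose' and 'José Álvarez' compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_accents = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = "".join(c if c.isalnum() else " " for c in no_accents.casefold())
    return tuple(sorted(cleaned.split()))

def match_enrollment(real_name, pending_requests):
    """Return (status, request). Only a single open request with the same
    normalized name counts as 'matched'; everything else needs a human."""
    key = normalize(real_name)
    if not key:
        return ("no_name", None)
    hits = [r for r in pending_requests
            if r["status"] == "invited" and normalize(r["display_name"]) == key]
    if len(hits) == 1:
        return ("matched", hits[0])
    return ("ambiguous" if hits else "unmatched", None)

# Constructed sample of the request database (hypothetical schema).
PENDING = [
    {"ticket": "REQ-101", "display_name": "José Álvarez",
     "email": "jose@example.org", "status": "invited"},
    {"ticket": "REQ-102", "display_name": "Jane Doe",
     "email": "jane.a@example.org", "status": "invited"},
    {"ticket": "REQ-103", "display_name": "jane doe",
     "email": "jane.b@example.org", "status": "invited"},
    {"ticket": "REQ-104", "display_name": "Sam Lee",
     "email": "sam@example.org", "status": "provisioned"},
]

if __name__ == "__main__":
    # Names as they might be read from the enrolled device (constructed).
    for seen in ["Alvarez, Jose", "Jane Doe", "Sam Lee", "admin", ""]:
        status, req = match_enrollment(seen, PENDING)
        ticket = req["ticket"] if req else "-"
        action = "create accounts" if status == "matched" else "hold for review"
        print(f"{seen!r:18} {status:10} {ticket:8} {action}")
```

Marking a request as provisioned once it has been matched keeps a second enrollment that reports the same name from matching it again.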