Automatically reset Jamf Connect after user-initiated MacOS Update

AVSquadLeader
New Contributor II

Hi Everyone,

I put together a policy to allow users to self-initiate MacOS updates from Self Service without the need for a local Admin to authenticate using the erase-install.sh tool ( https://github.com/grahampugh/erase-install

However one issue in our build is that when updating MacOS to a newer version, it breaks Jamf Connect as noted here  - (Re-enabling_the_Login_Window_after_a_Major_macOS_Upgrade)

I'm bouncing around a few ideas but I'm wondering if there is an easier way to have the system, upon reboot completing a MacOS update, automatically re-enable the login window.

Its important that we retain the flexibility of having users initiate the MacOS update on their own time and while there are many ways to push the jamf connect fix, they lack the automation i'm hoping for. 

Thank you in advance. 


4 REPLIES 4

Nicholaus
Contributor

Erase-Install lets you add a post install command, but it didn't seem to work when I tried it. If you can get it working, it would be as simple as adding the following to your Erase-Install arguments: --postinstall-command "authchanger -reset -JamfConnect"

In the case that doesn't work, you can do something quite a bit more complicated like this:

1. Run Erase-Install with your arguments and "-rebootdelay 300" (or however long you want to delay for other things to run. You don't want it so long that the authchanger policy at the end runs pre update reboot though.)
2. Add a script to the policy, or if running Erase-Install via script add this line: touch "/Library/Application Support/JAMF/Receipts/com.jamf.macOSupdateCheck.pkg"
3. Configure the "Execute Command" field in "Files and Processes" in the policy to kick off another policy via a trigger (example: jamf policy --trigger macOSUpdatesPending)
4. Create a policy to Update Inventory that runs at a custom event and populate it with the trigger from before (macOSUpdatesPending)
5. Create a smart computer group that looks for "Packages Installed by Casper" called "com.jamf.macOSupdateCheck.pkg"
6. Create a policy to run "authchanger -reset -JamfConnect" and set the policy for recurring check-in/once per computer with the group you created as the scope.

This wouldn't be immediate or perfect because the user may have to wait up to 5 minutes for the authchanger policy to kickoff once they are at the regular login screen, but it would at least automate the process.

Hey Nicholaus,

I'm currently looking at setting up a Launch Daemon based on my findings posted here by @mdls (https://community.jamf.com/t5/jamf-pro/macos-updates-and-resetting-jamf-connect-login-window/m-p/277...

but the post-install command would be the fastest for me to test at least, i'll give that a shot. These are all really great places for me to start with and i'll definitely update my post once I find one that works. 

Actually taking a look at the erase-install documentation its noted here under --post-install

"Note: this does NOT run after the computer restarts, but after startosinstall has finished preparing the update and immediately before the restart."

So likely this will not work for correcting the jamf connect login window but hopefully i can adapt the launch daemon to work as such. 

mickgrant
Contributor III

Update your Jamf Connect Login window with these new preference keys as Documented here 

  • DisableUpdateWatcher
  • DisableRSRWatcher