Jamf Nation Community

As I wrote this, I figured this would be the answer, but I had to ask. Below is a response that may lead to a decent solution.

Thanks! I have a pretty full day today, but I will reach out on Slack. If we have to do this with user interaction, I can live with it. I still haven't solved the mystery of how these systems became unenrolled in the first place. If the users are admin users and they know the command they can run it.

Thanks! I will look at this.

Try this
https://github.com/red5coder/Jamf-Framework-Redeploy

I like this! Thanks!!!!

Looking for a way to do this, but in mass quantities.

I think jamf deprecated something server-side to where this script no longer works: https://www.modtitan.com/2022/02/jamf-binary-self-heal-with-jamf-api.html

I see I can do it through the API, or using that .app, but really hoping to do in batch quantities. Script on that website I'd linked used to work great.

Disregard the above, the 'request auth token' function in my script wasn't correct, leading to '401 unauthorized' errors. Script still works as intended once fixing that.

Thanks for reminding me about this. I remember reading about it when Jamf Pro 10.36 was released. I tried this on my test Mac after running the "jamf removeFramework" command. It worked perfectly. This is a good kick in the butt to finally learn how to use the API. The API is the one major skill I lack with Jamf Pro. It has always been a matter of not needing to use it, so I didn't learn it.

I had an issue with this script last month. I reported it. I didn't see any response.

I actually did find a way to automate this. Several months ago, I wrote a script that uses the API command to redeploy the Jamf framework. My script is basicaly the same as a lot of other scripts that do this. I just wanted to learn how to do it myself instead of using someone else's script. We have been having an issue with LAPS not working properly. My support team would try to use the password stored in a computer's inventory and find that it doesn't work. On investigation, I found that for some reason, the password rotation was not happening on some Macs. We are currently not using the MDM LAPS that would be setup during PreStage. We are using the Jamf binary LAPS that relies on a Mac to check-in and run inventories to get the password rotated. I created a policy that first deploys a script that deletes the LAPS account (management account), and then it deploys my script to run the Jamf management framework command to re-enroll the Mac. This recreates the Jamf binary LAPS account. The user is unaware that this happened since I first excluded their Mac from any enrollment policies that would be visible to the user. We are using an enrollment customization in our PreStage that prompts the user for their AD credentials but when a Mac gets re-enrolled by this policy, the login prompt does not appear. I can see that the information that gets pulled down from our LDAP connection is still present in User and Location. I am still testing this process to see if it causes any issues, but so far, it looks like a good way to re-enroll a Mac without the user being disturbed. For this to work, it does require that the Jamf binary is working properly.

Can you share the script? Also can you share the criteria that you used for tracking out those devices. I set it up for checkin in last 24h and no inventory update in longer than 7 days. 

Here's the script. I recommend that you test it a lot to understand how it will work in your environment. 

#!/bin/zsh

# API login
jamfProURL="https://yourserver.jamfcloud.com"
username="apiuser"
password="SuperDuperSecretPassword"

# computer serial number
serialNumber=$(system_profiler SPHardwareDataType | grep Serial | /usr/bin/awk '{ print $4 }')

# request auth token
authToken=$( /usr/bin/curl \
--request POST \
--silent \
--url "$jamfProURL/api/v1/auth/token" \
--user "$username:$password" )

# parse auth token
token=$( /usr/bin/plutil \
-extract token raw - <<< "$authToken" )

tokenExpiration=$( /usr/bin/plutil \
-extract expires raw - <<< "$authToken" )

localTokenExpirationEpoch=$( TZ=GMT /bin/date -j \
-f "%Y-%m-%dT%T" "$tokenExpiration" \
+"%s" 2> /dev/null )

# determine Jamf Pro device id
deviceID=$(curl -s -H "Accept: text/xml" -H "Authorization: Bearer ${token}" ${jamfProURL}/JSSResource/computers/serialnumber/"$serialNumber" | xmllint --xpath '/computer/general/id/text()' -)
echo "The JSS ID of this computer is $deviceID"

# re-enrolling the Mac
echo "Running the Jamf management API command"
curl -X 'POST' \
  "$jamfProURL/api/v1/jamf-management-framework/redeploy/$deviceID" \
  -H 'accept: application/json' \
  -H "Authorization: Bearer $token" \
  -d ''

This Jamf Nation thread has a post of the extension attributes that I use to track down Macs with MDM issues. https://community.jamf.com/t5/jamf-pro/help-with-tracking-down-macs-that-are-not-communicating-over-... Since my script above uses MDM, it may not work on a Mac that is having trouble with MDM functionality. Right now, my dilemma is getting the Jamf binary LAPS account to work properly. The only way to get it working right is to remove and reinstall it.