Posted on 09-09-2015 02:07 PM
I've been doing some searching around the discussions and knowledge base, but I can't find definitive info on whether Casper Suite is yet compatible with 10.11 El Capitan (beta) and whether there is a timeline when it will be.
I had a user running OS X 10.11 beta trying to enroll using self-enrollment with Quickadd (JSS 9.73), and it would not work. She could not open the Quickadd package, error was "The operation could not be completed. (com.apple.installer.pagecontroller error -1)." She is a software engineer and tried to unpack the package various ways with no luck, "Error while extracting archive: (PackageInfo): archived-checksum MD5's do not match (No such file or directory)." She did not believe the error stemmed from 10.11 on her machine. I didn't know there was any problem with 10.11 until I searched the Internets.
Could someone let me know whether the problems she had do (likely) stem from 10.11 incompatibility, or if that would be something else? I am still new to the wonders of OS X management with JAMF, as in I often “wonder” whether I am in over my head. :(
Thanks!
Posted on 09-09-2015 02:17 PM
Not sure about that specific issue but you will need to hang on for the next version of the JSS for full 10.11 compatibility AFAIK. You could try a sudo jamf enroll instead, assuming the jamf binary successfully installed on the Mac.
Posted on 09-09-2015 02:17 PM
Hey @tony.schaps,
Someone correct me if I'm wrong, but in the past JAMF has offered zero-day compatibility with new OS X releases, so if Phil's "leaked" e-mail is correct, we'll be getting a patch from JAMF on or around September 30.
El Cap is bringing a lot of changes, though. System Integrity Protection (a.k.a. rootless), and among other things, NetBoot servers will now need to be trusted. These changes are big for Casper, which relies heavily on OS X's underlying architecture. So, I'm not surprised at all to hear that your client is having difficulty.
So no, I don't think you're over your head! If you have the option, I would wait until the (presumed) Casper 9.8 binary is released, and then get your client enrolled. Even then, you'll want to upgrade them off the beta and on to the final Release Candidate (again, presumably available on 9/30).
Posted on 09-09-2015 02:29 PM
If you look on apple.com/osx the Sept 30 date is on there too.....little more official than the leaked email.
Posted on 09-09-2015 02:33 PM
In my experience, some apps can survive the upgrade to 10.11 with all or most functionality intact, but the app cannot be reinstalled or installed on 10.11.
Posted on 09-09-2015 02:39 PM
Thanks everyone--
Just recently rolled out Casper Suite at our growing software development company. I only knew she'd updated to 10.11 beta because our Aerohive HiveManager detected it. Not sure it was a good idea to upgrade to 10.11 beta in a production environment, but not sure software engineers care what TechOps thinks :)
We're really trying to get our holdouts to get enrolled, so waiting for Sept. 30 is undesirable. All of this talk has put a bit of fear in me what we can expect with El Capitan.
@davidacland If the Quickadd wouldn't launch, then the jamf binary could not be installed, or do I understand that process incorrectly?
Thanks again--
Posted on 09-09-2015 02:45 PM
@tony.schaps it will depend what stage the installer fails. If it starts but then fails to actually enroll, it might have got far enough to get the jamf binary on there.
Failing that you could grab the binary from another Mac, then run it and see if you can get it enrolled.
That all being said, I'd probably wipe the Mac, re-install 10.10.5, enroll and then setup the beta 10.11 installer as restricted software.
Posted on 09-09-2015 09:55 PM
You could consider adding El Cap to restricted software, with disclaimer message, I've used
Due to recently discovered compatibility issues, YouCoName IT recommends that staff do not upgrade to OSX 10.11 El Capitan at this time. We fully expect these OSX compatibility issues to be resolved in short order by Apple in the coming OSX update.
Posted on 09-09-2015 10:16 PM
Installed the GM of 10.11 today and Casper apps run fine, JSS picks up OS level in the Inventory update.
Packages being pushed out work, still testing for issues.
MS Lync does not work with 10.11 GM
Posted on 09-09-2015 10:32 PM
@dmw3 good info, did you try launching the Quickadd package on 10.11 GM, or did you upgrade an existing installation? thx
Posted on 09-09-2015 10:35 PM
@tony.schaps It was an in place upgrade, will be running a Quickadd.pkg test tomorrow when I redo a computer.
Posted on 09-09-2015 10:38 PM
@dmw3 Great, I will look forward to hearing the result, please report back. Thanks!
Posted on 09-09-2015 10:49 PM
@davidacland The Quickadd package would not even launch for this person, and she said it was not Gatekeeper related (i.e. she knows how to handle that, and it was also in our instructions). We're evolving from a small shop, and rolling out Casper is a step forward, but these devs have managed their own machines themselves the past few years. Requiring one to re-image is not something I'd probably get support for as long as a dev is doing a good job with their tools.
:)
Thanks
Posted on 09-10-2015 05:08 AM
@dmw3 Which part of MS Lync isn't working for you? I'm able to fire up MS Lync and login without issue.
Posted on 09-10-2015 06:57 AM
@dmw3 I have experienced the same issue with MS Lync crashing after an OS upgrade to Yosemite. The fix is fairly simple...
rm ~/Library/Preferences/com.microsoft.Lync.plist
rm ~/Library/Preferences/ByHost/MicrosoftLyncRegistrationDB.*
rm -rf ~/"Documents/Microsoft User Data/Microsoft Lync Data/"
killall cfprefsd
This should completely remove any Lync settings and allow you to reconfigure it.
Posted on 09-10-2015 07:16 AM
@tony.schaps I am able to get our JAMF binaries on to a 10.11 GM machine but I cannot use a QuickAdd directly from the enrollment page or from Recon. I took our standard QuickAdd and opened it inside of Composer. I moved the standard install location from /usr/sbin and put them in /tmp (updating permissions to be owned by root:wheel). I then added a line to move the binaries to /usr/sbin and left everything else in place. With these settings it worked without issue.
JSS 9.65
Posted on 09-10-2015 07:52 AM
Oh it's not just me, @andrew.nicholas! I've been trying to get the QuickAdd to install all morning to no avail. Was just about to dig into the QuickAdd package when you posted this. It's nice to know I'm not suffering alone.
Posted on 09-10-2015 08:14 AM
@emilykausalik Glad to help! I'm also noticing that Casper Imaging is no bueno as well. 9.65 (Prod) crashes outright and 9.73 (Test) will try to start but throws a NilObject error and then crashes. Self Service once enrolled works great at least so I can offer a solution to any outliers that just HAVE to run 10.11.
All tests done on a fresh 10.11GM install.
Posted on 09-10-2015 08:15 AM
As an aside, I've also noticed some changes with createmobileaccount. It no longer throws the two ignorable errors when successfully completing, so that's cool.
Posted on 09-10-2015 08:27 AM
So basically the JSS has been updated but none of the Suite software has? That's the impression I'm getting, anyway.
Posted on 09-10-2015 02:33 PM
We're running the beta of the next version. While I guess we can't talk about it here, I would think that you are going to see things change with this release.
There are a lot of changes in 10.11 and I would recommend at least signing up for the betas as you can see what's going on over there and discuss.
Posted on 09-10-2015 02:33 PM
I was wondering if it was just me.
The Suite Software worked around beta 3 or 4 then stopped at the next beta release.
Hope to see a fix to this shortly.
Posted on 09-10-2015 03:32 PM
@bracyj_SAIC Thanks, had removed all but the ByHost files, so Lync now works. I will have to get a script up to remove those files on an upgrade to 10.11.
Posted on 09-11-2015 07:31 AM
Hey @andrew.nicholas any chance you can share the modifications you made to the postinstall script in the QuickAdd.pkg?
Posted on 09-11-2015 08:19 AM
@emilykausalik Sure thing!
This is how I delivered the binaries:
This is how I moved them into place:
Posted on 09-11-2015 08:42 AM
I just imaged a machine in Imaging (9.72) using a 10.11 GM base created in AutoDMG, and for the most part it seems to work as expected. The machine does enroll in the JSS (using the automatic enrollment in the configuration), and updates inventory, though with a minor error. Self Service lets me auth and presents a list of policies but will not run anything.
Posted on 09-11-2015 08:44 AM
@dgreening Was the environment you were running Casper Imaging from within 10.11?
Posted on 09-11-2015 08:47 AM
Nope, it's on a 10.10.4 based NetBoot created with AutoCasperNBI.
Posted on 09-11-2015 08:54 AM
The initial testing I did with imaging using Casper Imaging on my production (9.73) JSS had the machine image, but enrollment failed and none of the policies worked (all software is installed after CI lays down the OS X package on a custom trigger called by a script).
Posted on 09-11-2015 09:07 AM
It's no surprise that in-place upgrades to El Capitan are going smoothly.
Did you know that Apple has added a Compatibility exception list to the System Integrity Protection function?
That list can be found here:
/System/Library/Sandbox/Compatibility.bundle/Contents/Resources/paths
In my other post on this topic, I discovered that the "paths" file contains hundreds of exceptions for programs like puppet, vagrant, shake, gutenprint, nortonscanner, folding@home, VirtualBox, and filesystem extensions like Fuse and Tuxera.
These are very well known tools in the Mac community, and the creation of this exception list means that at least a few engineers at Apple have taken notice. The exception list has also persisted for several beta cycles AND is included in the GM Candidate of El Capitan that was released yesterday.
The JAMF Software Engineers need to be made aware that this change will not be required as they had initially planned when the first beta of El Capitan had dropped.
Posted on 09-11-2015 09:11 AM
Why does the existence of the exception list matter? Apple giveth, Apple can also taketh away.
In the long run, it's best to go with what the OS vendor says you should do as a best practice.
Posted on 09-11-2015 09:11 AM
One more thing...
In a recent Casper 9.8 beta, this is how JAMF has moved the binaries:
/usr/local/jamf // symbolic link
/usr/local/jamfAgent // symbolic link
/usr/local/jamf/bin/jamf // actual file
/usr/local/jamf/bin/jamfAgent // actual file
To JAMF Software Engineers, I would say this: "Bro, do you even UNIX?"
Have you looked at the "PATH" environment variable on a stock OS X system lately?
declare -x PATH="/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin"
Please correct me if I'm wrong, but if JAMF moves the binaries to the location(s) mentioned above, it's my understanding that the scripts will break because they are not in locations that are part of the PATH environment variable. It will be their responsibility to modify the PATH variable with an export command.
Posted on 09-11-2015 09:15 AM
You can see status of this using
csrutil status
To disable it (for testing) you boot into the Recovery HD and run:
csrutil disable
I'm not sure if there's a way to disable it on an active system, but that is what I know.
Posted on 09-11-2015 09:16 AM
@rtrouton , I agree that JAMF should be following standard practice.
The binaries should go to /usr/local/bin . I sincerely hope they fix that before the final release of 9.8.
Posted on 09-11-2015 09:24 AM
You're wrong. The symlink is actually stored in /usr/local/bin/, so it's /usr/local/bin/jamf.
You should be able to verify this by running which jamf in Terminal on your test box. It should return /usr/local/bin/jamf.
Posted on 09-11-2015 09:26 AM
So then maybe part of the problem is the directory structure, unless I'm reading this incorrectly (which is likely):
if [ $major_version -lt 10 ] || [ $major_version -eq 10 -a $minor_version -lt 7 ];then
    jamfCLIPath=/usr/sbin/jamf
    /bin/rm /Applications/JAMFQuickAdd/Binaries/jamf
    /bin/mv /Applications/JAMFQuickAdd/Binaries/jamf2 $jamfCLIPath
else
    jamfCLIPath=/usr/local/jamf/bin/jamf
    /bin/rm /Applications/JAMFQuickAdd/Binaries/jamf2
    /bin/mkdir -p /usr/local/jamf/bin
    /bin/mv /Applications/JAMFQuickAdd/Binaries/jamf /usr/local/jamf/bin/jamf
    /bin/ln -s /usr/local/jamf/bin/jamf /usr/local/bin
fi
It looks like it's trying to use /usr/local/jamf/bin/jamf instead of /usr/local/bin/jamf/.
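Added example, not part of any post in this thread and not JAMF's code: it rebuilds the 10.7+ branch of the script quoted above under a scratch directory and resolves jamf against the stock PATH quoted earlier in the thread, showing which entry finds it and where the symlink points. The function names, the placeholder binary and the reduced PATH used for comparison are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: names and the scratch layout are assumptions for illustration.
STOCK_PATH="/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin"  # PATH quoted in the thread

# Recreate the 10.7+ branch of the quoted script under a scratch root.
build_layout() {
    root=$1
    mkdir -p "$root/usr/local/jamf/bin" "$root/usr/local/bin"
    printf '#!/bin/sh\necho placeholder\n' > "$root/usr/local/jamf/bin/jamf"
    chmod 755 "$root/usr/local/jamf/bin/jamf"
    # Equivalent of: /bin/ln -s /usr/local/jamf/bin/jamf /usr/local/bin
    ln -s "$root/usr/local/jamf/bin/jamf" "$root/usr/local/bin"
}

# Print the first PATH entry (ROOT stripped) under which NAME is executable.
find_on_path() {
    root=$1; name=$2
    old_ifs=$IFS; IFS=:
    for dir in $3; do
        if [ -x "$root$dir/$name" ]; then
            IFS=$old_ifs
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Print where a symlink points (ROOT stripped); fail if it is not a symlink.
link_target() {
    root=$1
    [ -L "$root$2" ] || return 1
    target=$(readlink "$root$2")
    printf '%s\n' "${target#"$root"}"
}

demo() {
    scratch=$(mktemp -d "${TMPDIR:-/tmp}/jamfpath.XXXXXX") || return 1
    build_layout "$scratch"
    hit=$(find_on_path "$scratch" jamf "$STOCK_PATH") || hit=""
    echo "stock PATH:   ${hit:-not found} -> $(link_target "$scratch" "$hit")"
    # Constructed comparison: a PATH that lacks /usr/local/bin.
    reduced=$(find_on_path "$scratch" jamf "/usr/bin:/bin:/usr/sbin:/sbin") || reduced=""
    echo "reduced PATH: ${reduced:-not found}"
    rm -rf "$scratch"
}
demo
```

The real file lives in /usr/local/jamf/bin, which is not a PATH entry; only the symlink in /usr/local/bin makes the bare name resolve, so a script running under a PATH without /usr/local/bin has to call the binary by absolute path.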
Posted on 09-11-2015 09:27 AM
Thanks, @rtrouton. I did say a "recent" 9.8 beta, but I didn't say which one. Are you running 9.8 b2?
Posted on 09-11-2015 09:33 AM
My cloud instance is running 9.8b1.
Posted on 09-11-2015 09:38 AM
@alexjdale and I were talking yesterday after he noticed the individual recovery key disappears and the system no longer shows up as encrypted in the JSS after upgrading to 10.11. I tested on my 9.72 JSS this morning and noticed the same thing. This could cause major issues...has anyone else noticed this?
Posted on 09-12-2015 01:58 PM
Yep. Recovery key escrow breaks for me too.