Deploy network certificates after or before enrollment

walt
Contributor III

I'm looking for suggestions or workflows on deploying network profiles before or after our enrollment process.

Our setup:
• Jamf Cloud
• ADCS connector
• DEPNotify

We don't currently have a provisioning network yet, but one is in process, so we use DMZ/external-facing network connections for enrollment. The network could switch during enrollment if the profiles are deployed during the enrollment or DEPNotify process and potentially cause an issue.

I tried to find a way to trigger the config profile after DEPNotify but did not see a way to do so using smart group criteria.

Any suggestions or ideas?

Thank you!


7 REPLIES

psliequ
Contributor III

Put a waypoint file on the system at the end of enrollment, search for its existence with an extension attribute, build a smart group based on the attribute and scope your profile to it, do a jamf recon.

walt
Contributor III

I appreciate the suggestion, but I am not familiar with that process. Do you have any documentation or steps that show this type of configuration or what the waypoint file and EA would look like?

psliequ
Contributor III

In your last policy driven by DEPNotify, do a

touch /Library/Preferences/.MacReadyforCertificates

or something similar.

The extension attribute could be named something like "Ready for Certificate Deployment," be script based, and would look like this for this example:

#!/bin/bash

# Jamf extension attribute: reports whether the waypoint file written by the
# last DEPNotify policy exists. Jamf reads the value between the <result> tags.
# ([[ ]] is bash syntax, so the shebang is /bin/bash rather than /bin/sh.)
if [[ -f /Library/Preferences/.MacReadyforCertificates ]]; then
  echo "<result>Yes</result>"
else
  echo "<result>No</result>"
fi

Your smart group would just look for the Yes criteria to deploy the MDM profile to.

walt
Contributor III

Thank you. Do you know if EAs take a while to update or resolve?

I created a test for this. Here is my config based on your suggestions:

• created a Policy
–Once Per Computer, recurring check-in
–Files & Process
––Execute Command: touch /Library/Preferences/WaltTest
–scoped to my device

• created EA
–script
–– instead of .MacReadyforCertificates, used WaltTest (no prefacing period)

• Created Smart Group
–Criteria: EATest

The EA shows in my device inventory but does not show Yes or No, yet the file is there, created by the EA.

psliequ
Contributor III

You'll get a value on the next inventory update. Often with DEPNotify it's good to do an inventory update at the end of your provisioning workflow to update inventory and EA values for any subsequent processing.
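As an added example (not code from the thread or from Jamf), the two halves of the workflow described above, the final DEPNotify-driven policy step that drops the waypoint file and runs an inventory update, and the extension attribute that reports it, combined into one script. The marker path is a parameter (the thread's own path is the default) so it can be exercised outside /Library/Preferences; the jamf recon call is assumed to be the inventory update psliequ refers to.

```shell
#!/bin/bash
# Added example for the waypoint-file workflow; not from the original thread.

# Default marker path, taken from the thread. The leading dot only hides the
# file in Finder; it gates profile *timing*, not access, so /Library/Preferences
# being root-owned is what keeps a standard user from creating it early.
WAYPOINT="${WAYPOINT:-/Library/Preferences/.MacReadyforCertificates}"

# Step 1: last policy in the DEPNotify workflow. Creates the marker, pins its
# ownership/permissions, and submits inventory immediately so the EA and the
# smart group built on it update without waiting for the next check-in.
mark_ready() {
  local marker="$1"
  touch "$marker" || return 1
  chown root:wheel "$marker" 2>/dev/null || true   # no-op when not root
  chmod 644 "$marker"
  # Only a Jamf-managed Mac has the jamf binary; skip recon anywhere else.
  if command -v jamf >/dev/null 2>&1; then
    jamf recon >/dev/null 2>&1 || true
  fi
  return 0
}

# Step 2: extension attribute body. Jamf parses the text inside <result> tags.
ea_result() {
  local marker="$1"
  if [ -f "$marker" ]; then
    printf '<result>Yes</result>\n'
  else
    printf '<result>No</result>\n'
  fi
}

# Re-enrollment cleanup: removing the marker drops the Mac out of the smart
# group, so the certificate profile is not re-pushed mid-provisioning.
clear_ready() {
  rm -f "$1"
}

# When run directly with no arguments, behave as the EA script.
if [ $# -eq 0 ]; then
  ea_result "$WAYPOINT"
fi
```

Scope the policy in step 1 to the end of the DEPNotify sequence and paste the ea_result body as the EA script; the smart group criterion stays "Ready for Certificate Deployment is Yes".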

walt
Contributor III

I was getting an error with the script, but when I added fi to the end of the script it showed the results as intended.

Thank you for the guidance on this; it should be useful for this purpose.

psliequ
Contributor III

Thanks, it got lost in my copy/paste. Added for posterity.