Jamf Nation Community

walt · ‎07-09-2020

I'm looking for suggestions or workflows on deploying network profiles before or after our enrollment process.

Our setup:
• Jamf Cloud
• ADCS connector
• DEPNotify

We don't currently have a provisioning network yet but is in process, so we use dmz/external-facing network connections for enrollment but the network could switch during the enrollment if the profiles deployed during the enrollment or depnotify process and potentially cause an issue.

I tried to find a way to trigger the config profile after depnotify but did not see a way to do using smart group criteria.

any suggestions or ideas?

Thank you!

psliequ · ‎07-10-2020

In your last policy driven by DEPNotify, do a

touch /Library/Preferences/.MacReadyforCertificates

or something similar.

The extension attribute could be named something like "Ready for Certificate Deployment," be script based and would look like this for this example;

#!/bin/sh

if [[ -f /Library/Preferences/.MacReadyforCertificates ]]; then
  echo "<result>Yes</result>"
else
  echo "<result>No</result>"
fi

Your smart group would just look for the Yes criteria to deploy the MDM profile to.

View solution in original post

psliequ · ‎07-10-2020

Put a waypoint file on the system at the end of enrollment, search for its existence with an extension attribute, build a smart group based on the attribute and scope your profile to it, do a jamf recon.

walt · ‎07-10-2020

appreciate the suggestion, but I am not familiar with that process, do you have any documentation or steps that show this type of configuration or what the waypoint file and EA would look like?

psliequ · ‎07-10-2020

In your last policy driven by DEPNotify, do a

touch /Library/Preferences/.MacReadyforCertificates

or something similar.

The extension attribute could be named something like "Ready for Certificate Deployment," be script based and would look like this for this example;

#!/bin/sh

if [[ -f /Library/Preferences/.MacReadyforCertificates ]]; then
  echo "<result>Yes</result>"
else
  echo "<result>No</result>"
fi

Your smart group would just look for the Yes criteria to deploy the MDM profile to.

walt · ‎07-10-2020

Thank you, do you know if EA's take a while to update or resolve?

I created a test for this. Here is my config based on your suggestions:

• created a Policy
–Once Per Computer, re-occurring check-in
–Files & Process
––Execute Command: touch /Library/Preferences/WaltTest
–scoped to my device

• created EA
–script
–– instead of .MacReadyforCertificates, used WaltTest (no prefacing period)

• Created Smart Group
–Criteria: EATest

The EA shows in my device inventory but does not show Yes or No, yet the file is there created by the EA.

psliequ · ‎07-10-2020

You'll get a value on the next inventory update. Often with DEPNotify it's good to do an inventory update at the end of your provisioning workflow to update inventory and EA values for any subsequent processing.

walt · ‎07-10-2020

I was getting an error with the script, but when I added fi to the end of the script and it showed the results as intended.

thank you for the guidance on this, should be useful for this purpose.

psliequ · ‎07-10-2020

Thanks, it got lost in my copy/paste. Added for posterity.

Jamf Nation Community

Deploy network certificates after or before enrollment