Device Signature Error : A tool to make people contact the IT

hepvd
Contributor

Hi Jamf users,

I'm facing an odd and recurring issue with random users: from time to time the enrollment breaks and the end user can no longer receive updates, use Self Service, and so on. We have to re-enroll the computer using: jamf enroll -prompt

So I was thinking of making a small shell script that runs every day on the computer, checking whether the command jamf policy returns the error Device Signature Error and, if "yes", starting jamfHelper and displaying a message to contact IT.

My script is the following :

#!/bin/bash

output=$(jamf policy 2>&1)

if [[ $output =~ "Device Signature Error" ]]; then
    /Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -description "Please contact IT immediately"
else
    exit 0
fi

Then I've written a LaunchDaemon : com.pretendo.JCE.plist to start at login and run it every 2 hours :

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>JCE_tool</string>
	<key>Program</key>
	<string>/Library/Scripts_Rep/jamf_check_enroll.sh</string>
	<key>RunAtLoad</key>
	<true/>
	<key>StartInterval</key>
	<integer>7200</integer>
</dict>
</plist>

And finally a script that sets the rights "after" pushing the script and plist via a policy:

#!/bin/bash

chmod 644 /Library/LaunchDaemons/com.pretendo.JCE.plist
chown root:wheel /Library/LaunchDaemons/com.pretendo.JCE.plist

chmod +x /Library/Scripts_Rep/jamf_check_enroll.sh

launchctl load /Library/LaunchDaemons/com.pretendo.JCE.plist

If I'm here looking for help, as you can easily guess, it's not working. I'll happily get some help to make it work

4 REPLIES

AJPinto
Esteemed Contributor

You may want to open a ticket with Jamf. Over the years I have only seen issues like this a few times; if you are seeing it frequently enough to attempt to automate remediation, there is something wrong in your environment.

thebrucecarter
Contributor II

We see that particular issue more than I would like as well.  Not sure what the root cause is, though.

mojo21221
Contributor II

We had this issue in the past as well. Our culprit was Migration Assistant, which a handful from our fleet used to migrate to their newly issued Macs. The problem wouldn't always show itself right away, but once we disabled the ability to run Migration Assistant that problem went away. jamf enroll -prompt was the fix, and we even went a little overkill by creating a new local user account, transferring only necessary files to give the userspace a clean slate.

hepvd
Contributor

Finally managed to make it work. It's pretty straightforward, but I hope it will be able to catch the ones escaping the net.

Here is the LaunchDaemon:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>com.pretendco.jce_tool</string>
	<key>ProgramArguments</key>
	<array>
		<string>/bin/bash</string>
		<string>/Library/Scripts/jce_tool.sh</string>
	</array>
	<key>RunAtLoad</key>
	<true/>
	<key>StartInterval</key>
	<integer>3600</integer>
</dict>
</plist>

The script itself :

#!/bin/bash

# Exec cmd 'jamf policy' and keep the output into a variable
output=$(/usr/local/bin/jamf policy 2>&1)

# Verify if the output contains 'device signature error'
if [[ $output =~ "Device Signature Error" ]]; then
    # If true : run the command  'jamfHelper' and custom message 
    /Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -description "Do not turn it off and on again, contact the IT Guys." -windowType fs -icon "/Library/Custom_Ressources/error.png"
else
    # If not found, quit the script
    exit 0
fi

And finally a post install script added to the PKG :

#!/bin/bash

# Set permissions on launchd daemon files
chown root:wheel "/Library/LaunchDaemons/com.pretendco.jce_tool.plist"
chmod 644 "/Library/LaunchDaemons/com.pretendco.jce_tool.plist"
chown -R root:wheel "/Library/Scripts/jce_tool.sh"
chmod -R 755 "/Library/Scripts/jce_tool.sh"

exit 0
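
Because launchd runs this LaunchDaemon's script as root, the plist, the script and every directory above them need to be root-owned and not writable by group or others, which is what the chown/chmod lines in the post-install script are for. The following is an added example, not code from the thread: a check that walks a path and its parent directories and reports violations. The function names and the optional owner and stop-directory arguments are assumptions, added so the check can be exercised without root.

```bash
#!/bin/bash
# Added example (not from the thread): audit the files a root LaunchDaemon runs.
# The owner and stop-directory parameters are assumptions added for testability.

# check_path PATH [OWNER]: return 1 and print a finding if PATH is missing,
# not owned by OWNER (default root), or writable by group or others.
check_path() {
    local p="$1" owner="${2:-root}" bad=0
    if [ ! -e "$p" ]; then
        echo "MISSING: $p"
        return 1
    fi
    # find -prune tests only PATH itself; it prints PATH when the test matches.
    if [ -z "$(find "$p" -prune -user "$owner" 2>/dev/null)" ]; then
        echo "OWNER: $p is not owned by $owner"
        bad=1
    fi
    if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
        echo "WRITABLE: $p is group- or world-writable"
        bad=1
    fi
    return "$bad"
}

# audit_chain PATH [OWNER] [STOP]: check PATH and each parent directory up to
# STOP (default /). A writable parent lets a user swap the script underneath.
audit_chain() {
    local p="$1" owner="${2:-root}" stop="${3:-/}" rc=0
    case "$p" in
        /*) ;;
        *) echo "USAGE: absolute path required: $p"; return 2 ;;
    esac
    while :; do
        check_path "$p" "$owner" || rc=1
        if [ "$p" = "$stop" ] || [ "$p" = "/" ]; then break; fi
        p=$(dirname "$p")
    done
    return "$rc"
}

# When paths are passed on the command line, audit each and exit non-zero
# on any finding, e.g. as a final step of the post-install script.
if [ "$#" -gt 0 ]; then
    rc=0
    for f in "$@"; do audit_chain "$f" || rc=1; done
    exit "$rc"
fi
```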