Jamf Nation Community

Unlikely. The curl version has changed for 10.9 to use OS X's Secure Transport instead of the traditional OpenSSL. Since it's likely your JSS is running HTTPS, we've had no end of bother trying to make things work.

Try using a -3 in your curl command. That'll force SSLv3.

I have a feeling this won't be possible to automate. For one, I'm not sure how you expect to capture something like the user details when downloading the file since I believe that only gets captured if someone actually logs in on the enrollment page.

curl does have a form fill function, the -F flag that you'll see in the man page. I don't know much about how to use it but it seems the basic idea is it can take direct input or input in the form of a file that can be used to post to a form on a site.

Looking at the enroll page under 8.73 I see this block:

<form name="login_form" method="post">
    <label for="username">Username:</label> <input type="text" name="username" value="" />
    <label for="password">Password:</label><input type="password" name="password" />
    <input class="submit" type="submit" name="submit" value="Login" />
</form>

The above has both labels and input types shown. That would seem to indicate that its using a form where you might be able to specify the type, such as type=text and name=username along with some input, etc. and post back to the page, simulating a login.
The thing is, I believe the ability to script filling in a form like this falls into the category of cross site scripting, or XSS, which is considered a security vulnerability. In fact, JAMF made an effort a few years back to remove various XSS viulns from their product, which is why we can no longer use html code in the Self Service descriptions. Somehow I think filling in a form like this via curl would be blocked.

But, take a look at the man page and that -F flag and some examples and see if you can get it to work.

@Aaron, nice work! I really didn't think that would be possible, but I just tested your script out, punching in my own settings and it worked like a charm!
I'm not sure I have a real need for anything like this right now, but its cool to know its possible. Thanks!

@Aaron, Very Nice! It works great in 10.9.1! I had to tweak it a little to get around a F5 load balancing rule I have in my environment:

curl -d username="username" -d password="password" -s -k -c "/tmp/cookie.txt" 
-o /dev/null https://jss_master_app_server:8443/osxenroll && 
curl -s -b "/tmp/cookie.txt" -c "/tmp/cookie.txt" -k 
-o /tmp/QuickAdd.pkg https://jss_master_app_server:8443/flatpackagedownload

Hey Everyone,

Here are some solutions I have built, as a proof of concept to re-enroll machines when things go wrong from a JSS migration, or if the client device is tampered with or something gets corrupted. The down side to this, is when machines fall off the grid, due to authentication issues (certificate based communication fails) you may need to turn that off in the JSS to get them enrolled again and have certificate based communication resume. If you build a QuickAdd.pkg in Recon.app, and view the package contents, in the PostFlight script there will be an invitation code. This code can be used to enroll a device. You can actually script this, and it will re-enroll the device, however, this really only applies to devices that have somehow lost their ability to authenticate to the JSS. If a user deletes all of the JAMF framework and binary, you will need to reinstall it, via a quickadd. Here is my enroll script, but please remember this is totally proof of concept and only tested in my virtual environment. Which consists of one JSS and one 10.8 VM.

#!/bin/bash

# enroll devices that lose their JAMF.keychain
# scope to a smart group devices that have not checked in x amount of days
# certificate based communication must be disabled for this to work

# variables hard coded below

invitationCode=''
jssURL=''
receiptFilePath=''

# start functions

checkJSS () {
    ping -c 1 ${jssURL}
    if [[ $(echo $?) != 0 ]]
      then "echo cannot connect to the JSS, exiting..."
      exit 1
    fi
}

enrollJSS () {

    if [[ -e '/Library/Application Support/JAMF/JAMF.keychain' ]]
      then echo "need to back up the old keychain, just in case.."
      mv /Library/Application Support/JAMF/JAMF.keychain /Library/Application Support/JAMF/JAMF.keychain.old
    fi

    jamf createConf -k ${jssURL}

    jamf enroll -invitation ${invitationCode}

    if [[ $(echo $?) != 0 ]]
      then echo "enrollment failed..." > ${receiptFilePath}
      jamf recon
      exit 1
      else "echo enrollment was a success.."
      rm ${receiptFilePath}
      jamf recon
    fi
}

# run functions

checkJSS

enrollJSS

exit 0

The other way I have done this, is through a script that will curl down a quickadd from a HTTP distribution point. Here is an installer script I have written, again as total proof of concept, that is meant for 'template use.' Which means you put the script in the JSS, and when site admins want to install something they simply fill in the positional parameters in the policy with the script to tell the client what to download and install. You would have to modify this to run locally via a laucnd, or change the positional parameters to just hard coded variables. This particular script was meant as a template where you set what types of scripts and packages can be installed as a main Casper Admin for your site admins. Some of the code I have redacted, since it is not really relevant to this topic.

#!/bin/bash

# installer script, uses parameters $4, $5 and $6

installURL="$4"

pkgName="$5"

downloadDir="$6"

 # now download the pkg

 echo "${4} is the URL, ${5} is the package, full path is ${4}${5}"

 curl -O ${4}${5} --output ${6}

/usr/sbin/installer -pkg "${downloadDir}${pkgName}" -target /


exit 0

Note that the above enroll script creates a conf file with the -k option, which tells the client to trust the JSS with out a valid certificate. Once the device enrolls and gets a valid certificate you can turn certificate based communication back on and all the keystores should match and it is back to business as usual. Also please note I have not tested any of this on a 10.9 box and from what I have been reading the curl binary has changed.

Thanks,
Tom