Enabling MDM Capable Users and weird results

mlemieux
New Contributor II

Hello all,
In the past weeks I've been looking at making our users MDM Capable on their computers to push user-level profiles. While it's still a work in progress, I've noticed a few weird results, and I'd like to hear whether the community understands what's going on.

First, the user accounts are admins created by Jamf Connect during prestage enrollment. This is the initial reason why the accounts are not MDM Capable and what I'm trying to fix.

After reading many threads, it would seem that using sudo /usr/bin/profiles renew -type enrollment is how many solved that. After trying it, I find that the computer is no longer Managed by JSS, and this happens on every computer I tried. Why does this happen?

Testing other options, I found that the Renew MDM Profile command from Jamf Pro Management also removes the management account, leaving the Managed field of the computer empty. I don't understand why this happens.

In the end, what worked so far is:

1. sudo /usr/bin/profiles renew -type enrollment
This changes the computer to Unmanaged and converts the user to MDM Capable.

2. Reinstall the CA certificate from jamfcloud.com/enroll
The enrollment profile cannot be installed and is not needed to make the computer manageable again.

3. Enable "Allow Jamf Pro to perform management tasks" in Jamf on the computer with a local admin account
The computer is now Managed in Jamf with the local account.

4. Renew MDM Profile in Management
The computer is now managed by Jamf _JSS.

This is all very confusing to me and if possible, I'd like to find a way to make all of this simpler as we need over 100 users to become MDM Capable.

1 ACCEPTED SOLUTION

wsmits
New Contributor II

There should be two certs: the CA cert should be in the System keychain, but the user certificate should only be in the user's login keychain.

The base script has been pasted below, but I have made some changes to suit our environment; essentially it is a variation of an older FileVault one.

- Prompts for the user's password

- Runs the /usr/bin/profiles renew -type enrollment command

- It then requires the user to click the device enrollment toast notification and complete the enrollment in System Settings.

What I did to make it easier was to add a command to bring up the Profiles pane and open an image that tells the user what to do, i.e.:

1 - Click Date & Time

2 - Choose Options, Update

3 - Select "Update"

This is what I added prior to the profiles command running.

###

open /System/Library/PreferencePanes/Profiles.prefPane

## Sleep for a few seconds as the profiles command can fail if the pref pane is not fully open already
sleep 2

## $ImageInstructions is set elsewhere in the full script: the path to the instruction image shown to the user
open "$ImageInstructions"

sudo profiles renew -type enrollment

###

Original Script


#!/bin/bash

####################################################################################################
#
# Copyright (c) 2017, JAMF Software, LLC. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
# * Neither the name of the JAMF Software, LLC nor the
# names of its contributors may be used to endorse or promote products
# derived from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY JAMF SOFTWARE, LLC "AS IS" AND ANY
# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL JAMF SOFTWARE, LLC BE LIABLE FOR ANY
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
####################################################################################################
#
# Description
#
# The purpose of this script is to allow a new individual recovery key to be issued
# if the current key is invalid and the management account is not enabled for FV2,
# or if the machine was encrypted outside of the JSS.
#
# First put a configuration profile for FV2 recovery key redirection in place.
# Ensure keys are being redirected to your JSS.
#
# This script will prompt the user for their password so a new FV2 individual
# recovery key can be issued and redirected to the JSS.
#
# Repurposed for MDM Enabled Users via profiles renew -type enrollment
####################################################################################################
#
# HISTORY
#
# -Created by Sam Fortuna on Sept. 5, 2014
# -Updated by Sam Fortuna on Nov. 18, 2014
# -Added support for 10.10
# -Updated by Sam Fortuna on June 23, 2015
# -Properly escapes special characters in user passwords
# -Updated by Bram Cohen on May 27, 2016
# -Pipe FV key and password to /dev/null
# -Updated by Jordan Wisniewski on Dec 5, 2016
# -Removed quotes for 'send {${userPass}} ' so
# passwords with spaces work.
# -Updated by Shane Brown/Kylie Bareis on Aug 29, 2017
# - Fixed an issue with usernames that contain
# sub-string matches of each other.
# -Updated by Bram Cohen on Jan 3, 2018
# - 10.13 adds a new prompt for username before password in changerecovery
# -Updated by Matt Boyle on July 6, 2018
# - Error handling, custom window labels, messages and FV2 icon
# -Updated by David Raabe on July 26, 2018
# - Added Custom Branding to pop up windows
# -Updated by Sebastien Del Saz Alvarez on January 22, 2021
# -Changed OS variable and relevant if statements to use OS Build rather than OS Version to avoid errors in Big Sur
####################################################################################################
#
# Parameter 4 = Set organization name in pop up window
# Parameter 5 = Failed Attempts until Stop
# Parameter 6 = Custom text for contact information.
# Parameter 7 = Custom Branding - Defaults to Self Service Icon
#Customizing Window

selfServiceBrandIcon="/Users/$3/Library/Application Support/com.jamfsoftware.selfservice.mac/Documents/Images/brandingimage.png"
jamfBrandIcon="/Library/Application Support/JAMF/Jamf.app/Contents/Resources/AppIcon.icns"
fileVaultIcon="/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/FileVaultIcon.icns"

if [ ! -z "$4" ]
then
orgName="$4 -"
fi

if [ ! -z "$6" ]
then
haltMsg="$6"
else
haltMsg="Please Contact IT for Further assistance."
fi

if [[ ! -z "$7" ]]; then
brandIcon="$7"
elif [[ -f $selfServiceBrandIcon ]]; then
brandIcon=$selfServiceBrandIcon
elif [[ -f $jamfBrandIcon ]]; then
brandIcon=$jamfBrandIcon
else
brandIcon=$fileVaultIcon
fi


## Get the logged in user's name
userName=$(/usr/bin/stat -f%Su /dev/console)

## Grab the UUID of the User
#userNameUUID=$(dscl . -read /Users/$userName/ GeneratedUID | awk '{print $2}')

## Get the OS build (first two characters of the build number, e.g. 22 for Ventura)
BUILD=$(/usr/bin/sw_vers -buildVersion | awk '{print substr($0,1,2)}')

## This first user check sees if the logged in account is already authorized with FileVault 2
# userCheck=`fdesetup list | awk -v usrN="$userNameUUID" -F, 'match($0, usrN) {print $1}'`
# if [ "${userCheck}" != "${userName}" ]; then
# echo "This user is not a FileVault 2 enabled user."
# exit 3
# fi

## Counter for Attempts
try=0
if [ ! -z "$5" ]
then
maxTry=$5
else
maxTry=2
fi

# ## Check to see if the encryption process is complete
# encryptCheck=`fdesetup status`
# statusCheck=$(echo "${encryptCheck}" | grep "FileVault is On.")
# expectedStatus="FileVault is On."
# if [ "${statusCheck}" != "${expectedStatus}" ]; then
# echo "The encryption process has not completed."
# echo "${encryptCheck}"
# exit 4
# fi

passwordPrompt () {
## Get the logged in user's password via a prompt
echo "Prompting ${userName} for their login password."
userPass=$(/usr/bin/osascript -e "
on run
display dialog \"To make this Account MDM enabled \" & return & \"Enter your login password for '$userName'\" default answer \"\" with title \"$orgName MDM Enable User\" buttons {\"Cancel\", \"Ok\"} default button 2 with icon POSIX file \"$brandIcon\" with text and hidden answer
set userPass to text returned of the result
return userPass
end run")
if [ "$?" == "1" ]
then
echo "User Canceled"
exit 0
fi
try=$((try+1))
if [[ $BUILD -ge 13 ]] && [[ $BUILD -lt 17 ]]; then
## This "expect" block answers the password prompt from profiles (originally fdesetup) while hiding it from output
result=$(expect -c "
log_user 0
spawn profiles renew -type enrollment
expect \"Password:\"
send {${userPass}}
send \r
log_user 1
expect eof
" >> /dev/null)
elif [[ $BUILD -ge 17 ]]; then
result=$(expect -c "
log_user 0
spawn profiles renew -type enrollment
expect \"Password:\"
send {${userPass}}
send \r
log_user 1
expect eof
")
else
echo "OS version not 10.9+ or OS version unrecognized"
echo "$(/usr/bin/sw_vers -productVersion)"
exit 5
fi
}

successAlert () {
/usr/bin/osascript -e "
on run
display dialog \"\" & return & \"'$userName' was successfully made MDM enabled\" with title \"$orgName MDM enabled User\" buttons {\"Close\"} default button 1 with icon POSIX file \"$brandIcon\"
end run"
}

errorAlert () {
/usr/bin/osascript -e "
on run
display dialog \"Issues encountered with MDM enablement for '$userName'\" & return & \"$result\" buttons {\"Cancel\", \"Try Again\"} default button 2 with title \"$orgName MDM enabled User\" with icon POSIX file \"$brandIcon\"
end run"
if [ "$?" == "1" ]
then
echo "User Canceled"
exit 0
fi
## The attempt counter is incremented once per prompt in passwordPrompt, so it is not incremented again here
}

haltAlert () {
/usr/bin/osascript -e "
on run
display dialog \"Issues encountered with MDM enablement for '$userName'\" & return & \"$haltMsg\" buttons {\"Close\"} default button 1 with title \"$orgName MDM enabled User\" with icon POSIX file \"$brandIcon\"
end run
"
}

while true
do
passwordPrompt
if [[ $result = *"Error"* ]]
then
echo "Error Enabling User"
if [ $try -ge $maxTry ]
then
haltAlert
echo "Quitting.. Too Many failures"
exit 0
else
echo "$result"
errorAlert
fi
else
echo "Successfully Enabled User $userName"
successAlert
exit 0
fi
done

 

##########
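As an added example (not part of the thread, and neither Jamf's nor wsmits's script), the checks below wrap the renewal in the way a practitioner would want for both the four-step procedure in the question and the certificate placement point in this answer: record the enrollment state before, renew, wait for the user's approval, re-check, and then verify that the Wi-Fi user certificate sits only in the login keychain. It assumes the line format of profiles status -type enrollment ("Enrolled via DEP:" and "MDM enrollment: ... (User Approved)"), the keychain: "..." lines printed by security find-certificate -a, the Jamf binary at /usr/local/bin/jamf, and a placeholder CERT_NAME for the certificate's common name. The parsers take captured text, so the constructed samples run anywhere; the live part runs only with RUN_LIVE=1 as root on a Mac.

```shell
#!/bin/bash
# Added example (not from the thread, Jamf, or wsmits's script).
# Pre/post checks around `profiles renew -type enrollment`, plus an audit of
# which keychains hold a given certificate. The parsers take captured text so
# the constructed samples at the bottom run anywhere; the live part runs only
# with RUN_LIVE=1 on a Mac, as root (for example from a Jamf policy).

# Classify output of `profiles status -type enrollment` (assumed format:
# "Enrolled via DEP: Yes/No" and "MDM enrollment: Yes (User Approved)").
# Prints one of: not-enrolled | enrolled | enrolled-approved
enrollment_state() {
    if ! printf '%s\n' "$1" | grep -q '^MDM enrollment: Yes'; then
        echo "not-enrolled"
    elif printf '%s\n' "$1" | grep -q 'User Approved'; then
        echo "enrolled-approved"
    else
        echo "enrolled"
    fi
}

# Returns 0 when the device was enrolled through Automated Device Enrollment.
dep_enrolled() {
    printf '%s\n' "$1" | grep -q '^Enrolled via DEP: Yes'
}

# From `security find-certificate -a -c "<name>" <keychain>...` output, print
# the keychain paths holding a match, one per line, deduplicated.
cert_keychains() {
    printf '%s\n' "$1" | sed -n 's/^keychain: "\(.*\)"$/\1/p' | sort -u
}

# A user certificate delivered by a user-level profile belongs only in that
# user's login keychain; a copy in the System keychain is usable by every local
# account. Prints "exposed" if the System keychain holds it, otherwise "ok".
user_cert_placement() {
    if cert_keychains "$1" | grep -qF '/Library/Keychains/System.keychain'; then
        echo "exposed"
    else
        echo "ok"
    fi
}

# Live run: capture state, renew, wait for the user to approve, re-check, audit the cert.
run_live() {
    console_user=$(/usr/bin/stat -f%Su /dev/console)
    before=$(/usr/bin/profiles status -type enrollment 2>&1)
    echo "before: $(enrollment_state "$before")"
    dep_enrolled "$before" || echo "warning: device was not enrolled via DEP"

    /usr/bin/profiles renew -type enrollment

    # Approval happens in System Settings; poll up to ~5 minutes instead of assuming it.
    i=0
    after="$before"
    while [ "$i" -lt 30 ]; do
        after=$(/usr/bin/profiles status -type enrollment 2>&1)
        [ "$(enrollment_state "$after")" = "enrolled-approved" ] && break
        sleep 10
        i=$((i + 1))
    done
    echo "after: $(enrollment_state "$after")"

    # CERT_NAME is a placeholder: the common name of the certificate in your Wi-Fi profile.
    certs=$(/usr/bin/security find-certificate -a -c "${CERT_NAME:-PLACEHOLDER-CERT-NAME}" \
        "/Users/$console_user/Library/Keychains/login.keychain-db" \
        /Library/Keychains/System.keychain 2>/dev/null)
    echo "user cert placement: $(user_cert_placement "$certs")"

    # Jamf Pro learns about MDM-capable users from inventory (assumed binary path).
    if [ -x /usr/local/bin/jamf ]; then
        /usr/local/bin/jamf recon
    fi
}

# Constructed sample outputs (not captured from a real Mac) for a dry run.
SAMPLE_STATUS="Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)"
SAMPLE_CERTS='keychain: "/Users/alice/Library/Keychains/login.keychain-db"
version: 256
keychain: "/Library/Keychains/System.keychain"
version: 256'

if [ "${RUN_LIVE:-0}" = "1" ]; then
    run_live
else
    echo "sample state: $(enrollment_state "$SAMPLE_STATUS")"              # enrolled-approved
    echo "sample cert placement: $(user_cert_placement "$SAMPLE_CERTS")"  # exposed
fi
```

The device-channel state reported by profiles status is not the same thing as the user showing as MDM Capable in Jamf Pro; that field is populated from inventory, which is why the live run ends with a recon. The cert audit is the check that answers the keychain question: if the user certificate turns up in the System keychain, every local account on the Mac can use it for Wi-Fi authentication.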


4 REPLIES

jamf-42
Valued Contributor

I'm sure someone will correct me.. but are user-level config profiles deprecated? Sure I read that somewhere..

wsmits
New Contributor II

We still need to use User profiles to install cert-based auth Wi-Fi, as, due to security reasons, we are unable to deploy it as a device-based profile. What OS version are you running? I say that because there was a known issue that I experienced in Ventura that made the devices unmanaged (the enrollment URL changes when you run this command in Ventura and Apple was not allowing it). This was fixed in 13.2 and this now works 99% of the time.

We have a Self Service policy that runs a script to do all this; it prompts for the password and kicks off the "sudo /usr/bin/profiles renew -type enrollment" command.


mlemieux
New Contributor II

I successfully ran the enrollment command without removing the management of a recently updated MacBook. It is possible that it was due to the Ventura issue you mentioned. I'll test some more on the computers that are now on 13.3.

wsmits, does your script also authorize the profile to install in System Settings > Profiles, or do your users still need to go there to install it? Because that is something my users may have trouble with.

And since you are talking about Wi-Fi user certs, I found that the certificate I push from a User-Level profile is installed in the System keychain, available to any user on the computer. I was expecting it to go in the session keychain. Did I miss an option in the config profile?
