Posted on 11-16-2021 05:51 AM
I've inherited the day-to-day responsibilities of managing our JAMF instance within our local school district and there are some things that I am still trying to wrap my head around, mainly because I'm just unfamiliar with the way the previous Tech had set things up. I'm hoping someone would be able to help me dissect what we currently have in place, in order for me to better understand the setup, as well as be able to recreate or modify the configuration if need be.
We are using DEPnotify in our prestage to run several enrollment policies after initial enrollment of a device is complete. Once the user is through Setup Assistant and is brought to the desktop, within about 10-30 seconds DEPnotify runs and displays our school district logo and tells the user that apps are being downloaded and installed. Once complete, the device restarts. This is all good and well, when it works, but there have been dozens of times when DEPnotify fails to detect the enrollment complete trigger and therefore does not run, and subsequently the policies do not run. I'm hoping by being able to look more into this issue, I would be able to generate a package for use in Self Service that I can run if it is not automatically triggered.
I have noticed two enrollment packages in our prestage configuration. One called admin-signed.pkg and another called org.schoolname.enrollment-signed.pkg. I understand the naming of these packages is not that important, but rather what is in them. I have looked a bit into each package using the terminal command "pkgutil --expand" since "Show Package Contents" was unavailable. I didn't notice anything that jumped right out at me, but maybe I am not looking at the right file.
It sounds like something is running once Setup Assistant is complete that is installing DEPnotify.app into the Applications/Utilities folder that is then being used to display the setup status of the device. Is that correct? DEPnotify.app gets installed immediately after enrollment is completed and then the policies in our JAMF enrollment stage run one by one? If I look at Console during this process I can see it is running each policy in order by name. Ours look like this:
00 Collect Initial Inventory
01 Set Firmware Password
02 Hide Admin Account At Enrollment
03 Hide "Other" User From Login Window
And so on. I understand the reasoning for numbering the policies, due to the behavior of how JAMF runs policies alphabetically. If anyone has any insight into best practices, and maybe what else I can look into to see exactly what is happening behind the scenes, as well as where I would go to edit the DEPnotify script, I would greatly appreciate it. The only script I've found so far in JAMF for DEPnotify is the following:
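# Assumption: commandLog is not set in the script as posted; this is DEPNotify's default command file.
commandLog="/var/tmp/depnotify.log"
# Launch DEPNotify in the background, reading status from the Jamf log.
/Applications/Utilities/DEPNotify.app/Contents/MacOS/DEPNotify -jamf &
echo "Command: MainTitle: Pardon our dust..." >> "$commandLog"
echo "Command: MainText: Your computer is undergoing first time setup. This window will automatically disappear when setup is complete." >> "$commandLog"
echo "Command: KillCommandFile:" >> "$commandLog"
echo "Command: Quit" >> "$commandLog"
# Remove the app once the window has been told to quit.
rm -r /Applications/Utilities/DEPNotify.app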
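
One way to find "the right file" in the two prestage packages, as an added example that is not part of the original post and is not Jamf's or DEPNotify's own code: list the parts of an expanded package that execute or persist code. It assumes the package was unpacked with `pkgutil --expand-full` so that the payload is a directory; the function names, the sample tree and the `example-trigger` event name are constructed for illustration.

```shell
#!/bin/sh
# Triage an expanded installer package: what runs at install time, what
# persists as a launchd job, and which files mention DEPNotify or jamf policy.
# Usage on a Mac (directory name is up to you):
#   pkgutil --expand-full admin-signed.pkg /tmp/admin-expanded
#   audit_expanded_pkg /tmp/admin-expanded

audit_expanded_pkg() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # Installer scripts run as root while the package installs.
    find "$dir" -type f \( -name preinstall -o -name postinstall \) |
        sort | sed 's/^/SCRIPT  /'

    # launchd jobs delivered in the payload keep running after enrollment.
    find "$dir" -type f -name '*.plist' \
        \( -path '*/LaunchDaemons/*' -o -path '*/LaunchAgents/*' \) |
        sort | sed 's/^/LAUNCHD /'

    # Text files that reference DEPNotify or call a Jamf policy trigger.
    grep -rIlE -i 'depnotify|jamf policy' "$dir" 2>/dev/null |
        sort | sed 's/^/MENTION /'
}

# Constructed sample tree standing in for an expanded package.
make_sample_pkg() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/Scripts" "$root/Payload/Library/LaunchDaemons" \
             "$root/Payload/Library/Preferences"
    printf '#!/bin/sh\n/usr/local/bin/jamf policy -event example-trigger\n' \
        > "$root/Scripts/postinstall"
    printf '<plist><string>/Applications/Utilities/DEPNotify.app</string></plist>\n' \
        > "$root/Payload/Library/LaunchDaemons/org.example.enrollment.plist"
    printf '<plist/>\n' > "$root/Payload/Library/Preferences/org.example.plist"
    echo "$root"
}

sample=$(make_sample_pkg)
audit_expanded_pkg "$sample"
rm -rf "$sample"
```

Any `SCRIPT` or `LAUNCHD` hit is worth reading in full, since those files run with root privileges on every enrolled device.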