How to force depnotify to kick in right after enrollment?

Captainamerica
Contributor II

So there are 2 scenarios:

1. When enrolling a Mac manually through the browser and installation of a profile. Profiles are installed and I have also set the "enrollment complete" trigger - and only this one trigger - in the first policy. But often it can take some time before depnotify kicks in. If I go to Terminal and do a manual sudo jamf policy, it triggers the start of depnotify. So my question is how can it be made so that after enrollment the sudo jamf policy kicks in right away - so depnotify is launched?

 

2. In the pre-stage environment we use Jamf Connect, which creates the account and also installs depnotify. Once the desktop is seen, it again takes time before the sudo jamf policy is executed, so depnotify is not launched. Is there a way to trigger this so it launches right away when the desktop is seen the first time? Some kind of LaunchDaemon maybe, or what are others using?


andrew_nicholas
Valued Contributor

Something like the below might work for you. It is a script that writes another script to launch the enrollment policy or detect if DEP has run and delete itself and its calling plist. The plist is set to five minutes but can be changed to whatever works for you.

 

 

#!/bin/zsh
companyDir="/Library/COMPANY/Scripts"
scriptPath="/Library/COMPANY/Scripts/beginEnrollment.sh"
plistPath="/Library/LaunchDaemons/com.companyname.nudgeenroll.plist"


mkdir -p "$companyDir"

#write script, chown and chmod
touch "$scriptPath"
cat << '_EOF' > "$scriptPath"
#!/bin/zsh
depLogPath="/var/tmp/depnotify.log"
scriptPath="/Library/COMPANY/Scripts/beginEnrollment.sh"
plistPath="/Library/LaunchDaemons/com.companyname.nudgeenroll.plist"

# Detect if DEP has begun; if so, delete this script and its launch daemon plist
if [ -f "$depLogPath" ]; then
    rm "$scriptPath"
    rm "$plistPath"
else
    # The owner of /dev/console is the user logged in at the GUI
    currentUser=$(stat -f%Su /dev/console)
    currentUserHome=$(dscl . read "/Users/$currentUser" NFSHomeDirectory | awk '{print $2}')
    jamfEnrollURL="<URL_FOR_ENROLLMENT_PORTAL_OR_POLICY_TO_BE_CALLED>"
    sudo -u "$currentUser" open "$jamfEnrollURL"
fi
_EOF
chmod +x "$scriptPath"
chown root:wheel "$scriptPath"

#write launch daemon chown 
touch "$plistPath"
cat << '_EOF' > "$plistPath"
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>com.company.nudgeenroll</string>
	<key>ProgramArguments</key>
	<array>
		<string>sh</string>
		<string>-c</string>
		<string>/Library/COMPANY/Scripts/beginEnrollment.sh</string>
	</array>
	<key>StartInterval</key>
    <integer>300</integer>
</dict>
</plist>
_EOF
chown root:wheel "$plistPath"
launchctl load -w "$plistPath"

 

 

Captainamerica
Contributor II

Thanks. However, I think I somehow have to add that the LaunchDaemon is not kicked off before the desktop is visible for the user. As far as I can read, a way to do this is to check if the Dock or Finder process exists - but I don't have the skills to build this into your script.

You can try taking a look at this tool as well by @Yohan : https://github.com/Yohan460/JAMF-Enrollment-Kickstart

 

 

Captainamerica
Contributor II

If someone else has something useful I would like to know.

I think a LaunchDaemon that executes when Finder/Dock services are running is the way.
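
A sketch of the approach described in the last post, as an added example that is not code from the thread or from any of the tools it links: a root-owned script, called by a LaunchDaemon with `--run`, that waits until a real user owns the console and both Finder and Dock are running, then runs the same `jamf policy` check-in the thread runs by hand. The function names, the `MAX_WAIT` and `POLL` defaults, and the list of console owners treated as "no user yet" are assumptions; `/usr/local/bin/jamf` is the usual location of the jamf binary.

```shell
#!/bin/sh
# Added example: wait for the user's desktop, then trigger a Jamf check-in.
# JAMF_BIN, MAX_WAIT and POLL are assumed defaults; adjust to your environment.
JAMF_BIN="${JAMF_BIN:-/usr/local/bin/jamf}"
MAX_WAIT="${MAX_WAIT:-600}"   # give up after this many seconds
POLL="${POLL:-5}"             # seconds between checks

# The owner of /dev/console is the user at the GUI (root at the login window).
console_user() { stat -f%Su /dev/console 2>/dev/null; }

# True when a process with this exact name is running as the given user.
user_has_proc() { pgrep -x -u "$1" "$2" >/dev/null 2>&1; }

# The desktop counts as ready when a real user owns the console and both
# Finder and Dock are running in that user's session.
desktop_ready() {
    user=$(console_user)
    case "$user" in
        ""|root|loginwindow|_mbsetupuser) return 1 ;;   # no user session yet
    esac
    user_has_proc "$user" Finder && user_has_proc "$user" Dock
}

# Poll until the desktop is ready; return 1 if MAX_WAIT elapses first.
wait_for_desktop() {
    waited=0
    until desktop_ready; do
        [ "$waited" -ge "$MAX_WAIT" ] && return 1
        sleep "$POLL"
        waited=$((waited + POLL))
    done
}

main() {
    wait_for_desktop || { echo "desktop not ready after ${MAX_WAIT}s" >&2; return 1; }
    "$JAMF_BIN" policy   # the check-in the thread runs manually with sudo
}

# Run only when invoked with --run, so the functions can be sourced and tested.
if [ "${1:-}" = "--run" ]; then main; fi
```

Because launchd runs this as root, keep the script owned by root:wheel and not writable by other users, as the earlier reply does for its own script.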