Posted on 04-03-2023 07:49 AM
Noticed this message on one of my pilot machines today. I had to reinstall the framework via the API. Anyone seen this on version 10.44.1 or 10.45.0 of Jamf Cloud? User is running macOS Ventura 13.2.
Posted on 04-14-2023 05:01 AM
Errr, not yet but thanks for the scare.
Any idea how it happened?
04-25-2023 05:43 PM - edited 04-25-2023 05:47 PM
I just got this error after upgrading a Mac from 12.6.4 to 13.3.1.
JAMF Cloud Version: 10.45.0-t1678116779
Posted on 04-25-2023 05:46 PM
10.45.0-t1678116779
Posted on 04-26-2023 07:30 AM
@Daniel_Mork , I'm noticing this happening on my clients as they update to 13.3.1 as well. Seems like Ventura's security framework is a bit overzealous.
Posted on 04-26-2023 12:17 PM
Found this on Reddit. I wonder if this has anything to do with it.
Posted on 04-26-2023 12:29 PM
Something else to help:
How macOS Ventura App Management works and doesn't work (lapcatsoftware.com)
Posted on 04-26-2023 04:23 PM
Thanks for the extra info. A simple un-enrollment and re-enrol back into JAMF has fixed it, but hoping when I start upgrading customers this doesn't happen regularly. Thankfully this was a test machine.
Posted on 04-27-2023 04:09 AM
@Daniel_Mork I would advise opening a ticket with jamf support. Others in the Macadmins Slack are seeing it too. Imagine re-enrolling your fleet on a large scale.
Posted on 04-27-2023 04:09 AM
You can just redeploy the framework via API by the way.
Posted on 04-28-2023 07:37 AM
Did anything new come of this? Seeing some systems just going through enrollment with the issue.
04-28-2023 08:54 AM - edited 04-28-2023 09:46 AM
@erickj , this is basically how Apple intends for Gatekeeper to behave now. They gave some warning that changes were being made, but they were never transparent about what admins and vendors can and cannot do. From what I've seen in the past, Apple will never change Gatekeeper back to the way it was. Admins and vendors just have to adjust the changes that they've made; even though we don't know what they are exactly. (sucks)
I've opened a ticket with Jamf to warn them. This may affect their business.
https://eclecticlight.co/2022/06/17/app-security-changes-coming-in-ventura/
https://www.kolide.com/blog/the-security-and-it-admin-s-guide-to-macos-ventura
Posted on 07-24-2023 09:35 AM
@bwoods did Jamf ever get back to you about a fix for this? Or is un-enrolling and reenrolling the way to go? I'm now seeing it with an end user in our environment.
07-25-2023 12:15 PM - edited 03-11-2024 01:02 PM
@mredell , nothing much came from my ticket. I created an API script that my techs can run from Self Service to redeploy the framework when they run into the issue. Running "sudo jamf update -forceUpdate" also fixes a majority of these issues. The script below is for instances in which the binary is completely broken. The issue predominantly happens after a binary update.
#!/bin/bash
# Name: redeployJamfFramework.sh
# Author: Brandon Woods
# Date 05/18/2023
# This will allow technicians to redeploy a machine's framework from Self Service without needing to reference the API username or password.
# The script also encodes the API credentials to prevent bad actors from stealing our information.
# Server connection information
url="https://yourinstance.jamfcloud.com"
username="$4"
password="$5"
# local variables
currentUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )
currentUID=`id -u "$currentUser"`
# functions
Serial(){
# Prompts the user for serial number that the jamf framework should be redeployed to.
/bin/launchctl asuser "$currentUID" sudo -iu "$currentUser" /usr/bin/osascript <<APPLESCRIPT
set validatedPass to false
repeat while (validatedPass = false)
-- Prompt the user to enter the serial number twice and compare the entries
display dialog "Please enter the serial number." with icon file "System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:com.apple.macbookpro-16-space-gray.icns" default answer "" buttons {"Continue"} default button "Continue"
set fvPass to (text returned of result)
display dialog "Please re-enter the serial number." with icon file "System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:com.apple.macbookpro-16-space-gray.icns" default answer "" buttons {"Continue"} default button "Continue"
if text returned of result is equal to fvPass then
set validatedPass to true
fvPass
else
display dialog "The serial numbers you have entered do not match. Please enter matching serial numbers." with title "Serial Number Validation Failed" buttons {"Re-Enter Serial Number"} default button "Re-Enter Serial Number" with icon file "System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:com.apple.macbookpro-16-space-gray.icns"
end if
end repeat
APPLESCRIPT
}
initilizeFrameworkRedeployment(){
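# create base64-encoded credentials (the encoding HTTP Basic auth requires, not encryption)
# printf '%s:%s' keeps a "%" or "\" in the password from being read as a format directive
encodedCredentials=$( printf '%s:%s' "$username" "$password" | /usr/bin/iconv -t ISO-8859-1 | /usr/bin/base64 -i - )
# request auth token
authToken=$( curl -s -X POST "${url}/api/v1/auth/token" -H "accept: application/json" -H "Authorization: Basic ${encodedCredentials}" )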
# parse authToken for bearertoken, omit expiration
token=$(/usr/bin/awk -F \" 'NR==2{print $4}' <<< "$authToken" | /usr/bin/xargs)
serialNumber=$(Serial)
# Determine Jamf Pro device id
deviceID=$(curl -s -H "Accept: text/xml" -H "Authorization: Bearer ${token}" "${url}/JSSResource/computers/serialnumber/${serialNumber}" | xmllint --xpath '/computer/general/id/text()' -)
echo "$deviceID"
# Redeploy Jamf Framework (url already carries the https:// scheme)
if [ -n "$deviceID" ]; then
    curl -s -X POST "${url}/api/v1/jamf-management-framework/redeploy/${deviceID}" -H "accept: application/json" -H "Authorization: Bearer ${token}"
else
    echo "No computer record found for serial number ${serialNumber}"
fi
# Invalidate the token once the request is done, so no live token is left behind or printed to the policy log
curl -s -X POST "${url}/api/v1/auth/invalidate-token" -H "Authorization: Bearer ${token}"
}
# Script Execution
initilizeFrameworkRedeployment
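
Added example, not part of the post above and not Jamf's code: the script's token parsing depends on the token sitting on the second line of the response, and the serial typed into the dialog goes straight into the request URL. These hypothetical helpers (`extract_token`, `normalize_serial`, `is_device_id`) parse the token independent of layout and check both values before use; the sample responses are constructed and the 8-14 character serial length is an assumption.

```shell
#!/bin/sh
# Added example: input checks for a framework-redeploy script.
# Function names are hypothetical; sample values are constructed.

# Constructed token responses in two layouts: pretty-printed and compact.
SAMPLE_PRETTY='{
  "token" : "eyJhbGciOi.constructed.sample",
  "expires" : "2023-07-25T19:45:00.000Z"
}'
SAMPLE_COMPACT='{"token":"eyJhbGciOi.constructed.sample","expires":"2023-07-25T19:45:00.000Z"}'

# Print the "token" field regardless of how the JSON is split across lines.
extract_token() {
    printf '%s' "$1" | tr -d '\n' |
        sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Print the serial with whitespace removed and upper-cased; fail unless it is
# 8-14 characters of A-Z/0-9 (length bounds are an assumption), so nothing
# that could alter the URL path reaches the request.
normalize_serial() {
    s=$(printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]')
    case "$s" in
        ''|*[!A-Z0-9]*) return 1 ;;
    esac
    [ "${#s}" -ge 8 ] && [ "${#s}" -le 14 ] || return 1
    printf '%s\n' "$s"
}

# Succeed only for a purely numeric computer id (what the lookup should yield).
is_device_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
}

# Demo on constructed input; no network access is needed.
for raw in ' c02xk1abjg5h ' '{C02XK1ABJG5H}' 'C02XK1ABJG5H/../1'; do
    if serial=$(normalize_serial "$raw"); then
        echo "accept: $serial"
    else
        echo "reject: $raw"
    fi
done
[ -n "$(extract_token "$SAMPLE_COMPACT")" ] && echo "token parsed from compact JSON"
```

An empty result from `extract_token` (for example on an error response) is the signal to stop before any further API call is made.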