Managing on-prem Distribution Point for Enrollment Packages

peternbevan
New Contributor III

I'm trying to deploy Jamf Connect as part of a PreStage enrollment, and this should now be possible from an on-prem https: DP with no user authentication. I'm obviously not going to replicate my entire package portfolio onto an un-authenticated DP, so I must populate it manually (selective replication is only available for cloud). I've created manifest plists as per documentation and added these to Jamf Pro via the Settings - Packages page, and staged my packages and manifests on the enrollment DP, but cannot get them to deploy in PreStage. Mgt History reports them as being installed, but they are clearly not. Any ideas how to manually manage an enrollment Distribution Point?

5 REPLIES

twall
New Contributor III

I'm having trouble doing the same, but with NoMAD Login. I was able to get a custom package with just my logo pushed and installed, but the NoMAD Login pkg will not deploy, with the same results. Mgmt history says installed, but it's not on the device.

peternbevan
New Contributor III

I've finally got this working, so for what it's worth, I'll answer my own question!
So for ADE provisioning, you can locate your enrollment packages on an unauthenticated https: distribution point. Add it as a new DP in Jamf so that you can specify it in the PreStage, but DO NOT replicate to it and don't put the enrollment packages in your normal DPs. By the way, contrary to the documentation, the enrollment package installation order is indeterminate - priority, naming and size matter not a jot and order varies between machines.
Upload your enrollment packages manually to your https DP (don't try to use Jamf Admin). Then create manifest files using the template from Apple. Easy for files below 10MB - you just need the file size, md5 checksum and https DP path to the package. For packages bigger than 10MB (e.g. Jamf Connect Login) you need an array of md5 checksums in 10MB chunks. This isn't easy to obtain - the best tool I found is the Intune App Wrapping Tool at https://github.com/msintuneappsdk/intune-app-wrapping-tool-mac.
Now create package records in Jamf for each enrollment package by choosing Settings - Packages - +New and entering a package title, filename and uploading the respective manifest file.
You can now add the enrollment packages to a PreStage Enrollment and choose your https DP as the Distribution Point.
You'll find that Jamf Admin now highlights the enrollment packages in red and notifies them as missing and also complains about their absence when you replicate your Primary DP to your Replica DP. Just ignore it. Live with it. Be careful only to replicate to your Replica DP, because your un-authenticated https DP will be shown in Jamf Admin, is probably tiny and you don't want to put all your precious packages on an un-authenticated web share.
Everything else is covered in the Jamf Connect and Jamf Pro admin guides - except I found staging JCL in /tmp when customising it with a postinstall script troublesome (maybe due to the way /tmp behaves in Catalina) so I staged JCL in my /usr/local/jamfconnect folder along with my branding image and logos and that worked for me.
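
The chunked-md5 manifest described in the answer above can be generated without a third-party wrapper. The following is an added example (not the poster's script, not Jamf's or Apple's code) that hashes a package in 10 MiB slices and emits the manifest plist in Apple's InstallEnterpriseApplication layout (items -> assets/metadata). The URL, bundle identifier and title are placeholders; the 25 MiB sample "package" in the demo is constructed so that the md5s array has three entries.

```python
#!/usr/bin/env python3
"""Generate an InstallEnterpriseApplication-style manifest plist for a package
staged on an unauthenticated HTTPS distribution point.

Added example, not the post author's or Jamf's code. Keys follow Apple's MDM
manifest format (items -> assets/metadata); the URL, bundle identifier and
title used below are placeholders that the reader substitutes.
"""
import hashlib
import os
import plistlib
import tempfile

# Apple's default md5-size: the package is hashed in 10 MiB slices and one
# digest per slice is listed under md5s. A package smaller than one slice
# yields a single digest, i.e. the whole-file MD5 the post mentions.
CHUNK_SIZE = 10 * 1024 * 1024  # 10485760


def chunk_md5s_from_bytes(data, chunk_size=CHUNK_SIZE):
    """Hex MD5 of each chunk_size slice of data, in order (empty input -> [])."""
    return [
        hashlib.md5(data[i:i + chunk_size]).hexdigest()
        for i in range(0, len(data), chunk_size)
    ]


def chunk_md5s(path, chunk_size=CHUNK_SIZE):
    """Same as above, but streamed from disk so a multi-hundred-MB pkg is fine."""
    digests = []
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            digests.append(hashlib.md5(chunk).hexdigest())
    return digests


def build_manifest(md5s, size_in_bytes, url, bundle_id, title, version="1.0"):
    """Assemble the manifest dict; plistlib.dumps() turns it into the XML plist."""
    return {
        "items": [
            {
                "assets": [
                    {
                        "kind": "software-package",
                        "md5-size": CHUNK_SIZE,   # slice size the md5s refer to
                        "md5s": list(md5s),
                        "url": url,               # https URL of the pkg on the DP
                    }
                ],
                "metadata": {
                    "bundle-identifier": bundle_id,
                    "bundle-version": version,
                    "kind": "software",
                    "sizeInBytes": size_in_bytes,  # must match the staged file
                    "title": title,
                },
            }
        ]
    }


def manifest_for_file(path, url, bundle_id, title, version="1.0"):
    """Hash the package on disk and return the manifest dict."""
    return build_manifest(
        chunk_md5s(path), os.path.getsize(path), url, bundle_id, title, version
    )


def demo_manifest(size=25 * 1024 * 1024):
    """Constructed sample: a zero-filled dummy 'package' of `size` bytes, so a
    25 MiB input produces three digests (10 + 10 + 5 MiB). Placeholder URL and
    bundle id; replace with the real pkg on your enrollment DP."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "Sample.pkg")
        with open(sample, "wb") as fh:
            fh.write(b"\x00" * size)
        return manifest_for_file(
            sample,
            "https://enrol-dp.example.com/Sample.pkg",  # placeholder URL
            "com.example.sample",                      # placeholder bundle id
            "Sample",
        )


if __name__ == "__main__":
    print(plistlib.dumps(demo_manifest()).decode())
```

Run it against the real .pkg and upload the printed plist as the manifest in Settings - Packages. Two caveats a practitioner should keep in mind: the md5s are a per-slice corruption check applied by the MDM client, not an authenticity control, so the package on a world-readable DP still has to be Developer ID signed (Jamf requires signed packages for PreStage enrollment); and sizeInBytes and the url must match the staged file exactly, otherwise the install is silently skipped, which is the "reported installed, but not on the device" symptom the thread describes.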

ozzyvanbrunscho
New Contributor

Would you share some config files on how to set up an unauthenticated https server? We run into the same errors, but have some difficulties with the unauthenticated https server...

peternbevan
New Contributor III

I'm afraid I just got someone else to set it up - but I assume it's just a bog-standard public https site with a bit of smb access for uploading.

andrew_nicholas
Valued Contributor

@ozzyvanbrunschot Not my post but my guess, going by the Intune link posted, is that this is a bit of blob storage in Azure with SMB turned on for syncing and the access level of the blob set to Blob or Container in the Containers Overview. It'd be really useful because you could add it into the CDN but I would have mixed feelings about putting anything in a public facing server for open download.