Managing on-prem Distribution Point for Enrollment Packages

peternbevan
New Contributor III

I'm trying to deploy Jamf Connect as part of a PreStage enrollment, and this should now be possible from an on-prem https: DP with no user authentication. I'm obviously not going to replicate my entire package portfolio onto an un-authenticated DP, so I must populate it manually (selective replication is only available for cloud). I've created manifest plists as per documentation and added these to Jamf Pro via the Settings - Packages page, and staged my packages and manifests on the enrollment DP, but cannot get them to deploy in PreStage. Mgt History reports them as being installed, but there are clearly not. Any ideas how to manually manage an enrollment Distribution Point?

12 REPLIES 12

twall
New Contributor III

I'm having trouble doing the same, but with NoMAD Login. I was able to get a custom package with just my logo pushed and installed, but the NoMAD Login pkg will not deploy, with the same results. Mgmt history says installed, but its not on the device.

peternbevan
New Contributor III

I've finally got this working, so for what it's worth, I'll answer my own question!
So for ADE provisioning, you can locate your enrollment packages on an unauthenticated https: distribution point. Add it as a new DP in Jamf so that you can specify it in the PreStage, but DO NOT replicate to it and don't put the enrollment packages in your normal DPs. By the way, contrary to the documentation the enrollment package installation order is indeterminate - priority, naming and size matter not a jot and order varies between machines. Upload your enrollment packages manually to your https DP (don't try to use Jamf Admin). Then create manifest files using the template from Apple. Easy for files below 10MB - you just need the file size, md5 checksum and https DP path to the package. For packages bigger than 10MB (e.g. Jamf Connect Login) you need an array of md5 checksums in 10MB chunks. This isn't easy to obtain - the best tool I found is the Intune App Wrapping Tool at https://github.com/msintuneappsdk/intune-app-wrapping-tool-mac. Now create package records in Jamf for each enrollment package by choosing Settings - Packages - +New and entering a package title, filename and uploading the respective manifest file.
You can now add the enrollment packages to a PreStage Enrollment and choose your https DP as the Distribution Point.
You'll find that Jamf Admin now highlights the enrollment packages in red and notifies them as missing and also complains about their absence when you replicate your Primary DP to your Replica DP. Just ignore it. Live with it. Be careful only to replicate to your Replica DP, because your un-authenticated https DP will be shown in Jamf Admin, is probably tiny and you don't want to put all your precious packages on an un-authenticated web share.
Everything else is covered in the Jamf Connect and Jamf Pro admin guides - except I found staging JCL in /tmp when customising it with a postinstall script troublesome (maybe due the way /tmp behaves in Catalina) so I staged JCL in my /usr/local/jamfconnect folder along with my branding image and logos and that worked for me.

ozzyvanbrunscho
New Contributor

Would you share some config files how to set-up an unauthenticated https server? We run into the same errors, but have some difficulties with the unauthenticated https server...

peternbevan
New Contributor III

I'm afraid I just got someone else to set it up - but I assume it's just a bog-standard public https site with a bit of smb access for uploading.

andrew_nicholas
Valued Contributor

@ozzyvanbrunschot Not my post but my guess, going by the Intune link posted, is that this is a bit of blob storage in Azure with SMB turned on for syncing and the access level of the blob set to Blob or Container in the Containers Overview. It'd be really useful because you could add it into the CDN but I would have mixed feelings about putting anything in a public facing server for open download.

NickWilliams
New Contributor III

I stumbled across this post when I was having exactly the same problems as @twall  , and since I haven't found any solution online apart from @peternbevan 's hint about the Intune App wrapping tool (and it took me literally days to figure this out) I thought I'd post what I did to get the deployment working in case it helps any other poor soul. It's definitely not straightforward.

  • Set up your unauthenticated https: storage and add it into Jamf (how you do this bit's kind-of up to you, as long as you get a secure, internet-accessible share that you can upload files to, and then download again without needing to authenticate using a web browser - or curl command - then you're good to go))
  • Add the share into Jamf as an additional File Share Distribution Point (Settings > Server Infrastructure)
    • General Tab: Sensible name, Server = myservername.mydomain (no https in front or anything). DO NOT use as principal distribution point and DO NOT set a failover.
    • File Sharing Tab: You have to fill out the fields here, but you're never going to need them (Jamf isn't managing the content of this share, you're doing it manually) so make stuff up.
    • HTTP/HTTPS: Tick "Use http downloads" and "Use SSL". Port=443 (unless your server guys have told you otherwise). "Context" confused me for ages, but it's basically the name of the folder your packages are going to live in. Make life easy for yourself and use a top level folder called "JamfShare". Authentication Type = None.

Just for clarity - anything you put in this share will be accessible/downloadable by literally anyone with a web browser and basic computer skills. Don't put anything you'd regret in there.

 

Now your share is set up in Jamf, you need to get your PreStage Enrollment packages ready to go into it.

cd tools-1/appmanifest/
brew install go (assumes you have homebrew installed)
go env -w GO111MODULE=off
go get github.com/groob/plist
go build appmanifest.go
sudo chmod 755 appmanifest
mv appmanifest /usr/local/bin

  • Download and install Intune App Wrapper Utility from https://github.com/msintuneappsdk/intune-app-wrapping-tool-mac (you'll need this if your package is > 10 Mb in size. Jamf Connect is 11Mb!)
  • To create a manifest for the Jamf Connect installer, make a copy in a local folder somewhere (in this example ~/Desktop/JamfConnect/JamfConnect.pkg ) and follow this https://www.dersoldat.org/?p=1456 
    appmanifest -url https://myservername.mydomain/JamfShare/JamfConnect.pkg ~/Desktop/JamfConnect/JamfConnect.pkg >~/Desktop/JamfConnect/JamfConnect_manifest.plist
  • If your package exceeds 10Mb, you'll need to also create an Intune App Wrapper file, so you can then extract the accurate md5 stuff (in this example, JamfConnect.pkg in a Desktop folder called "JamfConnect"). The -o command needs a folder name, not a filename. That confused me for ages.
    IntuneAppUtil -c ~/Desktop/JamfConnect/JamfConnect.pkg -o ~/Desktop/JamfConnect/intune/
    IntuneAppUtil -r intune/JamfConnect.pkg.intunemac > extracted_details.txt
  • Now the weird bit. Open the "extracted_details.txt" file in a text editor and find the "MD5HashChunkSize Size" value. Copy it to your clipboard.  Now open the previously created "JamfConnect_manifest.plist" with a plain text editor and replace whatever the "md5-size" value is with the value in your clipboard. (I'm going to assume that the Hash values are the same in both files - they certainly were in mine).
  • Save the updated JamfConnect_manifest.plist file
  • Repeat for any other pkg files you need to prestage. If they're <10 Mb you only need to run the appmanifest command, and can ignore the IntuneAppUtil stuff.

Manually Create the package in Jamf and add it to your PreStage workflow:

  • Copy the pkg file(s) onto your https:// share
  • Check they're downloadable by pointing a web browser at the file and downloading them without authentication
  • In Jamf: Settings > Computer Management > Packages > New
    • Display Name: whatever's sensible (I put https in my name to make it obvious)
    • Filename: exact name of file e.g. JamfConnect.pkg
    • Upload your manifest file
    • Save

Now you should be able to add the Package(s) into your PreStage and deploy them at point of enrollment. It's really hard to troubleshoot when they fail (fun fact: installing the same packages via a policy to test the install doesn't actually use the manifest, so won't show you when that's wrong. There went another few hours of my life). In theory you can use this command to troubleshoot PreStage installs (but I couldn't work out what I was meant to be looking for):

log show --predicate 'processImagePath contains "mdmclient" OR processImagePath contains "storedownloadd"' --debug --info --last 1h

As long as the package installs manually, the failure can only be due to inability to download over unauthenticated https, untrusted, expired or missing package certificate or incorrect manifest. Good luck working out which.

I really hope that helps someone else.  Jamf Connect is awesome when it actually installs.

Best of luck - you may need it!

 

Random, useful, Jamf Connect links:

https://hcsonline.com/images/PDFs/Jamf_Connect_Azure.pdf 

https://www.jamf.com/blog/zero-touch-deployment-with-jamf-pro-and-jamf-connect/ 

https://docs.jamf.com/jamf-connect/2.12.0/documentation/Notify_Screen.html?hl=notify%2Cscreen%2Cjamf... 

https://github.com/jamf/jamfconnect 

https://docs.jamf.com/jamf-connect/2.3.3/administrator-guide/Editing_the_macOS_loginwindow_Applicati... (handy when you mess up)

Baravis
New Contributor III

This guide is intense and exactly what I need to fill in some holes in my knowledge and set this up quickly.  Thanks a ton, mate.  

NickWilliams
New Contributor III

I stumbled across this post when I was having exactly the same problems as @twall , and since I haven't found any solution online apart from @peternbevan 's hint about the Intune App wrapping tool (and it took me literally days to figure this out) I thought I'd post what I did to get the deployment working in case it helps any other poor soul. It's definitely not straightforward.
(Edit: I've tried to post this solution several times and it keeps vanishing. Not sure why. For a last ditch attempt I'm going to break it up into multiple, smaller replies to see what happens)

  • Set up your unauthenticated https: storage and add it into Jamf (how you do this bit's kind-of up to you, as long as you get a secure, internet-accessible share that you can upload files to, and then download again without needing to authenticate using a web browser - or curl command - then you're good to go)
  • Add the share into Jamf as an additional File Share Distribution Point (Settings > Server Infrastructure)
    • General Tab: Sensible name, Server = myservername.mydomain (no https in front or anything). DO NOT use as principal distribution point and DO NOT set a failover.
    • File Sharing Tab: You have to fill out the fields here, but you're never going to need them (Jamf isn't managing the content of this share, you're doing it manually) so make stuff up.
    • HTTP/HTTPS: Tick "Use http downloads" and "Use SSL". Port=443 (unless your server guys have told you otherwise). "Context" confused me for ages, but it's basically the name of the folder your packages are going to live in. Make life easy for yourself and use a top level folder called "JamfShare". Authentication Type = None.

 

Just for clarity - anything you put in this share will be accessible/downloadable by literally anyone with a web browser and basic computer skills. Don't put anything you'd regret in there.

NickWilliams
New Contributor III

Now your share is set up in Jamf, you need to get your PreStage Enrollment packages ready to go into it.

  1. Grab your vendor files (e.g. Jamf Connect). Hopefully they're signed by a trusted source or else you'll need to create yourself a signing certificate using your Jamf instance (https://travellingtechguy.blog/signing-packages-and-configuration-profiles-with-the-built-in-jamf-pr...) and fix it yourself. Not covering that here but hopefully https://simplemdm.com/certificate-sign-macos-packages/ or https://managingosx.wordpress.com/2012/03/24/fixing-packages-with-expired-signatures/ might help
  2. Create your bespoke packages (e.g. Branding and Scripts) and sign them using a certificate generated from Jamf. This link gives an excellent walkthrough of how to do it https://hcsonline.com/images/PDFs/Jamf_Connect_Azure.pdf
  3. Download and install AppManifest from https://github.com/micromdm/tools/archive/v1.zip and unzip
    cd tools-1/appmanifest/
    brew install go (assumes you have homebrew installed)
    go env -w GO111MODULE=off
    go get github.com/groob/plist
    go build appmanifest.go
    sudo chmod 755 appmanifest
    mv appmanifest /usr/local/bin
  • Download and install Intune App Wrapper Utility from https://github.com/msintuneappsdk/intune-app-wrapping-tool-mac (you'll need this if your package is > 10 Mb in size. Jamf Connect is 11Mb!)
    To create a manifest for the Jamf Connect installer, make a copy in a local folder somewhere (in this example ~/Desktop/JamfConnect/JamfConnect.pkg ) and follow this https://www.dersoldat.org/?p=1456
    appmanifest -url https://myservername.mydomain/JamfShare/JamfConnect.pkg ~/Desktop/JamfConnect/JamfConnect.pkg >~/Desktop/JamfConnect/JamfConnect_manifest.plist
  • If your package exceeds 10Mb, you'll need to also create an Intune App Wrapper file, so you can then extract the accurate md5 stuff (in this example, JamfConnect.pkg in a Desktop folder called "JamfConnect"). The -o command needs a folder name, not a filename. That confused me for ages.
    IntuneAppUtil -c ~/Desktop/JamfConnect/JamfConnect.pkg -o ~/Desktop/JamfConnect/intune/
    IntuneAppUtil -r intune/JamfConnect.pkg.intunemac > extracted_details.txt
  • Now the weird bit. Open the "extracted_details.txt" file in a text editor and find the "MD5HashChunkSize Size" value. Copy it to your clipboard. Now open the previously created "JamfConnect_manifest.plist" with a plain text editor and replace whatever the "md5-size" value is with the value in your clipboard. (I'm going to assume that the Hash values are the same in both files - they certainly were in mine).
  • Save the updated JamfConnect_manifest.plist file
  • Repeat for any other pkg files you need to prestage. If they're <10 Mb you only need to run the appmanifest command, and can ignore the IntuneAppUtil stuff.

NickWilliams
New Contributor III

Manually Create the package in Jamf and add it to your PreStage workflow:

  • Copy the pkg file(s) onto your https:// share
  • Check they're downloadable by pointing a web browser at the file and downloading them without authentication
  • In Jamf: Settings > Computer Management > Packages > New
    • Display Name: whatever's sensible (I put https in my name to make it obvious)
    • Filename: exact name of file e.g. JamfConnect.pkg
    • Upload your manifest file
    • Save

Now you should be able to add the Package(s) into your PreStage and deploy them at point of enrollment. It's really hard to troubleshoot when they fail (fun fact: installing the same packages via a policy to test the install doesn't actually use the manifest, so won't show you when that's wrong. There went another few hours of my life). In theory you can use this command to troubleshoot PreStage installs (but I couldn't work out what I was meant to be looking for):

log show --predicate 'processImagePath contains "mdmclient" OR processImagePath contains "storedownloadd"' --debug --info --last 1h

As long as the package installs manually, the failure can only be due to inability to download over unauthenticated https, untrusted, expired or missing package certificate or incorrect manifest. Good luck working out which.

I really hope that helps someone else. Jamf Connect is awesome when it actually installs.

Best of luck - you may need it!

NickWilliams
New Contributor III

Well that's embarrassing...