Managing on-prem Distribution Point for Enrollment Packages
Posted on 05-13-2020 04:18 AM
I'm trying to deploy Jamf Connect as part of a PreStage enrollment, and this should now be possible from an on-prem https: DP with no user authentication. I'm obviously not going to replicate my entire package portfolio onto an un-authenticated DP, so I must populate it manually (selective replication is only available for cloud). I've created manifest plists as per documentation and added these to Jamf Pro via the Settings - Packages page, and staged my packages and manifests on the enrollment DP, but cannot get them to deploy in PreStage. Mgt History reports them as being installed, but they are clearly not. Any ideas how to manually manage an enrollment Distribution Point?
Labels: Enrollment
Posted on 05-20-2020 10:00 AM
I'm having trouble doing the same, but with NoMAD Login. I was able to get a custom package with just my logo pushed and installed, but the NoMAD Login pkg will not deploy, with the same results. Mgmt history says installed, but it's not on the device.
Posted on 06-30-2020 09:03 AM
I've finally got this working, so for what it's worth, I'll answer my own question!
So for ADE provisioning, you can locate your enrollment packages on an unauthenticated https: distribution point. Add it as a new DP in Jamf so that you can specify it in the PreStage, but DO NOT replicate to it and don't put the enrollment packages in your normal DPs. By the way, contrary to the documentation the enrollment package installation order is indeterminate - priority, naming and size matter not a jot and order varies between machines. Upload your enrollment packages manually to your https DP (don't try to use Jamf Admin). Then create manifest files using the template from Apple. Easy for files below 10MB - you just need the file size, md5 checksum and https DP path to the package. For packages bigger than 10MB (e.g. Jamf Connect Login) you need an array of md5 checksums in 10MB chunks. This isn't easy to obtain - the best tool I found is the Intune App Wrapping Tool at https://github.com/msintuneappsdk/intune-app-wrapping-tool-mac. Now create package records in Jamf for each enrollment package by choosing Settings - Packages - +New and entering a package title, filename and uploading the respective manifest file.
You can now add the enrollment packages to a PreStage Enrollment and choose your https DP as the Distribution Point.
You'll find that Jamf Admin now highlights the enrollment packages in red and notifies them as missing and also complains about their absence when you replicate your Primary DP to your Replica DP. Just ignore it. Live with it. Be careful only to replicate to your Replica DP, because your un-authenticated https DP will be shown in Jamf Admin, is probably tiny and you don't want to put all your precious packages on an un-authenticated web share.
Everything else is covered in the Jamf Connect and Jamf Pro admin guides - except I found staging JCL in /tmp when customising it with a postinstall script troublesome (maybe due to the way /tmp behaves in Catalina), so I staged JCL in my /usr/local/jamfconnect folder along with my branding image and logos and that worked for me.
Posted on 07-06-2020 02:51 AM
Would you share some config files on how to set up an unauthenticated https server? We run into the same errors, but have some difficulties with the unauthenticated https server...
Posted on 07-06-2020 06:40 AM
I'm afraid I just got someone else to set it up - but I assume it's just a bog-standard public https site with a bit of smb access for uploading.
Posted on 07-06-2020 07:33 AM
@ozzyvanbrunschot Not my post but my guess, going by the Intune link posted, is that this is a bit of blob storage in Azure with SMB turned on for syncing and the access level of the blob set to Blob or Container in the Containers Overview. It'd be really useful because you could add it into the CDN but I would have mixed feelings about putting anything in a public facing server for open download.
06-24-2022 02:04 AM - edited 06-24-2022 05:33 AM
I stumbled across this post when I was having exactly the same problems as @twall, and since I haven't found any solution online apart from @peternbevan's hint about the Intune App wrapping tool (and it took me literally days to figure this out) I thought I'd post what I did to get the deployment working in case it helps any other poor soul. It's definitely not straightforward.
- Set up your unauthenticated https: storage and add it into Jamf (how you do this bit's kind of up to you, as long as you get a secure, internet-accessible share that you can upload files to, and then download again without needing to authenticate using a web browser - or curl command - then you're good to go)
- Add the share into Jamf as an additional File Share Distribution Point (Settings > Server Infrastructure)
- General Tab: Sensible name, Server = myservername.mydomain (no https in front or anything). DO NOT use as principal distribution point and DO NOT set a failover.
- File Sharing Tab: You have to fill out the fields here, but you're never going to need them (Jamf isn't managing the content of this share, you're doing it manually) so make stuff up.
- HTTP/HTTPS: Tick "Use http downloads" and "Use SSL". Port=443 (unless your server guys have told you otherwise). "Context" confused me for ages, but it's basically the name of the folder your packages are going to live in. Make life easy for yourself and use a top level folder called "JamfShare". Authentication Type = None.
Just for clarity - anything you put in this share will be accessible/downloadable by literally anyone with a web browser and basic computer skills. Don't put anything you'd regret in there.
Now your share is set up in Jamf, you need to get your PreStage Enrollment packages ready to go into it.
- Grab your vendor files (e.g. Jamf Connect). Hopefully they're signed by a trusted source or else you'll need to create yourself a signing certificate using your Jamf instance (https://travellingtechguy.blog/signing-packages-and-configuration-profiles-with-the-built-in-jamf-pr...) and fix it yourself. Not covering that here but hopefully https://simplemdm.com/certificate-sign-macos-packages/ or https://managingosx.wordpress.com/2012/03/24/fixing-packages-with-expired-signatures/ might help
- Create your bespoke packages (e.g. Branding and Scripts) and sign them using a certificate generated from Jamf. This link gives an excellent walkthrough of how to do it https://hcsonline.com/images/PDFs/Jamf_Connect_Azure.pdf
- Download and install AppManifest from https://github.com/micromdm/tools/archive/v1.zip and unzip
```shell
cd tools-1/appmanifest/
brew install go                  # assumes you have homebrew installed
go env -w GO111MODULE=off        # build in GOPATH mode; this tree has no go.mod
go get github.com/groob/plist    # plist library that appmanifest imports
go build appmanifest.go
sudo chmod 755 appmanifest
mv appmanifest /usr/local/bin
```
- Download and install Intune App Wrapper Utility from https://github.com/msintuneappsdk/intune-app-wrapping-tool-mac (you'll need this if your package is > 10 Mb in size. Jamf Connect is 11Mb!)
- To create a manifest for the Jamf Connect installer, make a copy in a local folder somewhere (in this example ~/Desktop/JamfConnect/JamfConnect.pkg ) and follow this https://www.dersoldat.org/?p=1456
```shell
appmanifest -url https://myservername.mydomain/JamfShare/JamfConnect.pkg ~/Desktop/JamfConnect/JamfConnect.pkg > ~/Desktop/JamfConnect/JamfConnect_manifest.plist
```
- If your package exceeds 10Mb, you'll need to also create an Intune App Wrapper file, so you can then extract the accurate md5 stuff (in this example, JamfConnect.pkg in a Desktop folder called "JamfConnect"). The -o command needs a folder name, not a filename. That confused me for ages.
```shell
IntuneAppUtil -c ~/Desktop/JamfConnect/JamfConnect.pkg -o ~/Desktop/JamfConnect/intune/
# run from ~/Desktop/JamfConnect so the relative intune/ path resolves
IntuneAppUtil -r intune/JamfConnect.pkg.intunemac > extracted_details.txt
```
- Now the weird bit. Open the "extracted_details.txt" file in a text editor and find the "MD5HashChunkSize Size" value. Copy it to your clipboard. Now open the previously created "JamfConnect_manifest.plist" with a plain text editor and replace whatever the "md5-size" value is with the value in your clipboard. (I'm going to assume that the Hash values are the same in both files - they certainly were in mine).
- Save the updated JamfConnect_manifest.plist file
- Repeat for any other pkg files you need to prestage. If they're <10 Mb you only need to run the appmanifest command, and can ignore the IntuneAppUtil stuff.
Manually Create the package in Jamf and add it to your PreStage workflow:
- Copy the pkg file(s) onto your https:// share
- Check they're downloadable by pointing a web browser at the file and downloading them without authentication
- In Jamf: Settings > Computer Management > Packages > New
- Display Name: whatever's sensible (I put https in my name to make it obvious)
- Filename: exact name of file e.g. JamfConnect.pkg
- Upload your manifest file
- Save
Now you should be able to add the Package(s) into your PreStage and deploy them at point of enrollment. It's really hard to troubleshoot when they fail (fun fact: installing the same packages via a policy to test the install doesn't actually use the manifest, so won't show you when that's wrong. There went another few hours of my life). In theory you can use this command to troubleshoot PreStage installs (but I couldn't work out what I was meant to be looking for):
```shell
log show --predicate 'processImagePath contains "mdmclient" OR processImagePath contains "storedownloadd"' --debug --info --last 1h
```
As long as the package installs manually, the failure can only be due to inability to download over unauthenticated https, untrusted, expired or missing package certificate or incorrect manifest. Good luck working out which.
I really hope that helps someone else. Jamf Connect is awesome when it actually installs.
Best of luck - you may need it!
Random, useful, Jamf Connect links:
https://hcsonline.com/images/PDFs/Jamf_Connect_Azure.pdf
https://www.jamf.com/blog/zero-touch-deployment-with-jamf-pro-and-jamf-connect/
https://github.com/jamf/jamfconnect
https://docs.jamf.com/jamf-connect/2.3.3/administrator-guide/Editing_the_macOS_loginwindow_Applicati... (handy when you mess up)
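The two write-ups above (peternbevan's and the step-by-step one) both hand-build the manifest and hand-patch `md5-size` from IntuneAppUtil output; the following is an added example, not code from the thread or from Jamf, that generates the same manifest for a package of any size and verifies an existing manifest against the package (or against what you curl back from the share) before it goes into a PreStage. The URL, title, bundle identifier and version are placeholders; the 10485760-byte chunk size and the `items/assets/metadata` key layout follow Apple's InstallApplication manifest template.

```python
"""Build and verify an Apple InstallApplication manifest for a .pkg staged on an
unauthenticated HTTPS distribution point (added example, not from the thread).
On an open share the manifest is the only integrity control: the device checks
each downloaded slice against md5s, so md5-size must equal the chunk size the
hashes were computed with (the value the thread patches in from IntuneAppUtil)."""
import hashlib
import io
import plistlib

CHUNK_SIZE = 10 * 1024 * 1024  # 10485760 bytes, the md5-size in Apple's template

def _reader(src):
    """Accept a file path or an in-memory bytes object (e.g. a curl'd copy)."""
    return io.BytesIO(src) if isinstance(src, (bytes, bytearray)) else open(src, "rb")

def chunk_md5s(src, chunk_size=CHUNK_SIZE):
    """Hex MD5 of each chunk_size slice of the package, in file order."""
    digests = []
    with _reader(src) as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digests.append(hashlib.md5(block).hexdigest())
    return digests

def build_manifest(src, url, title, bundle_id, version, chunk_size=CHUNK_SIZE):
    """Manifest dict in the layout Jamf accepts under Settings > Packages.
    bundle_id/version are whatever your pkg declares; placeholders here."""
    md5s = chunk_md5s(src, chunk_size)
    with _reader(src) as fh:
        size = fh.seek(0, io.SEEK_END)  # file length without re-reading it
    return {"items": [{
        "assets": [{"kind": "software-package", "md5-size": chunk_size,
                    "md5s": md5s, "url": url}],
        "metadata": {"bundle-identifier": bundle_id, "bundle-version": version,
                     "kind": "software", "sizeInBytes": size, "title": title},
    }]}

def manifest_plist(manifest):
    """XML plist bytes; write them to JamfConnect_manifest.plist and upload."""
    return plistlib.dumps(manifest)

def verify_manifest(manifest, src):
    """Recompute hashes with the manifest's own md5-size; [] means it matches,
    otherwise every mismatch is listed (run before adding it to a PreStage)."""
    asset = manifest["items"][0]["assets"][0]
    chunk_size = asset.get("md5-size")
    if not isinstance(chunk_size, int) or chunk_size <= 0:
        return ["md5-size missing or not a positive integer"]
    actual, expected = chunk_md5s(src, chunk_size), asset.get("md5s", [])
    problems = []
    if len(actual) != len(expected):
        problems.append(f"chunk count: manifest {len(expected)}, package {len(actual)}")
    for i, (a, e) in enumerate(zip(actual, expected)):
        if a.lower() != e.lower():
            problems.append(f"chunk {i}: manifest {e}, package {a}")
    size = manifest["items"][0].get("metadata", {}).get("sizeInBytes")
    with _reader(src) as fh:
        if size is not None and size != fh.seek(0, io.SEEK_END):
            problems.append(f"sizeInBytes {size} does not match the package")
    return problems
```

A package under one chunk in size simply yields a one-element `md5s` array, which is the small-file case peternbevan describes.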
Posted on 02-07-2023 05:45 PM
This guide is intense and exactly what I need to fill in some holes in my knowledge and set this up quickly. Thanks a ton, mate.
Posted on 06-24-2022 09:00 AM
I stumbled across this post when I was having exactly the same problems as @twall, and since I haven't found any solution online apart from @peternbevan's hint about the Intune App wrapping tool (and it took me literally days to figure this out) I thought I'd post what I did to get the deployment working in case it helps any other poor soul. It's definitely not straightforward.
(Edit: I've tried to post this solution several times and it keeps vanishing. Not sure why. For a last ditch attempt I'm going to break it up into multiple, smaller replies to see what happens)
Posted on 06-24-2022 09:03 AM
Random, useful, Jamf Connect links:
https://hcsonline.com/images/PDFs/Jamf_Connect_Azure.pdf
https://www.jamf.com/blog/zero-touch-deployment-with-jamf-pro-and-jamf-connect/
https://docs.jamf.com/jamf-connect/2.12.0/documentation/Notify_Screen.html?hl=notify%2Cscreen%2Cjamf...
https://github.com/jamf/jamfconnect
https://docs.jamf.com/jamf-connect/2.3.3/administrator-guide/Editing_the_macOS_loginwindow_Applicati... (handy when you mess up)
Posted on 06-27-2022 01:32 AM
Well that's embarrassing...