Posted on 05-18-2015 02:20 AM
Hey folks,
We recently switched from our default builtin self assigned SSL certificate to a properly signed certificate from an external CA.
I created a policy which would update the JSS Url on all of our clients, as follows.
defaults write /Library/Preferences/com.jamfsoftware.jamf.plist jss_url https://casper.domain.com:8443
What else do I need to do, if anything? One thought is the MDM profile. Does this need to be deleted and reapplied? If yes, what does that actually look like? Is it asking each user to re-enroll, or can I manage it completely unnoticed over ssh or some other remote management tools? The reason I ask about MDM is because in System Preferences the "server" URL is still the old one, and I suspect some of my smart groups are not updating properly, potentially because of this also.
So what is the best practice, and next steps when changing the JSS Url?
Posted on 05-18-2015 04:41 AM
Hey,
I actually just went through this very recently and it's a bit of a headache. The issue I had was that even after updating the MDM Profile server entry it still reported the old URL if I included Update Inventory in the actual script. This is how I tackled it but there are probably better ways of doing it.
First off, I created an Extension Attribute called MDM Profile Server URL to check which Server URL is present on the clients:
#!/bin/bash
#
# Created by Love Bååk 2015-04-29
# Assisted by Mattias Hedlund
#
# This Extension Attribute checks if the user has the old MDM profile by grepping which URL is present in the MDM Profile's Server entry
#
# Extension Attributes already run as root, so no sudo is needed.
# The listing quotes the URL (ServerURL = "https://...";), so match the URL as a
# fixed substring instead of comparing the whole line.
mdm_server_url=$(/usr/bin/profiles -Lv -o stdout | grep ServerURL | sed -e 's/^[[:space:]]*//')
if echo "$mdm_server_url" | grep -qF 'https://jss.YOUR_CORRECT_URL.com:8443//computer/mdm'; then
    echo "<result>New URL</result>"
else
    echo "<result>Old URL</result>"
fi
exit 0
I then created this script:
#!/bin/bash
#
# MDM Profile Update Script
#
# Created by Love Bååk 2015-05-08
# Special thanks to Mattias Hedlund, rtrouton and jamfnation threads!
#
# This script checks communication with an internal server, ensures that the
# JSS is reachable, and then removes and re-installs the MDM profile.
#
internalServer='server.only.accessible.from.inside.your.network'
# One ping, with the macOS ping timeout (-t, seconds); output is discarded.
if ping -c 1 -t300 "$internalServer" >/dev/null 2>&1; then
    echo "Server is reachable. Proceeding with JSS check..."
else
    echo "Server is not reachable. Exiting..."
    exit 1
fi
# Verifies that the client machine can communicate with the JSS server
jss_connection=$(/usr/sbin/jamf checkJSSConnection -retry 2 >/dev/null; echo $?)
if [[ "$jss_connection" -gt 0 ]]; then
    echo "Machine cannot connect to the JSS. Exiting..."
    exit 2
elif [[ "$jss_connection" -eq 0 ]]; then
    echo "Machine can connect to the JSS. Proceeding with MDM profile update..."
    sleep 5
    /usr/sbin/jamf removeMdmProfile -verbose
    echo "MDM Profiles have been removed"
    sleep 5
    /usr/sbin/jamf manage -verbose
    echo "MDM Profiles have been re-added"
    sleep 5
    /usr/sbin/jamf recon
    echo "Inventory submitted"
    sleep 5
fi
echo "All done!"
exit 0
I then created a policy with this script scoped towards the above MDM Profile Server URL Extension Attribute with "Once per computer" as the Execution Frequency. Still, for some odd reason, all clients reported the old URL until I actually forced the Update Inventory in a separate policy. So I created a new Update Inventory policy, set it to Ongoing and scoped it towards a Smart Group with the criteria MDM Profile Server URL is Old URL.
The only problem I found with it is that I have to manually flush the policy from time to time. So, as I said, the script has its quirks but it works well enough for us anyway :)
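An added check, written for this thread and not part of the original post, that shows what the Extension Attribute above is really testing: it pulls the host out of the ServerURL line of a profiles -Lv -o stdout listing and compares it with the host in the jss_url the jamf binary reads, reporting "Old URL" whenever the MDM profile still points at the previous server. The listing, the hostnames and the profile identifier are constructed samples so the script runs offline; on a real client substitute the live commands named in the comments.

```bash
#!/bin/bash
# Added example: reconcile the MDM profile's ServerURL with the configured jss_url.
# On a real client the two inputs come from:
#   /usr/bin/profiles -Lv -o stdout
#   defaults read /Library/Preferences/com.jamfsoftware.jamf.plist jss_url

# Constructed sample of the profile listing; the client is still enrolled against the old server.
SAMPLE_PROFILES='_computerlevel[1] attribute: name: MDM Profile
_computerlevel[1] attribute: profileIdentifier: 00000000-0000-0000-A000-PLACEHOLDER
            ServerURL = "https://oldjss.example.com:8443//computer/mdm";
            Topic = "com.apple.mgmt.External.PLACEHOLDER";'

# Extract host:port from the ServerURL line, ignoring indentation, quotes and the /computer/mdm path.
mdm_host_from_listing() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*ServerURL = "\{0,1\}https\{0,1\}:\/\/\([^/"]*\).*/\1/p' \
        | head -n 1
}

# Extract host:port from a jss_url value such as https://casper.domain.com:8443
jss_host_from_url() {
    printf '%s\n' "$1" | sed -n 's/^https\{0,1\}:\/\/\([^/]*\).*/\1/p'
}

# Emit the same <result> values the EA in the thread uses.
# Returns 0 when the profile matches jss_url, 1 when it points elsewhere, 2 when no ServerURL was found.
check_mdm_matches_jss() {
    listing="$1"
    jss_url="$2"
    mdm_host=$(mdm_host_from_listing "$listing")
    jss_host=$(jss_host_from_url "$jss_url")
    if [ -z "$mdm_host" ]; then
        echo "<result>No MDM profile</result>"
        return 2
    elif [ "$mdm_host" = "$jss_host" ]; then
        echo "<result>New URL</result>"
        return 0
    else
        echo "<result>Old URL</result>"
        return 1
    fi
}

# Sample run against the constructed listing and a new jss_url.
if check_mdm_matches_jss "$SAMPLE_PROFILES" "https://casper.example.com:8443"; then
    echo "MDM profile and jss_url agree"
else
    echo "MDM profile still points at the old server; the removeMdmProfile/manage policy is still needed"
fi
```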
Posted on 05-18-2015 04:56 AM
We were also looking to change the JSS URL however I have hesitated because I had been told that all mobile devices/iPads would instantly drop off management requiring us to immediately re-enroll them all to get them on the new JSS URL.
Has anyone found a way around this?
Gabe Shackney
Princeton Public Schools
Posted on 05-18-2015 06:00 AM
As far as the MDM cert on iOS goes, I'm afraid the only option, should you change your JSS management URL, is to recreate your Push certificate with the new URL and to install / deploy this to every iOS device.
Darren
Posted on 05-19-2015 03:11 AM
Thank you all for your feedback.
Posted on 05-19-2015 06:45 PM
@love.baak One thing that I have been doing recently is trying to have the EA actually remediate the issue that it is checking for. Since an EA is really just a script that runs at inventory update, you can leverage (with some additional logic) them to fix the thing you are checking for.
Obviously there are some times where you want the extra feedback you can get with a policy but other times it's nice just to have it go ahead and fix it!