policies triggered 'Enrollment Complete'

tcandela
Valued Contributor II

I'm still at 9.51.

when Mavericks casper imaging configuration completes, policies that are set to run at 'Enrollment Complete' do not get triggered. If I enroll via quickaddpkg the policies run as expected.

anyone have any insight on what might be the cause ?

20 REPLIES 20

mm2270
Legendary Contributor III

Are you certain in the case of it not running that the Macs are actually being enrolled at the end of the imaging run? I've seen/heard of others having problems with their Macs not being auto enrolled after going through a Casper Imaging run, even though they should be. The fix for them has been to include a Recon.app generated QuickAdd.pkg to the package list in the Configuration.

I'm wondering if that's why no policies are running for you - the Macs are in fact, not being enrolled. No enrollment = no policies.

rdwhitt
Contributor II

Do you happen to have autorun data set for these computers? For us, if we have autorun data set, the computer does enroll but the enrollment complete trigger doesn't fire. In this case adding a quickadd to the configuration allows everything to work.

If we do not have autorun data set then everything works as expected.

tcandela
Valued Contributor II

The computer is definitely getting enrolled. It is showing up in my Site, and the JSS info shows Last Enrollment: today at 12:20pm.

here is my JAMF.log, about 20 rows in shows 'enroll complete' but no policies ran. Half way down shows where i ran 'SUDO JAMF POLICY' which then installed those policies that should have ran after 'enrollment complete' (set network time & server, the browser, Gut image.pkg)

Wed Oct 07 12:18:19 SNHS-G01LAB-I jamf[656]: Creating .AppleSetupDone...
Wed Oct 07 09:20:41 SNHS-NHSIT3-P jamf[3116]: Setting home page to 'http://**.edu/' for Existing Users and User Templates
Wed Oct 07 09:20:46 IT3-P jamf[3135]: Creating user jssadmin...
Wed Oct 07 09:21:03 IT3-P jamf[3527]: Installing Adobe Acrobat XI Pro.pkg...
Wed Oct 07 09:22:19 IT3-P jamf[3135]: Enforcing management framework...
Wed Oct 07 09:22:23 IT3-P jamf[3135]: Enforcing scheduled tasks...
Wed Oct 07 09:22:23 IT3-P jamf[3135]: Adding launchd task com.jamfsoftware.task.1...
Wed Oct 07 09:22:23 IT3-P jamf[3135]: Creating launch daemon...
Wed Oct 07 09:22:23 IT3-P jamf[3135]: Downloading the agent...
Wed Oct 07 09:22:24 IT3-P jamf[3135]: Creating launch agent...
Wed Oct 07 09:22:24 IT3-P jamf[3135]: Installing Self Service plug-in Blackboard...
Wed Oct 07 09:22:24 IT3-P jamf[3135]: Installing Self Service plug-in Box...
Wed Oct 07 09:22:24 IT3-P jamf[3135]: Installing Self Service plug-in Google Apps...
Wed Oct 07 09:22:25 IT3-P jamf[3815]: Informing the JSS about login for user adobeinstall
Wed Oct 07 09:22:25 IT3-P jamf[3135]: Installing Self Service plug-in GMS...
Wed Oct 07 09:22:25 IT3-P jamf[3135]: Installing Self Service plug-in MyAccess...
Wed Oct 07 09:22:25 IT3-P jamf[3135]: Installing Self Service plug-in Service Center...
Wed Oct 07 09:22:25 IT3-P jamf[3815]: Failed to load launchAgent for user adobeinstall
Wed Oct 07 09:22:27 IT3-P jamf[3831]: Checking for policies triggered by "enrollmentComplete"...
Wed Oct 07 09:22:28 SNHS-NHSIT3-P jamf[3831]: Upgrading jamf binary...
Wed Oct 07 09:22:28 SNHS-NHSIT3-P jamf[3831]: The management framework will be enforced as soon as all policies are done executing.
Wed Oct 07 09:22:29 IT3-P jamf[3831]: Upgrading jamfHelper.app...
Wed Oct 07 09:22:29 IT3-P jamf[3831]: Upgrading JAMF notification service...
Wed Oct 07 09:22:29 IT3-P jamf[3831]: Upgrading Self Service.app...
Wed Oct 07 09:22:30 IT3-P jamf[3831]: Adding launchd task com.jamfsoftware.task.checkForTasks...
Wed Oct 07 09:22:31 IT3-P jamf[3935]: Enforcing management framework...
Wed Oct 07 09:22:32 IT3-P jamf[3935]: Enforcing scheduled tasks...
Wed Oct 07 09:22:32 IT3-P jamf[3935]: Removing existing launchd task /Library/LaunchDaemons/com.jamfsoftware.task.1.plist...
Wed Oct 07 09:22:32 IT3-P jamf[3935]: Adding launchd task com.jamfsoftware.task.1...
Wed Oct 07 09:22:34 IT3-P jamf[3935]: Creating launch daemon...
Wed Oct 07 09:22:34 IT3-P jamf[3935]: Creating launch agent...
Wed Oct 07 09:22:34 IT3-P jamf[3935]: Existing plug-in, 1.plist, is up to date.
Wed Oct 07 09:22:34 IT3-P jamf[3935]: Existing plug-in, 2.plist, is up to date.
Wed Oct 07 09:22:34 IT3-P jamf[3935]: Existing plug-in, 3.plist, is up to date.
Wed Oct 07 09:22:35 IT3-P jamf[3935]: Existing plug-in, 4.plist, is up to date.
Wed Oct 07 09:22:35 IT3-P jamf[3935]: Existing plug-in, 5.plist, is up to date.
Wed Oct 07 09:22:35 IT3-P jamf[3935]: Existing plug-in, 6.plist, is up to date.
Wed Oct 07 09:22:35 SNHS-NHSIT3-P jamf[3974]: Failed to load launchAgent for user adobeinstall
Wed Oct 07 09:23:16 SNHS-NHSIT3-P jamf[3527]: Successfully installed Adobe Acrobat XI Pro.pkg.
Wed Oct 07 09:23:16 SNHS-NHSIT3-P jamf[4675]: Installing Office 2011 051815.dmg...
Wed Oct 07 09:30:40 IT3-P jamf[4839]: Installing AdobeAcrobatProUpd11012.pkg...
Wed Oct 07 09:34:03 IT3-P jamf[4839]: Successfully installed AdobeAcrobatProUpd11012.pkg.
Wed Oct 07 09:34:04 IT3-P jamf[15718]: Installing Office2011Update1455.pkg...
Wed Oct 07 09:37:11 IT3-P jamf[15718]: Successfully installed Office2011Update1455.pkg.
Wed Oct 07 09:37:14 IT3-P jamf[18436]: Creating user nhsit...
Wed Oct 07 09:37:20 IT3-P jamf[18471]: Creating user user...
Wed Oct 07 09:38:03 IT3-P jamf[18913]: Deleting user adobeinstall...
Wed Oct 07 09:38:03 IT3-P jamf[18913]: Deleting home directory for adobeinstall...
Wed Oct 07 09:38:06 IT3-P jamf[18924]: Reboot. Immediately.
Wed Oct 07 09:38:06 IT3-P jamf[18924]: Rebooting computer immediately...
Wed Oct 07 09:39:11 IT3-P jamf[198]: Checking for policies triggered by "startup"...
Wed Oct 07 09:48:52 IT3-P jamf[428]: Checking for policies triggered by "login" for user "user"...

* this is where i ran SUDO JAMF POLICY to install policies that should have installed after enrollment

Wed Oct 07 09:59:35 IT3-P jamf[693]: Checking for policies triggered by "recurring check-in"...
Wed Oct 07 09:59:36 IT3-P jamf[693]: Executing Policy Install Tanium Client...
Wed Oct 07 09:59:37 IT3-P jamf[693]: Verifying package integrity...
Wed Oct 07 09:59:38 IT3-P jamf[693]: Installing TaniumClient-11-26-2014-1.dmg...
Wed Oct 07 09:59:48 IT3-P jamf[693]: Executing Policy Set Network Time Server & Zone...
Wed Oct 07 12:59:49 IT3-P jamf[693]: Executing Policy Adobe Flash Player...
Wed Oct 07 13:00:10 IT3-P jamf[693]: Executing Policy Cache Ugrade to Yosemite InstallESD.dmg...
Wed Oct 07 13:01:46 IT3-P jamf[693]: Executing Policy Daily Recon...
Wed Oct 07 13:01:46 IT3-P jamf[693]: Executing Policy Dock Item Self Service...
Wed Oct 07 13:01:48 IT3-P jamf[693]: Executing Policy Firefox Web Browser...
Wed Oct 07 13:02:29 IT3-P jamf[693]: Executing Policy Google Chrome Web Browser...
Wed Oct 07 13:03:17 IT3-P jamf[693]: Executing Policy Install Image File...
Wed Oct 07 13:03:17 IT3-P jamf[693]: Verifying package integrity...
Wed Oct 07 13:03:17 IT3-P jamf[693]: Installing GUt Image.pkg...
Wed Oct 07 13:03:21 IT3-P jamf[693]: Successfully installed GUt Image.pkg.
Wed Oct 07 13:03:22 IT3-P jamf[693]: Executing Policy Symantec EP v12.1.5...
Wed Oct 07 13:03:22 IT3-P jamf[693]: Verifying package integrity...
Wed Oct 07 13:03:23 IT3-P jamf[693]: Installing SymantecEPv1215.pkg...
Wed Oct 07 13:04:29 IT3-P jamf[693]: Successfully installed SymantecEPv1215.pkg.
Wed Oct 07 13:04:29 IT3-P jamf[693]: Verifying package integrity...
Wed Oct 07 13:04:29 IT3-P jamf[693]: Installing SymantecEPv1215Uninstaller.pkg...
Wed Oct 07 13:04:33 IT3-P jamf[693]: Successfully installed SymantecEPv1215Uninstaller.pkg.
Wed Oct 07 13:04:34 IT3-P jamf[693]: Executing Policy Turn ON Firewall...
Wed Oct 07 13:04:34 IT3-P jamf[693]: Executing Policy Update Inventory...
Wed Oct 07 13:26:08 IT3-P jamf[1872]: Checking for policy ID 115...
Wed Oct 07 13:26:09 IT3-P jamf[1872]: Executing Policy Set Network Time Server & Zone...
Wed Oct 07 13:26:58 IT3-P jamf[1946]: Checking for policies triggered by "logout" for user "nhsuser"...
Wed Oct 07 13:26:58 IT3-P jamf[1946]: Executing Policy APPLE SOFTWARE UPDATE @ LOGOUT...
Wed Oct 07 13:26:58 IT3-P jamf[1946]: Installing all available Software Updates...
Wed Oct 07 13:27:16 IT3-P jamf[1946]: A reboot was required with one or more of the installed updates.
Wed Oct 07 13:27:33 IT3-P jamf[1946]: Blessing i386 OS X System on /...
Wed Oct 07 13:27:33 IT3-P jamf[2359]: Reboot. 10.4+. Background.
Wed Oct 07 13:27:33 IT3-P jamf[2359]: Adding launchd task to reboot...
Wed Oct 07 13:27:34 IT3-P jamf[2382]: Reboot. Immediately.
Wed Oct 07 13:27:34 IT3-P jamf[2382]: Rebooting computer immediately...
Wed Oct 07 13:30:27 IT3-P jamf[203]: Checking for policies triggered by "startup"...
Wed Oct 07 13:31:01 IT3-P jamf[374]: Checking for policies triggered by "login" for user "nhsuser"...
Wed Oct 07 13:36:24 IT3-P jamf[189]: Checking for policies triggered by "startup"...
Wed Oct 07 13:36:32 IT3-P jamf[314]: Checking for policies triggered by "login" for user "nhsuser"...
Wed Oct 07 14:07:16 IT3-P jamf[620]: Checking for policy ID 448...
Wed Oct 07 14:07:18 IT3-P jamf[620]: Executing Policy Google Drive...
Wed Oct 07 14:07:18 IT3-P jamf[620]: Verifying package integrity...
Wed Oct 07 14:07:20 IT3-P jamf[620]: Installing Google Drive.pkg...
Wed Oct 07 14:07:47 IT3-P jamf[620]: Successfully installed Google Drive.pkg.
Wed Oct 07 14:09:00 IT3-P jamf[1097]: Checking for policies triggered by "logout" for user "user"...
Wed Oct 07 14:14:28 IT3-P jamf[1211]: Checking for policies triggered by "login" for user "user"...

tcandela
Valued Contributor II

I do not have any auto run imaging options set

dferrara
Contributor II

@tcandela I've had this issue for months with Yosemite and 9.65. Super annoying. The only way I've found to fix it is to completely erase the computer record in question. Then, the policies run as normal.

I ended up filing a bug report with JAMF. It turns out (if this is the same issue) it's a known defect, although you won't find it in the Release Notes proper.

For that reason, I recommend upvoting this Feature Request.

I also suggest contacting JAMF and filing your own bug report. This bug hasn't received much traction from the community but it's a big problem for environments that rely on the enrollment trigger.

My case was apparently merged with D-006509, if that's helpful.

tcandela
Valued Contributor II

Prior to deleting the computer from the JSS I send the remote management command to remove the MDM profile (making sure it displays MDM=NO) and then from the computer itself I run the command 'JAMF removeFramework'.

Does this completely erase the computers record ?

mm2270
Legendary Contributor III

removeFramework only removes the local JAMF items from the Mac. It won't remove it from the JSS' inventory. You need to do that in the JSS UI. It can also be done with scripting and the JSS API.

Edit: Sorry, I read too quickly and didn't see that you are going in and deleting them from the JSS. The commands you're doing shouldn't really be necessary though if they are getting wiped and re-imaged. Just delete it from the JSS.

But taking a step back, are we talking about policies that are set to run 'once per computer' that are not running again after re-imaging? The JSS, or Casper Imaging is supposed to, I thought, run a flushPolicyHistory command on the Mac upon re-imaging so any once per computer policies get run again. Just wondering if the policy log isn't getting flushed when its re-enrolled perhaps.

tcandela
Valued Contributor II

The policies are once per computer. Enrollment complete does not trigger it, but if I run 'jamf policy' at command line the policies run. So the policy history looks to be flushed.

I have the policies setup with two triggers,
--- enrollment complete
--- recurring checkin

When I run a config that installs OS, the computer either has been wiped and/or I check 'wipe drive'. If it's a new Mac I do a thin imaging just applications.

makander
Contributor

I'm having this issue too, I'm glad I'm not the only one experiencing it. It's a really annoying problem though.

For me it's adding user accounts with Enrollment Complete that doesn't work anymore.

Running 10.10.5 images, Casper 9.81, Server.app 5.04.

Machines are displayed as "Enrolled" within the JSS.

Removing the Computer record and re-imaging doesn't help either.

And my solution to the problem is to create smart groups with "Last Enrollment" set to Less than: 1 day and deploy those polices through that instead of using the "Enrollment Complete" trigger.

tcandela
Valued Contributor II

Before I created a group and called it prestage, the criteria would be the SN of the computer I'm enrolling, I put that into the policies scope and i believe it would then run the policies after enrollment.
Right now I have the scope set at 'All Computers', I'll readd the 'prestage' group to the policies scope and test enroll a new computer

Dalmatian
Contributor

Same issue here as @makander , my policy triggered " enrollment completes" stops working on Yosemite on Oct 12. and on the same day, we upgraded jss to 9.81.
weird thing is i freshly enrolled a El Capitan, the policy works.

maybe something changed by the upgrade on server side?

makander
Contributor

This issue occurred for me before I upgraded to 9.81. I think it stopped working around the same week 5.04 was released but that's probably just a coincidence.

I upgraded as part of a troubleshooting step from Jamf.

Edit: I'm still having this problem, ordinary polices work, enrollment complete doesn't.

makander
Contributor

Last update on this is from my correspondence with Jamf.

" We have seen some product issues open up with the enrollment complete trigger and I would recommend utilizing a different trigger for your policies. The issues were popping up on 9.8 and 9.81 and the workarounds are to use another trigger. I have associated this case to the defect. Please don't hesitate to reach out if anything else comes up."

I've stopped using the enrollmentComplete trigger all together now.

tcandela
Valued Contributor II

upgraded to 9.81 a few weeks ago. EnrollmentComplete trigger is working now for me.

tcandela
Valued Contributor II

actually just enrolled a macbook air and EnrollmentComplete trigger did not work. Looked like this issue ended for me but has started up again.

chris_kemp
Contributor III

Seems that this issue just reared its head for us...the Enrollment Completed trigger was working fine, until an upgrade to 9.82 yesterday morning. Not sure what's up here...but we're trying to remove use of this trigger at the moment, because post-install config of new installations are dead in the water.

ant89
Contributor

I wish i seen this sooner. We have just upgraded to 9.82 last night and our enrollment complete trigger is not working.

FrankPicken
New Contributor

Now we have this issue to.
Updated to 9.82 yesterday, no enrollment trigger will be executed.
has anyone a solution?
Has anyone a script to get the last enrollment?
thank you.

dferrara
Contributor II

@acorn @FrankPicken Try running a policy with

sudo jamf policy -trigger enrollmentComplete

as a workaround. The trigger still works for me this way.

ant89
Contributor

I may have found a fix.

I have updated our netboot image and used autocasperNBI to create it. I have updated it with casper imaging 9.82 and it seems to have fixed the enrollment complete trigger. I imaged my test machine twice and the policies with this trigger works as expected.