Policies with startup trigger fail to run

howie_isaacks
Valued Contributor II

My company uses Global Protect to keep all of us connected when we're not in the office. For the most part, Global Protect works well. The way we're set up is if GP is not connected we have no internet access. This results in any policies that I set up to run at startup failing. The Jamf log will show "Connection failure: The Internet connection appears to be offline." I asked one of our firewall guys to add an exception to allow Macs to connect to the Jamf Pro server whether GP is connected or not. This doesn't appear to be working so I want to get some advice on an idea that I have. I want to create a launch agent to ensure that an inventory is run right after the user is logged in. Also, after my zero touch provisioning process is finished, and the user reboots, I want the first policy that runs after the user logs in to be the one I have set up to check to make sure that all of the apps that should have installed through ZTP did install and then install any that are missing. The way things are now, there's about a 15 minute wait before the inventory runs and the "Post ZTP" policy runs. I want them to run much sooner. They would have run right away if GP had connected quickly enough! I think a launch agent or a launch daemon that would run a "jamf policy" command would solve that. Does anyone have another suggestion that you feel may work better? In the past I have used the startup trigger to run an inventory and it has always worked. It's Global Protect not connecting on time that is the root of this problem. Until that is solved I want the inventory to run right after the user reboots.
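The launch daemon idea from the post, as an added example (not code from the original post or from Jamf): a script that a LaunchDaemon starts at boot, polls `jamf checkJSSConnection` until the Jamf Pro server is actually reachable (so a VPN that finishes connecting a few minutes after login does not make the run fail the way the startup trigger does), then submits inventory with `jamf recon` and fires the "Post ZTP" check policy with `jamf policy -event`. The daemon label `com.example.postlogin-jamf`, the custom trigger name `postZTP`, the script and log paths, and the 15-minute ceiling are assumptions; substitute your own.

```bash
#!/bin/bash
# Hypothetical helper for the LaunchDaemon approach described in the post (example, not Jamf code).
# Polls until the Jamf Pro server is reachable, then does what the startup-trigger policies
# would have done. Invoke as "run" (from launchd) or "install" (once, as root).

JAMF_BIN="${JAMF_BIN:-/usr/local/bin/jamf}"      # jamf binary; overridable for testing
MAX_WAIT="${MAX_WAIT:-900}"                       # give up after this many seconds (15 min, assumed)
POLL_INTERVAL="${POLL_INTERVAL:-10}"              # seconds between reachability checks
POST_ZTP_TRIGGER="${POST_ZTP_TRIGGER:-postZTP}"   # assumed custom trigger of the "Post ZTP" policy
LOG_TAG="postlogin-jamf"

log() {
  # Syslog/unified log when logger is available; stdout is captured by launchd via StandardOutPath.
  command -v logger >/dev/null 2>&1 && logger -t "$LOG_TAG" "$1" 2>/dev/null || true
  echo "$1"
}

# Block until Jamf Pro answers or MAX_WAIT elapses. Returns 0 when reachable, 1 on timeout.
wait_for_jss() {
  waited=0
  while [ "$waited" -lt "$MAX_WAIT" ]; do
    if "$JAMF_BIN" checkJSSConnection >/dev/null 2>&1; then
      log "Jamf Pro reachable after ${waited}s"
      return 0
    fi
    sleep "$POLL_INTERVAL"
    waited=$((waited + POLL_INTERVAL))
  done
  log "Jamf Pro still unreachable after ${MAX_WAIT}s; giving up"
  return 1
}

# Inventory first, then the policy that verifies the ZTP installs and fills in anything missing.
run_post_login_tasks() {
  wait_for_jss || return 1
  "$JAMF_BIN" recon || log "recon failed"
  "$JAMF_BIN" policy -event "$POST_ZTP_TRIGGER" || log "policy -event $POST_ZTP_TRIGGER failed"
  return 0
}

# Write a LaunchDaemon plist (label and paths are assumptions) that runs "<script> run" at boot as root.
write_launchdaemon_plist() {
  plist_path="$1"
  script_path="$2"
  cat > "$plist_path" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.postlogin-jamf</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/bash</string>
    <string>${script_path}</string>
    <string>run</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>StandardOutPath</key><string>/var/log/postlogin-jamf.log</string>
  <key>StandardErrorPath</key><string>/var/log/postlogin-jamf.log</string>
</dict>
</plist>
EOF
}

case "${1:-}" in
  run)
    run_post_login_tasks
    ;;
  install)
    # Run once from the script's final absolute location, then:
    #   sudo launchctl bootstrap system /Library/LaunchDaemons/com.example.postlogin-jamf.plist
    write_launchdaemon_plist "/Library/LaunchDaemons/com.example.postlogin-jamf.plist" "$0"
    ;;
esac
```

A LaunchDaemon rather than a LaunchAgent is used because `jamf recon` and `jamf policy` need root, and `RunAtLoad` at boot is fine here since the polling loop, not login timing, decides when the commands actually fire. The ceiling exists so a Mac that never gets a tunnel does not loop forever; the log line it leaves is what you would look for when the firewall exception is tested again.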

4 REPLIES

jamf-42
Valued Contributor II

Internet access for JAMF IP ranges and ports, along with the Apple 17.x block, all need to be whitelisted and allowed. Blocking this will always cause issues. Fix Global Protect... rather than fudging a fix in JAMF.

howie_isaacks
Valued Contributor II

I totally agree, but when you work for a large company you can't always get what you want. I did talk to the person who can make the change. He insisted that we are allowing connectivity to Jamf Pro. He showed me the traffic rules. We're also not blocking MDM traffic coming from Apple. I will work on creating a launch daemon to make this work.

easyedc
Valued Contributor II

Just wondering, did you create a profile to allow Global Protect to be a login item? Also, if you're still having network issues, how does Global Protect work with cert pinning? That's always caused issues wherever I've been with services like Zscaler. They deny traffic thinking that the pinned certs are man in the middle, if I recall.

howie_isaacks
Valued Contributor II

Nothing is wrong with Global Protect, except that it sometimes takes a while to establish a connection. It auto-launches. It's just annoying me that my policies with a startup trigger don't run as expected. They will if GP is not installed.