Prestage Enrollment packages are no longer deploying

scottfeit
New Contributor II

Hi all,

Our Prestage Enrollment process involves deploying 6 profiles, adding 1 admin account, and installing 4 packages: branding, DEPNotify, Jamf Connect Login, and Jamf Connect Sync. As of 2021-07-09, none of the packages appear to install as part of Prestage Enrollment. Looking at /private/var/log/jamf.log, it appears policies triggered by "enrollmentComplete" do kick off, but policies triggered by "start-depnotify" (which is a command in the DEPNotify post-install script) do not. I have created a brand new Prestage Enrollment using the same packages, and it also does not work. I have removed all packages except DEPNotify, and that also does not work. Technically, the other packages do install, but only because they are also triggered by "enrollmentComplete." DEPNotify is not, as that's not the recommendation per the setup guide.

In searching, it seems the most common issue was unsigned packages, but again these were working fine until 2021-07-09, so that isn't it.

I did consider recreating the DEPNotify package, but again, since it's not the only package not installing in prestage, I don't think that's it. Plus it does install if added to a policy and I call that policy manually.

I did make a presumably unrelated change on 2021-07-08 to our Installomator script, fixing two packages whose URLs had changed. Computers would deploy packages fine before the change, yet do not deploy after the change. However, I believe the timing is coincidental, as the Installomator script should not have any impact on a prestage enrollment package deployment whatsoever, unless I'm seriously missing something. I only mention the change for full disclosure.

I appreciate all suggestions!

1 ACCEPTED SOLUTION

scottfeit
New Contributor II

Resolved-- the problem was me not putting 2 and 2 together. Yes, the packages were signed, and had been working fine the previous day... but the signing cert was only valid for one year, and had elapsed the previous day. I swear I had checked logs and not seen any references to DEPNotify at all, but a colleague checked and found references to the expired cert that I had missed. Ah well. Ended up downloading the packages from Jamf (nifty trick I found to do that is to make a temporary policy set to cache them, with a manual trigger (e.g. "get-packages"), and then call them on my own machine using "sudo jamf policy -event get-packages" before using pkgutil to extract them), re-signing them using the Jamf CA, and re-uploading. Worked like a charm.

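Added example (my own, not code from this thread or from Jamf): a check for the failure described in the accepted solution, an installer package whose signing certificate has lapsed, so it can be caught before the package is uploaded for PreStage Enrollment. It assumes that `pkgutil --check-signature` prints one "Expires: YYYY-MM-DD HH:MM:SS +0000" line per certificate in the chain; the sample output embedded below is constructed, not captured from a real package, and the function names `chain_is_valid` and `audit_pkg` are mine.

```shell
#!/bin/sh
# Audit an installer package's signing chain for an expired certificate.
# Assumption: pkgutil --check-signature emits an "Expires:" line under each
# certificate in the chain (format assumed here; sample below is constructed).

# Return 0 if every certificate in the chain is still valid at time $2,
# 1 if any has expired (each offender is printed).
# $1: file holding pkgutil --check-signature output
# $2: reference time as "YYYY-MM-DD HH:MM:SS" in UTC
chain_is_valid() {
    awk -v now="$2" '
        # A chain entry starts with an index such as "    1. "; remember its name.
        /^ *[0-9]+\. / { cert = $0; sub(/^ *[0-9]+\. /, "", cert) }
        # ISO-style "YYYY-MM-DD HH:MM:SS" strings order correctly as plain text,
        # so no date parsing (GNU vs BSD date) is needed.
        /Expires:/ {
            expires = $2 " " $3
            if (expires < now) {
                printf "EXPIRED: %s (expired %s)\n", cert, expires
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Wrapper for a real Mac: run the check on an actual .pkg at the current time.
audit_pkg() {
    tmp=$(mktemp) || return 2
    pkgutil --check-signature "$1" > "$tmp" 2>&1
    chain_is_valid "$tmp" "$(date -u +'%Y-%m-%d %H:%M:%S')"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample resembling a package whose leaf cert lapsed on 2021-07-08,
# one day before the thread's packages stopped installing.
SAMPLE_EXPIRED=$(mktemp)
cat > "$SAMPLE_EXPIRED" <<'EOF'
Package "DEPNotify.pkg":
   Status: signed by untrusted certificate
   Certificate Chain:
    1. Example Org Package Signing (constructed)
       Expires: 2021-07-08 17:00:00 +0000
       ------------------------------------------------------------------------
    2. Example Org Jamf CA (constructed)
       Expires: 2030-01-01 00:00:00 +0000
EOF

# Usage on a Mac: audit_pkg /path/to/DEPNotify.pkg && echo "chain OK"
# Offline demonstration against the constructed sample:
chain_is_valid "$SAMPLE_EXPIRED" "2021-07-09 09:00:00" || echo "do not upload: expired cert in chain"
```

Running `audit_pkg` over each package before re-uploading gives the warning the jamf.log entries only reveal after enrollment has already failed; the one-year validity mentioned above is a good reason to run it from a scheduled job rather than only once.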

4 REPLIES

mpuyet
New Contributor II

1: The PreStage Enrollment package installation has a timeout of 60 seconds (Apple restriction), after which installs that have not finished are cancelled.

2: Does your issue appear on M1 Macs? If yes, you will have to install Rosetta before installing a pkg that is not compatible.

3: I am using Octory, but for the PreStage Enrollment pkg I have a post-install script that waits for a GUI user before launching the Octory window:

#!/bin/sh
# Ask SystemConfiguration who owns the console; prints nothing while the login window is showing.
loggedInUser=$( echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ && ! /loginwindow/ { print $3 }' )

# Keep waiting while the console is owned by Setup Assistant (_mbsetupuser), root, or nobody yet.
while [ -z "$loggedInUser" ] || [ "$loggedInUser" = "_mbsetupuser" ] || [ "$loggedInUser" = "root" ];
do
        sleep 1
        loggedInUser=$( echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ && ! /loginwindow/ { print $3 }' )
done

# You can run your App/other script - a GUI Session was opened


scottfeit
New Contributor II

Thanks for the reply.

1. I don't think this is it-- each package under normal circumstances takes only a few seconds to install, and even removing all but DEPNotify, it still does not kick off.

2. These are all Intel Macs.

3. This script goes into one of your prestage enrollment packages? We have a similar script, but the problem is since the .pkg never deploys in the first place, the script never runs.

esummers78
New Contributor III

If anyone else runs into this, another thing to look for is to make sure the JWT Token in your PKI settings is disabled. PreStage Packages can't handle authentication, so that needs to be disabled. The packages will still have some protection in the form of a rotating token embedded in the URL.