Problems with the enrollment user experience

gajones
New Contributor II

I'd like to simply provide new Mac users with our enrollment URL and have everything happen automagically from there. However I'm running into several issues that make it a less than smooth user experience. I wonder if anyone else has encountered these and found a solution?

1) at the enrollment webpage, after inputting the supplied credentials for a enrollment only user, a box appears "Assign to User". No input is required here, simply to click "Enroll", but this will definitely confuse users.

2) when trying to open the QuickAdd package, you, get the "unidentified developer" warning. To bypass this, the file must be opened by right clicking and choosing "Open".

3) the Mac is enrolled, but the QuickAdd installer hangs and must be force quit.

15 REPLIES 15

rdwhitt
Contributor II

What version of the JSS are you on and what OS are the clients on?

1) From my testing in 9.72, the "Assign to User" only appears if the user logging in has the ability to edit computer records in the JSS.
2) In "Global Management->User-Initiated Enrollment" you need to add a signing certificate to "Sign QuickAdd Package".
3) I've had the QuickAdd fail plenty of times while completing enrollment, but have not had to force quit (yet).

mpermann
Valued Contributor II

@gajones if you get an Apple Developer Signing certificate you can sign your QuickAdd Package which will fix the second issue. You might also consider using the Recon application to make a QuickAdd Package that you can use to enroll your computers. When we enrolled our computers we made the QuickAdd package available to our users. We had very few people that had any problems getting it installed. But your mileage will very depending upon the comfort level your users have with installing software. Of course they will need admin credentials to install the QuickAdd package made from the Recon app.

gajones
New Contributor II

@rdwhitt @mpermann thanks.

9.8 / 10.10.5

1) I'm looking on the Privileges page, but I don't see a "Computer Records" object. Is that the same as "Computers"?

2) will try

3) happens every time. I wonder if adding the signing certificate helps?

mpermann
Valued Contributor II

@gajones I've never tried the QuickAdd package that you download from the enrollment website, but maybe it is different from the one the Recon app makes. You might consider giving the Recon version of the QuickAdd package a try to see if it helps problem 3 or not. You can do this without a signing certificate. You will just have to use the right-click Open trick to get past the unidentified developer warning.

rdwhitt
Contributor II

My apologies, by computer record I just meant when viewing a computer in inventory, someone that can click on "Edit" and update things like user location, computer, name, etc. The actual privilege <I think> would be "JSS Objects->Computers", but don't quote me on that.

As long as the users who will be using the enrollment URL are not in a group that allows them to log into the JSS and view/edit computer inventory, then they won't see the "Assign to User".

rdwhitt
Contributor II

@mpermann The only real difference between the QuickAdd package from Recon and the enrollment URL is that the enrollment URL one uses the same management account for all computers as defined by the admin in User-Initiated enrollment.

Doesn't the quickAdd package from Recon also give the "unidentified developer" message unless signed when creating the package?

gajones
New Contributor II

I tried the package from Recon, and it has the same behaviour. Hangs but the Mac is enrolled.

rdwhitt
Contributor II

What does /var/log/jamf.log show on the device after running the package?

Is there anything generated in Console when the hang occurs?

mpermann
Valued Contributor II

@gajones is there anything in the /var/log/install.log that might give a clue as to what is happening? When running the QuickAdd package can you look at Activity Monitor to see if there are any processes running at very high utilization? We've had an issue on some computers where when it is running the recon it kicks off the software update process to look for OS updates it also kicks off a printer PPD process to check for newer printer drivers and that process (I can't remember the name of it right now) will peg at nearly 100% causing the system to get very slow and the recon process will not finish. I think it's being caused by some specific printer drivers we have but I haven't been able to track down the cause. If I kill that process or remove all the printers before starting a recon the recon process will finish up and send the log to the JSS.

gajones
New Contributor II

@mpermann thanks, it was exactly that. Once I removed the printer, the QuickAdd completed successfully.

Sep 30 15:13:47 testuser.local installd[4011]: ./postinstall: Locating hardware information (Mac OS X 10.10.5)...
Sep 30 15:13:59 testuser.local softwareupdated[275]: JS: 10.10.5
Sep 30 15:13:59 testuser.local softwareupdated[275]: JS: Connected printer: MANUFACTURER:Xerox;MODEL:WC 7530
Sep 30 15:13:59 testuser.local softwareupdated[275]: JS: Connected printer: MANUFACTURER:Xerox;MODEL:Xerox WC 7530
Sep 30 15:13:59 testuser.local softwareupdated[275]: JS: Printer Xerox_Uni does not require an update.
Sep 30 15:13:59 testuser.local softwareupdated[275]: JS: Connected printer: MANUFACTURER:Xerox;MODEL:WC 7530
Sep 30 15:13:59 testuser.local softwareupdated[275]: JS: Connected printer: MANUFACTURER:Xerox;MODEL:Xerox WC 7530
Sep 30 15:13:59 testuser.local softwareupdated[275]: JS: Printer Xerox_Uni does not require an update.
Sep 30 15:13:59 testuser.local softwareupdated[275]: JS: Connected printer: MANUFACTURER:Xerox;MODEL:WC 7530
Sep 30 15:13:59 testuser.local softwareupdated[275]: JS: Connected printer: MANUFACTURER:Xerox;MODEL:Xerox WC 7530
Sep 30 15:13:59 testuser.local softwareupdated[275]: JS: Printer Xerox_Uni does not require an update.
Sep 30 15:13:59 testuser.local softwareupdated[275]: JS: Connected printer: MANUFACTURER:Xerox;MODEL:WC 7530
Sep 30 15:13:59 testuser.local softwareupdated[275]: JS: Connected printer: MANUFACTURER:Xerox;MODEL:Xerox WC 7530
Sep 30 15:13:59 testuser.local softwareupdated[275]: JS: Printer Xerox_Uni does not require an update.

mpermann
Valued Contributor II

@rdwhitt you are correct. The QuickAdd package made with the Recon app will give the same unidentified developer message as the one downloaded from the enrollment page if you don't have an Apple Developer Signing certificate. I thought the QuickAdd Package from the enrollment page was also a one-time use package as well. But maybe I am wrong on that.

mpermann
Valued Contributor II

@gajones I'm glad that solved it for you. I'd love to find out why this is happening, but I haven't had time to contact Support for assistance on this. If you contact them and they give you an answer, please post back.

rdwhitt
Contributor II

@mpermann Now that you mention it, I think you are right about it being a limited use as well.

scottb
Honored Contributor

@rdwhitt - the QuickAdd from Recon can be used on any Macs (ARD, etc.) whereas the one downloaded via the URL will only be good for the client that downloaded it on that Mac.

rdwhitt
Contributor II

@scottb Thanks for the clarification!