Proper way to push these scripts out?

mrrobertbuss
Contributor

Hello everyone,

I have received command entries from JAMF tech support to adjust our password policy that is reporting errors. I have been running these commands manually with a remote session with the user and it works. Is there a way to create Policies so that this will run without the user and myself involved? Reboot is not required but to run the commands requires user name and password in Terminal. 

  1. On the user's Mac in Terminal run sudo jamf removeframework
  2. Once that completes stay in Terminal and run sudo profiles renew -type enrollment

Any help is much appreciated. 

 

1 ACCEPTED SOLUTION

AJPinto
Honored Contributor III

If you remove the framework, you can never run the second command as the framework runs commands. There is no way to perform an enrollment without user interaction, there WILL be a popup from macOS and the user MUST DO THE THING manually.

 

As others have said, removing the framework is extreme for troubleshooting a PW issue. Have you tried running sudo jamf manage to update the framework instead?


10 REPLIES 10

jamf-42
Valued Contributor II

removing jamf framework and re-enrolling seems over the top for a password policy issue. 

Once you remove framework, the device is no longer managed.. you could possibly do this with a script sent to a background task.. but re-enrolling seems wrong.

 

I've added more details that should clear up what I'm trying to accomplish. I do appreciate the warning so I may have to do this manually on each device. Thoughts?

mrrobertbuss
Contributor

I want to add more detail for clarification of what I'm trying to accomplish: 

PreStage Enrollments > Account Settings > "Make the managed local administrator account MDM-enabled" was enabled by the previous manager from the setup process. I do not know why. This being turned on generated false reports to these Smart Groups: "the criteria is Password Type>is>Simple" and "Password Type>is>Alphanumeric". To push out the change for the passwords from Simple Type to Alphanumeric Type is the goal using the commands mentioned above. The Simple Type reports all staff have only 4 characters; the Alphanumeric shows only 14 staff members have 14 characters or more. 14 staff members is correct as these were manually completed by me. We have a JAMF Password Policy that all staff must have 14 characters or more. Some users are showing up in both Smart Groups. I need all staff to switch to the new password policy which enables Simple type to Alphanumeric Type using the commands provided by JAMF. When it is all said and done, all staff will show up on the Alphanumeric Type Smart Group. This is the report I need to run in to Security for an audit. Trying to find a quicker way of doing this instead of reaching out to each one and manually changing this. 10 down, many to go.

jamf-42
Valued Contributor II

scope out the managed admin account from the smart group if that is causing an issue.

if you apply the password payload config profile with revised setup, the user gets a popup telling them they need to log out and update their password to match the new requirements. (on macOS 14.. possibly on others) 

test test test.. 

 

 

AJPinto
Honored Contributor III

If you remove the framework, you can never run the second command as the framework runs commands. There is no way to perform an enrollment without user interaction, there WILL be a popup from macOS and the user MUST DO THE THING manually.

 

As others have said, removing the framework is extreme for troubleshooting a PW issue. Have you tried running sudo jamf manage to update the framework instead?

So just by running sudo jamf manage this will aid in correcting the Pre-Stage Enrollment new setting? I wouldn't have to run those commands? This is the new setting I'm trying to apply to all devices. The new setting is the unchecked "Make the managed local administrator account MDM-enabled".

jamf-42
Valued Contributor II

are you using Classes?.. random info via google-fu.. maybe you need this?

 

MDM-enabled local user accounts allow you to manage the following user-specific settings on computers:

Using JAMF Pro

AJPinto
Honored Contributor III

What is the purpose of making the accounts MDM enabled? As @jamf-42 pointed out, there are not a lot of reasons for having an MDM enabled account on macOS.

I have no idea. Mine was checked by the previous JAMF manager.