Jamf Nation Community

I'm told the work around is to register as a apple developer so that you can add a code signing certificate so the quick add package is trusted.

Last time I went about doing this, Appel support stopped our request, because they felt it wasn't what we required. Facepalm.

@Malcolm I have the appropriate Apple Developer ID certificate so that's not the issue at least for me. It's the same certificate I use to sign the QuickAdd package that the Recon application produces. I don't have this issue with the Recon created QuickAdd package.

@mpermann It might be a bit of a hack, but if you find where the enrolment is sourcing the quickadd package from you might be able to replace it and replace it with the recon version, it might work.

@Malcolm That won't work because during user initiated enrollment where the user get the quickadd from the JSS, it is a one use only package that is generated as needed.

At least that is how it worked during training. I have not used the user initiated process recently.

@mpermann all quick add packages I have ever used, have required the user to authenticate within the package.

Once on the enrol page, twice for computer permissions, and once within the app for JSS to assign the user.

@Malcolm the multi-use QuickAdd package you can create with the Recon application doesn't have the same requirements. Launch the Recon app and build one and you can see the differences for yourself.

I see.

Hmm I guess there needs to be the ability to sign the quickadd package for user enrollment.

@Malcolm there is a way to sign the User Initiated Enrollment. It's in Global Management -> User Initiated Enrollment -> Platforms down at the bottom. Mine is properly setup. What I was letting @Taylor.curtis know was that he wasn't alone in his observation about the user initiated enrollment QuickAdd package. I've seen the same thing even though I have everything setup correctly. I was assuming he does as well. I just wanted to say "me too" and suggest he talk with his TAM for some assistance. I never raised it with my TAM because we rarely use the user initiated enrollment QuickAdd package. We prefer to use the Recon created QuickAdd package when necessary.

@Malcolm @mpermann Thank you both for your responses. Unfortunately I do have a Dev cert added under global management. The issue also doesn't happen when I've installed OS X 10.11.6 from a USB installer. It happens only when I netrestore and I've now found if I image a machine using carbon copy cloner and target disk mode (thunderbolt cable) I get the same symptom. Some how the imaging process creates this issue.

@Taylor.curtis Sadly I only got so far with looking into this my self. I'm probably going to revisit it at some stage.
Interesting, I'm wondering if the issue is more associated to updating JSS? Did it work with 10.11.5 and was that with the current JSS version your using now?

I've found in the past with a previous upgrade it has needed our ssl certificate re added, I wonder if perhaps this is a similar problem to this, and that all you need to do is reapply the developers cert into JSS?

Or perhaps the certificate has expired?

@Malcolm Turns out it was an issue with 10.11.6 AND the dev cert. I started by creating an image with 10.11.4 (couldn't find 10.11.5 for testing) and this installed and enrolled without any gatekeeper intervention. SUCESS!

Re-imaged with 10.11.6 and issue returned.. So I took your suggestion and re-added the cert and wah-lah I've imaged several computers now and confirmed the issue is resolved.

We just got JSS in the last couple of weeks.. So our instance was setup after the release of 10.11.6 so I had nothing to compare to.

THANK YOU!

@Taylor.curtis Awesome, glad to have helped, now you might be able to answer a question for me, was your dev cert an enterprise one or a general app store one?

When I tried to register our dev cert, the apple rep blocked out request, because they felt we only needed an enterprise one, and I wasn't sure at the time either, cause I had only had the OSX features of JSS for a few weeks also.

@Malcolm Sorry for the delay on this. I'm using a basic appstore dev account not the enterprise. I exported the installer cert from x-code. Interestingly enough the issue returned a couple of days later.. I think i'm going focus my efforts on enrolling with DEP versus user enrolled from the site.

@Taylor.curtis hmm I might have to revisit my attempt to get a dev cert.

From my dep tests, pushing large apps, e.g. Full adobe creative suite to the end user was difficult, not just the network transfer, but the 40min plus install afterwards... And having dep set ad user account also not entirely helpful when the first use of the dep device allowed creation of a local admin.

For that reason, I'm going to go with network deployment with a base image of creative cloud, java, flash, paper cut and office 2016. Just means I need more ethernet adapters, ill end up doing 23 at a time from a single 24port dumb switch.