Quickadd - 10.11.6

Taylor_curtis
New Contributor

Hello,

I am having a weird issue with our quickadd.pkg (from our user initiated enrollment site) and was wondering if anyone came across this/found a solution.

The issue: Gatekeeper blocks quickadd.pkg ---- only once

  • Go to company.jamfcloud.com/enroll
  • Sign in with LDAP information.
  • Select User
  • Quick add download is triggered
  • Double click quickadd.pkg
  • Gatekeeper blocks as an unsigned package
  • Quit prompt and open quickadd.pkg
  • Works normally and installs self service.

When performing the steps above on 10.10.5 this issue does not occur, leading me to believe it's something with System Integrity Protection?

Additional information:
Imaged using NetRestore on OS X Server. Image was created with System Image Utility.
Image was built with 10.11.6 15G31
Rebuilt the image with a fresh download from the App Store.

15 REPLIES

mpermann
Valued Contributor II

@Taylor.curtis I've experienced the same thing using an on premise JSS. I don't have a solution though. I would suggest contacting your TAM to see if it's a known product issue or not. I don't normally use the user initiated enrollment so it wasn't worth it for me to contact my TAM and try and troubleshoot the issue.

Malcolm
Contributor II

I'm told the workaround is to register as an Apple developer so that you can add a code signing certificate so the quick add package is trusted.

Last time I went about doing this, Apple support stopped our request, because they felt it wasn't what we required. Facepalm.

mpermann
Valued Contributor II

@Malcolm I have the appropriate Apple Developer ID certificate so that's not the issue at least for me. It's the same certificate I use to sign the QuickAdd package that the Recon application produces. I don't have this issue with the Recon created QuickAdd package.

Malcolm
Contributor II

@mpermann It might be a bit of a hack, but if you find where the enrolment is sourcing the quickadd package from you might be able to replace it and replace it with the recon version, it might work.

strider_knh
Contributor II

@Malcolm That won't work because during user initiated enrollment, where the user gets the quickadd from the JSS, it is a one use only package that is generated as needed.

At least that is how it worked during training. I have not used the user initiated process recently.

Malcolm
Contributor II

@mpermann all quick add packages I have ever used, have required the user to authenticate within the package.

Once on the enrol page, twice for computer permissions, and once within the app for JSS to assign the user.

mpermann
Valued Contributor II

@Malcolm the multi-use QuickAdd package you can create with the Recon application doesn't have the same requirements. Launch the Recon app and build one and you can see the differences for yourself.

Malcolm
Contributor II

I see.

Hmm I guess there needs to be the ability to sign the quickadd package for user enrollment.

mpermann
Valued Contributor II

@Malcolm there is a way to sign the User Initiated Enrollment. It's in Global Management -> User Initiated Enrollment -> Platforms down at the bottom. Mine is properly set up. What I was letting @Taylor.curtis know was that he wasn't alone in his observation about the user initiated enrollment QuickAdd package. I've seen the same thing even though I have everything set up correctly. I was assuming he does as well. I just wanted to say "me too" and suggest he talk with his TAM for some assistance. I never raised it with my TAM because we rarely use the user initiated enrollment QuickAdd package. We prefer to use the Recon created QuickAdd package when necessary.

Taylor_curtis
New Contributor

@Malcolm @mpermann Thank you both for your responses. Unfortunately I do have a Dev cert added under global management. The issue also doesn't happen when I've installed OS X 10.11.6 from a USB installer. It happens only when I NetRestore, and I've now found if I image a machine using Carbon Copy Cloner and target disk mode (Thunderbolt cable) I get the same symptom. Somehow the imaging process creates this issue.

Malcolm
Contributor II

@Taylor.curtis Sadly I only got so far with looking into this myself. I'm probably going to revisit it at some stage.
Interesting, I'm wondering if the issue is more associated with updating JSS? Did it work with 10.11.5, and was that with the current JSS version you're using now?

I've found in the past with a previous upgrade it has needed our SSL certificate re-added. I wonder if perhaps this is a similar problem, and that all you need to do is reapply the developer's cert into JSS?

Or perhaps the certificate has expired?

Taylor_curtis
New Contributor

@Malcolm Turns out it was an issue with 10.11.6 AND the dev cert. I started by creating an image with 10.11.4 (couldn't find 10.11.5 for testing) and this installed and enrolled without any Gatekeeper intervention. SUCCESS!

Re-imaged with 10.11.6 and the issue returned. So I took your suggestion and re-added the cert and voilà, I've imaged several computers now and confirmed the issue is resolved.

We just got JSS in the last couple of weeks, so our instance was set up after the release of 10.11.6 and I had nothing to compare to.

THANK YOU!

Malcolm
Contributor II

@Taylor.curtis Awesome, glad to have helped. Now you might be able to answer a question for me: was your dev cert an enterprise one or a general App Store one?

When I tried to register our dev cert, the Apple rep blocked our request, because they felt we only needed an enterprise one, and I wasn't sure at the time either, 'cause I had only had the OS X features of JSS for a few weeks also.

Taylor_curtis
New Contributor

@Malcolm Sorry for the delay on this. I'm using a basic App Store dev account, not the enterprise. I exported the installer cert from Xcode. Interestingly enough, the issue returned a couple of days later. I think I'm going to focus my efforts on enrolling with DEP versus user enrolled from the site.

Malcolm
Contributor II

@Taylor.curtis Hmm, I might have to revisit my attempt to get a dev cert.

From my DEP tests, pushing large apps, e.g. full Adobe Creative Suite, to the end user was difficult, not just the network transfer, but the 40min plus install afterwards... And having DEP set an AD user account is also not entirely helpful when the first use of the DEP device allowed creation of a local admin.

For that reason, I'm going to go with network deployment with a base image of Creative Cloud, Java, Flash, PaperCut and Office 2016. Just means I need more Ethernet adapters; I'll end up doing 23 at a time from a single 24-port dumb switch.