I am having a weird issue with our quickadd.pkg (from our user initiated enrollment site) and was wondering if anyone came across this/found a solution.
The issue: Gatekeeper blocks quickadd.pkg ---- only once
Go to company.jamfcloud.com/enroll
Sign in with LDAP information.
When performing the steps above on 10.10.5 this issue does not occur leading me to believe it's something with system integrity protection?
Imaged using NetRestore on OS X Server Image was created with System Image Utility.
Image was built with 10.11.6 15G31
Rebuilt the image with a fresh download from the App Store.
@Taylor.curtis I've experienced the same thing using an on premise JSS. I don't have a solution though. I would suggest contacting your TAM to see if it's a know product issue or not. I don't normally use the user initiated enrollment so it wasn't worth it for me to contact my TAM and try and troubleshoot the issue.
I'm told the work around is to register as a apple developer so that you can add a code signing certificate so the quick add package is trusted.
Last time I went about doing this, Appel support stopped our request, because they felt it wasn't what we required. Facepalm.
@Malcolm That won't work because during user initiated enrollment where the user get the quickadd from the JSS, it is a one use only package that is generated as needed.
At least that is how it worked during training. I have not used the user initiated process recently.
@Malcolm there is a way to sign the User Initiated Enrollment. It's in Global Management -> User Initiated Enrollment -> Platforms down at the bottom. Mine is properly setup. What I was letting @Taylor.curtis know was that he wasn't alone in his observation about the user initiated enrollment QuickAdd package. I've seen the same thing even though I have everything setup correctly. I was assuming he does as well. I just wanted to say "me too" and suggest he talk with his TAM for some assistance. I never raised it with my TAM because we rarely use the user initiated enrollment QuickAdd package. We prefer to use the Recon created QuickAdd package when necessary.
@Malcolm @mpermann Thank you both for your responses. Unfortunately I do have a Dev cert added under global management. The issue also doesn't happen when I've installed OS X 10.11.6 from a USB installer. It happens only when I netrestore and I've now found if I image a machine using carbon copy cloner and target disk mode (thunderbolt cable) I get the same symptom. Some how the imaging process creates this issue.
Sadly I only got so far with looking into this my self. I'm probably going to revisit it at some stage.
Interesting, I'm wondering if the issue is more associated to updating JSS? Did it work with 10.11.5 and was that with the current JSS version your using now?
I've found in the past with a previous upgrade it has needed our ssl certificate re added, I wonder if perhaps this is a similar problem to this, and that all you need to do is reapply the developers cert into JSS?
Or perhaps the certificate has expired?
@Malcolm Turns out it was an issue with 10.11.6 AND the dev cert. I started by creating an image with 10.11.4 (couldn't find 10.11.5 for testing) and this installed and enrolled without any gatekeeper intervention. SUCESS!
Re-imaged with 10.11.6 and issue returned.. So I took your suggestion and re-added the cert and wah-lah I've imaged several computers now and confirmed the issue is resolved.
We just got JSS in the last couple of weeks.. So our instance was setup after the release of 10.11.6 so I had nothing to compare to.
@Taylor.curtis Awesome, glad to have helped, now you might be able to answer a question for me, was your dev cert an enterprise one or a general app store one?
When I tried to register our dev cert, the apple rep blocked out request, because they felt we only needed an enterprise one, and I wasn't sure at the time either, cause I had only had the OSX features of JSS for a few weeks also.
@Malcolm Sorry for the delay on this. I'm using a basic appstore dev account not the enterprise. I exported the installer cert from x-code. Interestingly enough the issue returned a couple of days later.. I think i'm going focus my efforts on enrolling with DEP versus user enrolled from the site.
@Taylor.curtis hmm I might have to revisit my attempt to get a dev cert.
From my dep tests, pushing large apps, e.g. Full adobe creative suite to the end user was difficult, not just the network transfer, but the 40min plus install afterwards... And having dep set ad user account also not entirely helpful when the first use of the dep device allowed creation of a local admin.
For that reason, I'm going to go with network deployment with a base image of creative cloud, java, flash, paper cut and office 2016. Just means I need more ethernet adapters, ill end up doing 23 at a time from a single 24port dumb switch.