Posted on 07-18-2019 12:11 PM
When installing Jamf binaries via QuickAdd, we are having to manually go into System Prefs > Profiles and approve the MDM Profile.
Is there any way to generate a prompt for this? Perhaps a post-flight script in the QuickAdd package?
I know we can't script approval of the MDM profile, but It is an easy thing to forget if you're not made aware the MDM needs approval.
We're on 10.12.0 and are NOT utilizing Self-Service at this time.
This article helps but requires Self-Service:
Posted on 07-18-2019 12:52 PM
You could create a postflight script with a dialogue box if you want to, but self-service is the easiest way to do it. you can enable self-service, have it pop up to notify the user, but not make any policies available in it. Not a perfect solution by any mean, but I find it the most easiest.
Alternatively, if you have SMTP set up, you can create a smart group scoped to devices that do not have an approved profile. Then set up a custom search for that group, hit action and send email to everyone in the group.
Posted on 07-18-2019 01:28 PM
We use the method posted by @AHolmdahl in this thread to nag the user once a day to approve MDM. My hunch is it could work in your situation if you made enrollment the trigger for the policy.
Posted on 07-19-2019 06:07 AM
@kevin.v you can create an arduino script with a rasberry pi to automate the approval actions - the rasberry pi is seen as a keyboard by the computer so it thinks its being "manually approved"
check out Two Canoes Mac Deploy Stick They have an All In One Software Hardware Combination you can utilize as well.
I use the Adafruit ItsyBitsy & deploy the script to it with Arduinos IDE - here is a link to a script I made to to automate the process. You will have to play with it and customize it to your setup but it gives you a good idea - https://github.com/Hugonauts/Arduino/blob/master/MDS-UAMDM%20AIO - used with MDS to install OS & Quickadd Package. Also, I use it to deploy 2 scripts to the machine. Script 1 (API) adds the computer to a Static Group that is excluded from All Configuration Profiles. Only the MDM profile can be located in the profiles pane in order to automate with Rasberry Pi. Script 2(API) runs afterward & removes the computer from the first Static Group & Adds it to a 2nd Static Group that is Nested inside the main Smart Group for our Full Configuration & All Profiles, Applications, etc.
I'm on Slack if you have any questions.