Jamf Nation Community

The QuickAdd...

(1) installs the /usr/local/sbin/jamf binary (used to be /usr/sbin/jamf):

(2) runs a postflight script that creates the plist to point the binary to JSS, sets SSH, and then runs the enrollment command (enforce management framework, including creating the management account, login/logout hooks, etc., etc.).

If QuickAdd fails, its usually because the postflight script fails.

Confirm that the binary installed:

$ which jamf
/usr/local/sbin/jamf

^^^ If this comes back with /usr/sbin/jamf, your QuickAdd is old.

Once confirmed, you can manually enroll the Mac using the sudo jamf enroll -prompt command.

The first prompt is asking you to authenticate the sudo command. The next two prompts are for your JSS account name/password. Your account will need rights to enroll computers (there may be a few more rights checkboxes needed).

$ sudo jamf enroll -prompt
Password: <your-admin-password>
JSS Username: <your-jss-username>
JSS Password: <your-jss-password>
SSH Username: <your-jss-username>
SSH Password: <your-jss-password>
Downloading required CA Certificate(s)...
This computer was successfully enrolled to the JSS with the following device certificate: "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX"
Retrieving inventory preferences from https://server.domain.com:8443/...
Finding extension attributes...
Locating applications...
...[snip]...
...[snip]...
...[snip]...
Submitting data to https://server.domain.com:8443/...
<computer_id>XXXXX</computer_id>
Getting management framework from the JSS...
Enforcing management framework...
Checking availability of https://server.domain.com:8443/...
The JSS is available.
Enforcing login/logout hooks...
Enforcing scheduled tasks...
Creating launch daemon...
Creating launch agent...
Checking availability of https://server.domain.com:8443/...
The JSS is available.
Checking for policies triggered by enrollmentComplete

NOTE: When you use your JSS credentials for both items in the above command, your JSS username becomes the management account for that Mac. Might want to spin up a policy that checks management account name, so if it isn't the right account, the policy corrects it.

For more info:

$ jamf -help enroll

Usage:   jamf enroll [-prompt | -invitation] [-noRecon] [-noManage]


     -prompt         Prompts for JSS and SSH credentials.

     -invitation         Uses an invitation ID for credentials instead of a user name and password.

     -noRecon        Stops enroll from acquiring inventory.

     -noManage       Stops enroll from enforcing the management framework.

     -noPolicy       Stops enroll from checking for enrollment policies.
$

Thanks @donmontalvo ... the office is an hour away, I might have to go down and try this down there. It seems odd that it works properly here in my office location, but in another office it errors.

@Bhughes - If it errors out in one location and not another, sounds like a DNS or communications issue to me. Something is blocked or unknown.

@donmontalvo - Best explanation of the quickadd ever!

Its odd that 99% of the process works ok (especially config profiles), that would indicate that the connection to the JSS is working at some stage and is able to enrol with the MDM.

If its location specific I would look at something firewall / DNS related. Do you have a web filter that might be blocking something towards the end of the process?

@donmontalvo Great explanation, thanks!

Thanks @pblake and @davidacland it does appear to be pointing to something network related. I think I might have to take a trip to that office.

We see QuickAdd fail mostly over Wi-Fi or where client is many hops away from the JSS (latency?). Manual enroll to the rescue. :) Maybe you can SSH over to the Mac to manually enroll, to save time/gas.

Nothing firewall/DNS related... no web filters in that office ...(from what I am told). These devices are all wired.

Enrollment has completed, I am just worried that it's presenting the user with "installation failed"

I took a look at the /var/log/jamf.log ...shows everything completing there too.

Thu Aug 27 11:10:39 XXXXXMacBook Air jamf[439]: Creating user casperadmin...
Thu Aug 27 11:10:43 XXXXXMacBook Air jamf[439]: Enforcing management framework...
Thu Aug 27 11:10:46 XXXXXMacBook Air jamf[439]: Enforcing scheduled tasks...
Thu Aug 27 11:10:46 XXXXXMacBook Air jamf[439]: Adding launchd task com.jamfsoftware.task.1...
Thu Aug 27 11:10:46 XXXXXMacBook Air jamf[439]: Creating launch daemon...
Thu Aug 27 11:10:46 XXXXXMacBook Air jamf[439]: Downloading the agent...
Thu Aug 27 11:10:47 XXXXXMacBook Air jamf[439]: Creating launch agent...
Thu Aug 27 11:10:47 XXXXXMacBook Air jamf[525]: Informing the JSS about login for user xxxx
Thu Aug 27 11:10:48 XXXXXMacBook Air jamf[525]: Informing the JSS about login for user xxxx
Thu Aug 27 11:10:49 XXXXXMacBook Air jamf[538]: Checking for policies triggered by "enrollmentComplete"...
Thu Aug 27 11:10:50 XXXXXMacBook Air jamf[538]: Upgrading jamfHelper.app...
Thu Aug 27 11:10:51 XXXXXMacBook Air jamf[538]: Upgrading JAMF notification service...
Thu Aug 27 11:10:51 XXXXXMacBook Air jamf[538]: Upgrading Self Service.app...
Thu Aug 27 11:10:53 XXXXXMacBook Air jamf[538]: Executing Policy 1 Computer Name...
Thu Aug 27 11:10:54 XXXXXMacBook Air jamf[525]: Network state changed, checking for policies...
Thu Aug 27 11:10:54 XXXXXMacBook Air jamf[525]: Network state changed, checking for policies...
Thu Aug 27 11:10:55 Computer name        jamf[654]: Checking for policies triggered by "adbind"...
Thu Aug 27 11:10:55 Computer name        jamf[650]: Checking for policies triggered by "networkStateChange"...
Thu Aug 27 11:10:58 Computer name        jamf[654]: Executing Policy 2 Bind to AD...
Thu Aug 27 11:10:58 Computer name        jamf[654]:     Binding "computername to mycompany.ad.com".
Thu Aug 27 11:11:14 Computer name        jamf[654]:     Bound to Active Directory (ad.com)
Thu Aug 27 11:11:14 XXXXXMacBook Air jamf[538]: Executing Policy 4 Security Settings...
Thu Aug 27 11:11:17 XXXXXMacBook Air jamf[538]:     Verifying package integrity...
Thu Aug 27 11:11:18 XXXXXMacBook Air jamf[538]:     Installing SEPRemote.pkg...
Thu Aug 27 11:12:09 XXXXXMacBook Air jamf[538]:     Successfully installed SEPRemote.pkg.
Thu Aug 27 11:12:09 XXXXXMacBook Air jamf[538]: Executing Policy 5 Bomgar...
Thu Aug 27 11:12:09 XXXXXMacBook Air jamf[538]:     Verifying package integrity...
Thu Aug 27 11:12:09 XXXXXMacBook Air jamf[538]:     Installing Bomgar.pkg.zip...
Thu Aug 27 11:12:20 XXXXXMacBook Air jamf[538]:     Successfully installed Bomgar.pkg.zip.
Thu Aug 27 11:12:20 XXXXXMacBook Air jamf[538]: Executing Policy 6 Junos Pulse VPN Client...
Thu Aug 27 11:12:20 XXXXXMacBook Air jamf[538]:     Verifying package integrity...
Thu Aug 27 11:12:21 XXXXXMacBook Air jamf[538]:     Installing JunosPulse.pkg...
Thu Aug 27 11:12:27 XXXXXMacBook Air jamf[538]:     Successfully installed JunosPulse.pkg.
Thu Aug 27 11:12:27 XXXXXMacBook Air jamf[538]: Executing Policy 7  Local Admin Account...
Thu Aug 27 11:12:28 Computer name        jamf[538]: Creating user LocalSupport...
Thu Aug 27 11:12:32 XXXXXMacBook Air jamf[538]: Executing Policy 8 Configure Proxy...
Thu Aug 27 11:12:33 XXXXXMacBook Air jamf[538]: Executing Policy 9 Add Dock Items and Run Recon...
Thu Aug 27 11:12:47 XXXXXMacBook Air jamf[538]: Executing Policy Disable Password Change Prompt...
Thu Aug 27 11:12:47 XXXXXMacBook Air jamf[538]: Executing Policy Set Search Domains...

------This is where enrollment completes -------

Thu Aug 27 11:19:45 xxxxxxxx jamf[1978]: Checking for policy ID 8...
Thu Aug 27 11:19:47 xxxxxxxx jamf[1978]: Executing Policy Microsoft Office 2011...
Thu Aug 27 11:19:49 xxxxxxxx jamf[1978]:    Verifying package integrity...
Thu Aug 27 11:20:59 xxxxxxxx jamf[1978]:    Installing Office Installer.pkg...
Thu Aug 27 11:22:34 xxxxxxxx jamf[1978]:    Successfully installed Office Installer.pkg.

As far as the enrollment goes, the last step will be:

Thu Aug 27 11:10:51 XXXXXMacBook Air jamf[538]: Upgrading Self Service.app...

After that its just policies kicking in.

It doesn't look like its breaking anything, although it could be worth testing with a Mac that doesn't run any policies after enrollment.

Thanks. I also tried running

sudo jamf enroll -prompt -verbose

and found no errors.

Is there any logging anywhere else that I could check?

There are logs on the server (JAMFSoftwareServer.log) that might have some more information. The possibilities I'm currently thinking are:

• Network related issue, if one of the same "affected" Macs works at another site, this confirms its not a device issue
• A device / build issue, are the Macs at that site installed from a different OS build that could be causing the error?

Just out of interest, are you using a web based self enrollment from https://your.jss.com:8443/enroll or a recon generated quickadd.pkg?

If time permits, I would probably pick the quickadd.pkg apart, manually deploy the files in the payload and then step through the postinstall script step by step in the terminal. That usually tells you what line it is failing on.

Could also be worth asking JAMF support in case they have any other secret methods for troubleshooting.