Jamf Nation Community

lisanelson2 · ‎07-27-2021

Have been using High Sierra, starting the process of figuring out how to migrate to Catalina, having many adventures along the way. Our JAMF is currently 10.21.0.

When a computer with High Sierra is upgraded in place to Catalina, any user who logs in gets zillions of messages from the JAMF binary: "JAMF" can't be opened because Apple cannot check it for malicious software. In System Preferences, there is a slightly more useful message: "JAMF" was blocked from use because it is not from an identified developer.

I have seen that there are command lines I can run to tell Catalina that the JAMF binary can be run anyway (and indeed these work). But I cannot automate my way out of this hole, because anything I would use to deliver such a command line (e.g. policy) has to be run by the JAMF binary, which won't run.

How can I PREVENT this? Since I can't fix it automatically once it has happened.

Is JAMF *really* not an identified developer? That seems hard to believe.

Thanks,
Lisa.

dvasquez · ‎07-27-2021

Jamf is a trusted and identified developer... When Jamf installs there is a valid certificate and a prompt to trust with user enrollment and with Prestage and DEP this is auto-trusted as the devices are supervised. Let me look into this and get back but I am sure someone else in this community has solved this. I will say I have not seen what your exactly saying with the update to macOS.

jtrant · ‎07-28-2021

Over the years we've gone from El Capitan to Sierra, High Sierra, Mojave, Catalina and Big Sur. I have never seen an unidentified developer message relating to Jamf.

This is probably specific to your environment, but High Sierra has also been EOL for quite a while so it's possible that the certificate chains relating to Developer IDs and GateKeeper have expired or the OS predates the current ones?

If you have an AppleCare Enterprise support agreement it would be worth creating a ticket with Apple, referencing your Jamf support case so they can tie it together.

lisanelson2 · ‎07-28-2021

It's happening on Catalina, not High Sierra. The only reason I mention High Sierra is that they are upgraded from it. But in any case, surely whether JAMF is an identified developer is down to materials installed by JAMF, not something that comes with the operating system? So since JAMF effectively puts the client on by itself, replacing older versions of the client as necessary, I don't see how it could have put itself on there and forgotten to include whatever makes it an identified developer.

dvasquez · ‎07-28-2021

@jtrant jtrant, good mention on High Sierra being EOL.

talkingmoose · ‎07-31-2021

I'm wondering if this is due to the very old version of Jamf Pro you're running. Version 10.21 is now 10 versions behind and about 1-1/2 years old.

macOS Catalina has stricter security requirements than High Sierra and may not tolerate the older Jamf software, like the jamf binary, that you're deploying.

The jamf binary is code signed. What information do you get back when you run this on one of your Catalina Macs where you're seeing the unidentified developer message?

codesign -dv --verbose=4 /usr/local/jamf/bin/jamf

Also, can you post a screenshot of the message you're receiving. It may be more revealing as to what's happening.

lisanelson2 · ‎07-31-2021

Indeed it is, but it is considerably newer than Catalina! At least, it was 2 years ago that we first played with Catalina. I can't go any newer, because I still have to support my estate of High Sierra computers which are installed via imaging, and I have read in multiple places that JAMF imaging stops working in 10.22 or 10.23.

Is it the code signing that determines whether they are an identified developer? I'll try that command and post screenshots of the message on Monday. Thanks for the thoughts.

lisanelson2 · ‎07-31-2021

(My comment about Catalina being older than this version of JAMF was because it will, at some point, have been the cutting edge new version while Catalina was the current version of OS X. People will not have had any newer versions of JAMF they could turn to. So if this was a problem with the JAMF version, I would have expected to find everybody trying to implement Catalina complaining about having problems like this back then. I don't find anybody.)

lisanelson2 · ‎08-02-2021

Well, this was unexpected.

On Friday, I did a clean install of Catalina (rather than upgrading High Sierra). This morning, I don't have the problem. So whatever it is, it has to do with coming from High Sierra. So I guess I'll table this for the time being. (Not least because I now can't test the codesign command because my test machine doesn't have the problem right now)

Thanks to everyone who replied.