Re-Enrollment Script Errors unable to re-enroll MDM profiles.

CorpIT_eB
Contributor II

Hello JAMF Nation,

I had a script that was working when I assigned certain machines to the scope; I had pulled it from here: macOS 10.13.2 and "User Approved MDM enrollment"

Basically this script used to re-enroll the device with all current MDM profiles. At this point I notice that it's picking up the rest of them but not the main MDM profile that is given to the machine during the first out-of-the-box enrollment.

This script now gives me two errors. I apologize guys, I am NEW to the admin world for Macs, coming from the Windows side of things, and it's been a very hard transition as well as a HUGE learning curve.

#!/bin/bash
# Console user, whether that user is already an admin, the expected DEP server,
# the DEP server the device is actually assigned to, and the OS version split
# into major/minor so the version check below is numeric (a string comparison
# sorts "10.9" after "10.13").
user=$(/usr/bin/who | /usr/bin/awk '/console/{ print $1 }')
adminneeded=$(/usr/bin/dsmemberutil checkmembership -U "$user" -G admin)
DEPURL="https://companyname.jamfcloud.com"
DEPAssigned=$(/usr/bin/profiles show -type enrollment | grep ConfigurationURL | cut -d '"' -f2)
OSMajor=$(/usr/bin/defaults read /System/Library/CoreServices/SystemVersion ProductVersion | awk -F. '{print $1}')
OSMinor=$(/usr/bin/defaults read /System/Library/CoreServices/SystemVersion ProductVersion | awk -F. '{print $2}')

# Re-enrollment steps; the same whether or not admin rights had to be granted.
reenroll() {
    if [[ "$OSMajor" -eq 10 && "$OSMinor" -lt 13 ]]; then
        # Pre-10.13: no user approval needed, nag for DEP instead
        /usr/local/jamf/bin/jamf removeMDMProfile
        /usr/local/jamf/bin/jamf enroll -invitation myJSSInvitationID && /usr/local/jamf/bin/jamf recon -endUsername "$user"
        /usr/local/jamf/bin/jamf mdm -userLevelMdm
        /usr/libexec/mdmclient dep nag
    elif [[ "$DEPAssigned" == "$DEPURL" ]]; then
        # Device is assigned to our DEP server: renew the DEP enrollment
        /usr/local/jamf/bin/jamf removeMDMProfile
        /usr/bin/profiles -N
    else
        # Invitation-based enrollment; open the Profiles pane so the user can approve the MDM profile
        /usr/local/jamf/bin/jamf removeMDMProfile
        /usr/local/jamf/bin/jamf enroll -invitation myJSSInvitationID && /usr/local/jamf/bin/jamf recon -endUsername "$user"
        /usr/local/jamf/bin/jamf mdm -userLevelMdm
        /usr/bin/osascript -e 'tell application "Finder"
            activate
            open document file "Profiles.prefPane" of folder "PreferencePanes" of folder "Library" of folder "System" of startup disk
        end tell'
    fi
}

if [[ "$adminneeded" == *not* ]]; then
    # Temporarily grant admin rights to a standard user for enrollment, then remove them again
    /usr/sbin/dseditgroup -o edit -a "$user" -t user admin
    reenroll
    /usr/sbin/dseditgroup -o edit -d "$user" -t user admin
else
    # Leave admin rights intact if the account is already elevated
    reenroll
fi

Errors Read:

Script result: Downloading required CA Certificate(s)...
An error occurred while enrolling computer: Permission Error - The user specified does not have permission to perform the action.
Restoring JAMF.keychain since an error occurred.
An error occurred while sending enrollment information to Jamf Pro: Security Error - A security error has occurred.
Device Signature Error - A valid device signature is required to perform the action.
Checking in the background for policies that use the Enrollment Complete trigger
Enroll return code: 70
Getting management framework from the JSS...
Enabling MDM at the user level...
To have full MDM Management functionality, the MDM Profile must be manually approved in System Preferences > Profiles.
Error installing the user level mdm profile: profiles install for file:'/Library/Application Support/JAMF/93C89CC2-E1B3-420D-AD25-40A83B1AA542.mobileconfig' and user:'root' returned 102 (New profile does not meet criteria to replace existing profile.)
Downloading required CA Certificate(s)...
Retrying the user level mdm profile install.
Error installing the user level mdm profile: profiles install for file:'/Library/Application Support/JAMF/C0C1A375-FD1A-49FA-A40F-8C7FF0129286.mobileconfig' and user:'root' returned 102 (New profile does not meet criteria to replace existing profile.)
Problem installing MDM profile.

If anyone has an easier way of enrolling a machine with a lost MDM profile and would be willing to have the patience to explain their workflow and how I can compile it, I would be eternally grateful.

This thing is driving me up the wall, and all I want to do is re-enroll machines that have lost an MDM profile in some way or another.

Thanks in advance.
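A read-only pre-flight check, added here as an example and not part of the original post or of Jamf's tooling: it reports the device's enrollment state and prints which branch of the re-enrollment script above would run, without removing or installing any profile, so it can be run before the destructive steps. It assumes the tenant URL from the post (placeholder host) and that `profiles status -type enrollment` is available (macOS 10.13.4 and later).

```shell
#!/bin/sh
# Added example, not from the original post: dry-run check for the re-enrollment
# script. Nothing here changes enrollment state.
DEPURL="https://companyname.jamfcloud.com"   # assumed tenant URL (placeholder from the post)

# True when the macOS version is below 10.13. Major/minor are compared as
# numbers; the original script's string compare ("10.9" > "10.13") gets this wrong.
version_lt_1013() {
    major=${1%%.*}
    rest=${1#*.}
    [ "$rest" = "$1" ] && rest=0          # no dot at all: treat minor as 0
    minor=${rest%%.*}
    [ "$major" -lt 10 ] || { [ "$major" -eq 10 ] && [ "$minor" -lt 13 ]; }
}

# Same decision the script makes: legacy path before 10.13, DEP renewal when the
# device's assigned DEP server matches DEPURL, otherwise invitation + user approval.
# Usage: choose_path <os-version> <assigned-dep-url-or-empty> <expected-dep-url>
choose_path() {
    if version_lt_1013 "$1"; then
        echo legacy-invitation
    elif [ -n "$2" ] && [ "$2" = "$3" ]; then
        echo dep-renew
    else
        echo invitation-uamdm
    fi
}

# Live probe: only runs where sw_vers exists (a Mac), so the functions above can
# be exercised anywhere without touching enrollment.
if command -v sw_vers >/dev/null 2>&1; then
    os=$(/usr/bin/sw_vers -productVersion)
    assigned=$(/usr/bin/profiles show -type enrollment 2>/dev/null \
        | awk -F'"' '/ConfigurationURL/ {print $2}')
    echo "macOS $os"
    echo "DEP ConfigurationURL: ${assigned:-<none>}"
    /usr/bin/profiles status -type enrollment 2>/dev/null || echo "profiles status unavailable"
    echo "Re-enrollment branch that would run: $(choose_path "$os" "$assigned" "$DEPURL")"
fi
```

Run it with sudo on the affected Mac and compare the reported branch with the one the full script actually took; a DEP URL that does not match DEPURL, or a missing one, explains why the invitation path runs instead of `profiles -N`.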
