Run policies on enrollment, AFTER user logs in

Are you able to set the trigger to be on "login" instead? That's what we do for our initial enrollment.

This is tricky.
Something that should be noted. I don't think it's best practice to use the Enrollment Complete trigger to install applications.
--EDIT-- I don't think it's best practice to install more than 1 or 2 applications during Enrollment Complete. --EDIT--

I'm not sure if you're binding to the domain or not, but that shouldn't matter.

My recommendation would be to write a pkg that installs a LaunchDaemon and then in the postinstall of the pkg - load it.

Use the LaunchDameon to run a script to call individual policies from jamfPro. Make sure that it waits until "Finder" is running.

That should accomplish what you're trying to do.

Regards,
TJ

What @tthurman mentioned is probably the most fool-proof method for making something run at enrollment after logging in. I use DEPNotify for our DEP machines and that was the only way I could get consistent results.

I make a package that drops the app, scripts, and a launch daemon to run the scripts at login (after a few checks). My package has a post install script that activates the launch daemon and when the user logs in it makes sure it’s not the _mbsetup user, and the finder and dock are both active. After that it runs.

It’s worked 100% of the time for me so far!

Hi,
We do something similar to what @tthurman does, but it's just a bash script that's run by a policy triggered with Enrollment complete:

#!/bin/bash

# Get the currently logged in user
loggedInUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "
");'`
log "Current user is $loggedInUser"

# get UID for current User
currentUID=$(dscl . -list /Users UniqueID | grep $loggedInUser | awk '{print $2;}')
log "$loggedInUser UID is $currentUID"

# Check and see if we're currently running as the user we want to setup - pause and wait if not
while [ $currentUID -ne 502 ] && [ $currentUID -ne 501 ]; do
    log "Currently logged in user is NOT the 501 or 502 user. Waiting."
    sleep 2
    loggedInUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "
");'`
    currentUID=$(dscl . -list /Users UniqueID | grep $loggedInUser | awk '{print $2;}')
    log "Current user is $loggedInUser with UID $currentUID"
done

# Now that we have the correct user logged in - need to wait for the login to complete so we don't start too early
dockStatus=$(pgrep -x Dock)
log "Waiting for Desktop"
while [ "$dockStatus" == "" ]; do
  log "Desktop is not loaded. Waiting."
  sleep 2
  dockStatus=$(pgrep -x Dock)
done

# Start the imaging process since we're now running as the correct user.
log "501 or 502 user is now logged in, continuing setup."
jamf policy -event firstRun

exit 0

Edit as necessary for your situation. :)

Good luck!

Thanks everyone! Some great ideas. I think I'll use the script from @mbezzo and instead of waiting for the 501 or 502 user, I will write it to look for any username that is NOT "_mbsetupuser". Might even do a check to see if the finder and dock are up. Hopefully running this on enrollment will work consistently. If it doesn't I can try what @jmahlman and @tthurman say to do.

@mbezzo Are all of your other install policies then set to run at enrollment complete as well or just at login?

Hi @joshuaw I only trigger one policy with enrollment complete, which kicks off a policy that starts a script that calls the policies in our preferred order (amongst other things). Technically, this shouldn't be necessary - but I like the regularity of knowing each and every computer will have things installed in the same order.

Good luck!

@mbezzo What script do you use to call policies in a certain order? Would like to try that

Hi @Geant-IT The script is super simple - just a bunch of:

#!/bin/sh
jamf policy -event customTriggerNameHere1
jamf policy -event customTriggerNameHere2

So you just need to set a custom trigger for the policies in question, then just use the script to call them in the order you'd like.

Thanks!
Matt

@Geant-IT You should look at the combination of DEPNotify and DEPNotify-Starter to automate your enrollment process. You can use it even if you're not currently using DEP/ADE (and if you aren't it'll make things even easier when you make that switch).

I run into this same issue, it installs crashplan as mpb user vs the actual user. So delaying the app installs would be great.

Have a look on that. This should help and i am using it for my enrollments.
A simple launchdaemon that checks some parameters before you go one with any installation.
https://github.com/Yohan460/JAMF-Enrollment-Kickstart

I'm not familiar with DEPNotify, though I did just read the DEPNotify readme file.

It's not clear to me how DEPNotify can solve this problem. If there's a feature in DEPNotify to run a script/package/whatever after the user is logged in, I'm not seeing it.

@stevenjklein The combination of DEPNotify and Jamf's DEPNotify-Starter script can be used to trigger as many policies as you want/need once the Setup Assistant completes if you set up a policy to run the DEPNotify-Starter script on the Enrollment Complete trigger