Jamf slays the dreaded enrollment race condition #kudos

donmontalvo
Esteemed Contributor III

If you're noticing your KEXT and/or TCC whitelist isn't working, well, we noticed that too.

We reported what we believed to be a race condition, causing KEXT dialog boxes for what we had already whitelisted.

Same for TCC, something seemed to be out of whack.

Confirmed, fixed in 10.9.0:

Hi Don, Yes, this is also the case for the certificate/profile enrollment workflow prior to version 10.9.0 that we just released. You can have race conditions with enrollment complete installations. However, we have eliminated that in 10.9.0 in this way: "Policies initiated by the enrollment complete trigger in Jamf Pro will now be run by the Jamf binary in the background instead of through the "enroll" script (an unsigned binary). The result of this change is to enable IT administrators with the ability to suppress TCC prompts on a managed Mac so Privacy Preference Policy Control payloads can be used to suppress prompts to end users that could occur as a result of custom scripts run at enrollment. As an IT administrator, I would like to manage Privacy Preferences Policies on managed computer to prevent users from seeing pop-ups when computer management tasks are running as a result of enrolling into Jamf Pro. Prior to Jamf Pro version 10.9.0, when a policy that would trigger a TCC user prompt is triggered by the enrollment complete trigger, there would be no way for a Jamf Pro administrator to whitelist the process because it was being run by an unsigned binary ‘enroll’ (in the Jamf binary). In Jamf Pro 10.9.0, we have made a change so that parent process of a script running as a result of an enrollmentComplete trigger is independent of the ‘enroll’ binary and runs in the background where the parent process is launchD." That was a statement from Dev on the change that was made. You can see that we focused on TCC or PPPC for this statement, but KEXT behaves pretty much the same way. I believe that if we move to version 10.9.0 and to the new certificate/profile enrollment workflow, we should no longer have this KEXT popup problem on machines. Regards, XXXXXXX Jamf Support
--
https://donmontalvo.com
2 REPLIES 2

DFree
New Contributor III

Thanks for posting this and just a note. This is all fine and dandy for DEP-enrolled machines which automatically kick off. My testing here agrees with your post.

As a note for non-DEP automatic enrollment mac's...I just created a new quickadd package in case 10.9.0 baked something else into the QuickAdd package to stop the race conditions or prompt the user to go to their MDM profile and click approve (and hold off running any other policies, etc until that is done), but sadly no change.

donmontalvo
Esteemed Contributor III

Speaking of race conditions...

--
https://donmontalvo.com