User initiated enrollment behind corporate proxy

mnickels
New Contributor III

Hello everyone,

I am new to Jamf, and I am seeing an issue during the user enrollment process for macOS. I am using the hosted version of Jamf.

When I am outside of my corporate network, enrollment works fine, and the jamf binary gets installed.
When I am inside of my corporate network, I get to the screen that says "enrollment complete", but the jamf binary is not installed.

In talking with my firewall guys, it appears that the user initiated enrollment sends a command to download and install the jamf binary. However, this command seems to be ignoring my system proxy settings and trying to take a direct route to the download, which is blocked by our firewall. My security team is not going to open their firewall to all of AWS to get this to work (although we temporarily tested it, and it did work).

Is there a secret to getting the agent to download through the proxy so that on-premise enrollments can complete successfully?

5 REPLIES

e_altbart
New Contributor

Seeing the same issue here, no resolution yet. We have an open case on that matter; if anything pops up, I'll post it here.

MTFIDjamf
Contributor II

@mnickels Are you using Auto Proxy settings with a PAC file on the Macs?

Asking because we do. And with Mojave, it does not work for enrollment through the enrollment URL or QuickAdd. We have had to set the HTTP/HTTPS as the default proxy settings with URL and port, no account authentication. With those both set, and Auto Proxy disabled, enrollment then works.

Our Jamf instance is on-prem. We have proxy settings to allow the servers and clients to talk out to APNS. We only enroll devices within the corporate network.

I know that it is not exactly what you are seeing but seems similar.

We have cases opened with Apple and Jamf on this as El Cap/High Sierra did not exhibit this behavior.

e_altbart
New Contributor

Yes, we do as well. Are you saying that the Jamf agent is able to "read" http-proxy settings correctly? Thanks for the hint. We'll give it a try and see what happens, and will post an update if there is a change.

scheb
New Contributor III

The solution here is to set proxies for curl, before you begin the enrollment. I set it explicitly in .curlrc (as the root user), but you can use environment variables as well.

My solution for Catalina and older versions of macOS:
create file called /var/root/.curlrc
contents of file are: proxy = proxyservername:port
example: proxy = proxy.company.com:8080

That's all you need from the hidden perspective. Don't forget to also set proxies in network properties!

scheb
New Contributor III

I stumbled into this again with Big Sur. After MUCH testing, I figured out that enrollment (called the quickadd lightweight package) is now executed by the _appstore user and not root.

My solution for Big Sur and newer versions of macOS:
create file called /var/db/appstore/.curlrc
change owner/group of file to _appstore:_appstore
contents of file are: proxy = proxyservername:port
example: proxy = proxy.company.com:8080
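
The two .curlrc locations described in the replies above, combined into one script. This is an added example, not part of the original thread: the function names and the optional staging-prefix argument are hypothetical, and the proxy value is the thread's own example.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the optional
# third argument (a staging prefix for dry runs) are hypothetical.

# Print the .curlrc location for a macOS product version such as 10.15.7.
curlrc_path_for() {
    major=${1%%.*}
    if [ "$major" -ge 11 ]; then
        echo "/var/db/appstore/.curlrc"   # Big Sur and newer: _appstore user
    else
        echo "/var/root/.curlrc"          # Catalina and older: root
    fi
}

# write_curlrc VERSION HOST:PORT [PREFIX]; prints the path it wrote.
write_curlrc() {
    version=$1; proxy=$2; prefix=${3:-}
    # Accept only host:port so nothing else ends up in a curl config file.
    case "$proxy" in
        ""|*[!A-Za-z0-9.:-]*|*:*:*|:*|*:|*:*[!0-9]*)
            echo "invalid proxy: $proxy" >&2; return 1 ;;
        *:*) ;;
        *)  echo "invalid proxy: $proxy" >&2; return 1 ;;
    esac
    target="$prefix$(curlrc_path_for "$version")"
    mkdir -p "$(dirname "$target")" || return 1
    printf 'proxy = %s\n' "$proxy" > "$target" || return 1
    # Readable by the enrolling user, writable only by its owner.
    chmod 644 "$target" || return 1
    # Big Sur and newer: the file must belong to _appstore. Needs root, and
    # is skipped where that account does not exist (e.g. a staging run).
    case "$target" in
        */var/db/appstore/.curlrc)
            if [ "$(id -u)" -eq 0 ] && id _appstore >/dev/null 2>&1; then
                chown _appstore:_appstore "$target" || return 1
            fi ;;
    esac
    echo "$target"
}

# On a Mac, as root, before starting enrollment:
#   write_curlrc "$(sw_vers -productVersion)" proxy.company.com:8080
```

A .curlrc applies to every curl call made by that user, so keep the file writable only by its owner and remove it after enrollment if the proxy should not apply permanently.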