Skip to content

Jamf Pro WATCH Dog: Monitor and self heal Jamf Pro enrolment if framework is removed from a client computer

License

Notifications You must be signed in to change notification settings

dvasquezavant/JamfWATCH-Updated

 
 

Repository files navigation

JamfWATCH

Jamf Pro WATCH Dog: Monitor and self heal Jamf Pro enrolment if framework is removed from a client computer

Last tested with Jamf Pro 10.41.0-t1661887915 & macOS 12.6

Note: any User Initiated Enrollment devices re-enrolled via this method will NOT have user approved MDM (UAMDM) status automatically on macOS 10.15 or lower and will not have the MDM profile re-installed on macOS 11 or higher. For best results use on macOS devices enrolled via Automated Device Enrollment AKA DEP with MDM profile removal disabled.

//How To Install//

Add the Install and Check script to your Jamf Pro Server and assign to polices as noted below

//Install Script//


#Context: This should be a script in Jamf Pro assigned to/run via a Policy
#Purpose: Create and load the files needed to monitor and self heal Jamf Pro enrolment if framework is removed
#Policy Scope: All Computers & All Users (or just user/device groups where users have admin rights)
#Policy Site: None/All or inline with above
#Policy Frequency: Once Per Computer
#Policy Trigger: Check-In or Enrolment or Start-Up

Define Variables

  1. Jamf Pro URL
  2. Invitation ID


#Note: make sure to edit between the "" quotes. Leave all other formatting intact
#Include port number in URL and do not use ending slash as per examples in the script

How to get Invitation ID? OLD WAY


#On any macOS device, use the Jamf Recon.app to generate a quick add package with the
#correct settings for enrolment including management account, SSH settings, etc
#Then, use composer or similar tool to extract the post-install script
#Near the end of the script will be a multi-use enrolment ID like the one seen below
#Replace the one below with your invitation ID from the QuickAdd package
#IMPORTANT: do not generate your QuickAdd package from the User Initiated Enrolment Page
#This will give you a one time enrolment ID which will not work for this use case
#Only use an ID found in a recon generated QuickAdd package

How to get Invitation ID? NEW WAY


As Recon is being deprecated in a future release of Jamf Pro I now suggest to use the API to get the ID.
Head to https://yourJAMFPROserver/classicapi/doc/#/computerinvitations/findComputerInvitations and authenticate to the swagger UI.
Use the "Try It Out" feature to get a list of invitiations. Look for "invitation_type":"DEFAULT" and copy the long numeric "invitation" string before it.

//Check Script//


#Context: This should be a script in Jamf Pro assigned to/run via a Policy
#Purpose: Verify a computer is communicating with the JSS correctly & quickly
#Policy Scope: All Computers & All Users
#Policy Site: None/All
#Policy Frequency: Ongoing
#Policy Custom Trigger: JamfWATCHCheck
#Example Command to Run on Client Machine:
# /usr/local/jamf/bin/jamf policy -event JamfWATCHCheck | grep "Script result" | awk '{print $3}'

//Testing & Logs//

Once the scripts and polices have been created in Jamf Pro, enrol a testing machine into your Jamf Pro Server, install JamfWATCH, and then run:

sudo jamf removeFramework

If JamfWATCH is installed correctly, the log at /var/log/JamfWATCH.log will start populating its activities immediately

About

Jamf Pro WATCH Dog: Monitor and self heal Jamf Pro enrolment if framework is removed from a client computer

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Shell 100.0%