Check for MDM Profile

jared_f
Valued Contributor

Hi All!

In my quest to automate everything I decided to roll out a script that checks if the user is enrolled with our MDM and, if they are not, goes to our backup profile that is saved in the Library and installs it. I was testing it by running it, and it seems that it doesn't see our MDM Profile and still wants to install the new one. I think it has something to do with how I have it exit, but I cannot figure it out.

#!/bin/bash

# Look for the MDM profile identifier in the list of installed profiles.
if sudo profiles -P | egrep -q ': com.YOUR IDENTIFIER$'; then
  exit 0
else
  # The path contains a space, so it has to be quoted.
  profiles -I -F "/Library/Sandbox/MDM Profile.mobileconfig"
fi

Thanks for any help,
Jared


8 REPLIES

jared_f
Valued Contributor

If you want to know why I am doing this, it is because some people like to remove our profiles because they don't understand what they do. So, in my goal to automate, I decided to add this function to check every time the user triggers a login. Yes, I could lock it out, but I cannot because that is how the Apple TV networks are installed for AirPlay mirroring. Again, thanks for any help.

donmontalvo
Esteemed Contributor III

Wait...you're installing "MDM Profile.mobileconfig" manually?

Pretty sure THAT profile has to be installed by the MDM server, no?

Am I missing something? :)

--
https://donmontalvo.com

jared_f
Valued Contributor

@donmontalvo Yes, it is installed in a "manual" type of way, but once it is installed it communicates with the server to finish enrollment. We have our "MDM Profile.mobileconfig" set to add itself to /Sandbox during our "Starter.pkg" install and we use a command (see above) that automatically installs the profile for the user (it is a post install script). When that profile is added, it communicates with our server and enrolls itself. It is no different than using the command line to install any other ".mobileconfig".

The issue we are having:
Some of our users like to delete our MDM Profile because they are admins. I am aware that I can block out Profiles, but I cannot because sometimes users have to install them. My idea is to have a login script (above) that will check to see if our Management Profile is installed, if it is the script will just end and if it is not, the command

profiles -I -F "/Library/Sandbox/MDM Profile.mobileconfig"

will run and it will go to /Sandbox and reinstall the MDM Profile. The issue I am having is that the command to install seems to execute even though I have the MDM Profile on the system. I think it is the way I have it scripted.

jared_f
Valued Contributor

I think I may have found out why it is trying to reinstall it...

MDM Profiles are installed under "Device Profiles", while every other profile is installed under "User Profiles". Does anybody know how I can make it look under "Device Profiles" and reinstall it under device profiles?

Thanks.
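An added example (not code from the thread) of the check the post above is after: it looks only at device-level entries, which `profiles -P` lists under the `_computerlevel` scope, so a copy of the same identifier installed at user scope does not count as enrolled. The identifier is a placeholder, and the sample `profiles -P` output is constructed for the demonstration; the format is assumed from what older macOS releases print.

```bash
#!/bin/bash
# Added example: decide whether the MDM profile needs reinstalling by looking
# only at device-level ("_computerlevel") lines of `profiles -P` output.

MDM_IDENTIFIER="com.example.mdm"                         # placeholder identifier
MDM_PROFILE="/Library/Sandbox/MDM Profile.mobileconfig"  # path from the thread

# Constructed sample of `profiles -P` output as seen by root: the MDM profile is
# at device scope, a Wi-Fi profile is at user scope (format assumed).
SAMPLE_OUTPUT='_computerlevel[1] attribute: profileIdentifier: com.example.mdm
jared[1] attribute: profileIdentifier: com.example.wifi
There are 2 configuration profiles installed'

# mdm_profile_installed <identifier> <profiles -P output>
# Returns 0 when the identifier is installed at device scope, 1 otherwise.
# The case pattern keeps dots in the identifier literal (no regex surprises).
mdm_profile_installed() {
  local ident="$1" output="$2" line
  while IFS= read -r line; do
    case "$line" in
      "_computerlevel["*"] attribute: profileIdentifier: ${ident}") return 0 ;;
    esac
  done <<EOF
$output
EOF
  return 1
}

# decide_action <identifier> <output>
# Prints "ok" or "reinstall" so the decision can be logged or tested.
decide_action() {
  if mdm_profile_installed "$1" "$2"; then
    echo ok
  else
    echo reinstall
  fi
}

# Live use (needs root); uncomment to run against the real system.
# if [ "$(decide_action "$MDM_IDENTIFIER" "$(profiles -P 2>/dev/null)")" = reinstall ]; then
#   profiles -I -F "$MDM_PROFILE"   # quoted because the path contains a space
# fi

# Demonstration on the constructed sample
decide_action "$MDM_IDENTIFIER" "$SAMPLE_OUTPUT"     # ok
decide_action "com.example.wifi" "$SAMPLE_OUTPUT"    # reinstall: only at user scope
```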

adamcodega
Valued Contributor
-I  Install a configuration profile for a particular user from a profile file.
-i  Install a provisioning profile from a profile file.

You may want to use a lowercase i. Also, you might like to check out two open source projects: CasperCheck and Deadpool.

CasperCheck will reinstall the Jamf agent and MDM profile by downloading and running a QuickAdd if it finds the agent is not installed anymore or there are any communication issues contacting the Jamf server.

Deadpool is similar; it also improves Jamf's logging, but it won't reinstall if Jamf was removed by a user.

Also, it's worth bringing up that if people are unenrolling themselves or have issues with device management, you should be transparent and talk to them about their concerns, and maybe even find that Jamf is causing an issue somehow. It will help IT more in the long run to work with them instead of forcing things "because we said so".

There are several good 2013, 2015, and 2016 JNUC talks on this topic from Facebook, Tumblr, and Spotify.

bentoms
Release Candidate Programs Tester

+1 to CasperCheck, this post also has a method to check the MDM profile.

jared_f
Valued Contributor

@adamcodega @bentoms Thank you to all of you for the help. Lowering the "I" did fix my issue. I will take a look into the other options you guys brought up.

Thanks!
Jared

jared_f
Valued Contributor

@adamcodega The lowercase "i" does not actually work. It is funny because we use the same command (the uppercase "I" install) and the MDM Profile seems to install under computer settings, but when using a script it installs under user profiles.