Jamf Nation, hosted by Jamf, is a knowledgeable community of Apple-focused admins and Jamf users. Join us in person at the ninth annual Jamf Nation User Conference (JNUC) this November for three days of learning, laughter and IT love.

Self Service work offline

I'd like for cached policies and software installs to be available in Self Service with an offline option. That way users can still perform tasks without being on the network.

Posted: by john.miller

Hey acostj,

Outside of maintenance tasks (fix permissions, etc), what types of workflows and support would be helpful for end users on an ongoing basis? We're making sure to understand the issue/workflows before looking at how we may be able to help.

Thanks

Posted: by acostj

John,

Would like to be able to use offline policies and have Self Service display those deemed offline and for Self Service to display and run. Basically like having Self Service run from an offline cache.

Thanks,
Jose

Posted: by bentoms

Jose,

By offline do you mean completely offline with no Internet connectivity?

If you mean offline from your WAN, but on the Internet... Then we do this already.

We've clustered our JSS so it's externally accessible. We've then scoped policies to a network segment like 1.1.1.1 > 255.255.255.255.

If that's ok for you, the only bit I'd say you'd need to add is a description to the policies or a category.

Posted: by easyedc

Is there a chance to get this Bumped and re-reviewed? To run policies from self service when users are in a position that they can't access the internet but could fix themselves with a published policy would be a huge help.

Posted: by yr_joelbruner

Indeed! Had a user who was offline over the holiday and needed to clean out System and Adobe font caches because of an Adobe Creative Suite font issue. I have a few scripts in Self Service that do this in one-click, it would have been a great help.

"Make Available Offline" is very misleading and the documentation does not make it clear that this will not truly make your policy available offline via Self Service. Pretty disappointed.

Posted: by bentoms

@yr_joelbruner, cluster your JSS with a limited access cloud accessible front end.

Then SelfService will work as long as you're online.

Posted: by tkimpton

Please JAMF, I want this!

Posted: by PeterClarke

The PENALTY cost of this - would be that the relevant packages would have to be pre-downloaded and cached locally
- even though they have NOT yet been chosen to be installed.

Unless this feature was implemented via some cloud storage (which would require an on-line connection) - so then not strictly off-line..

However if you want this - look at making a policy available as "Self-Service", "On-Going"
and tick "Make available off-line"..

I have not actually tried that combination myself... But it would seem to be offering what you want..
Penalty cost, is primarily disk space consumed by cached installers..

I would be interested to know if that combo actually works or not..
-- Certainly worth a try..

The combo is available in Casper Vn 8.73 (Version I am using), I expect it's also available in later versions, and might also be available in some earlier...

Posted: by mm2270

@PeterClarke - unfortunately the nature of the Self Service application is such that it will not work at all unless it can hit your JSS, as it loads up a webpage inside the app hosted from your JSS. So even if policies are cached for offline use and also set up for Self Service, you can't run them. You just receive an error in the SS app if it isn't able to load the page from the JSS.
That's the whole point of this request. If a policy is marked for offline use, it's not really able to be used offline. The only thing it means is that the trigger associated with the policy gets cached locally so even if the Mac can't communicate with the JSS, the policy still runs at the appointed time, trigger or on check-in.

Posted: by PeterClarke

I did wonder if that might be the case.

So to implement this feature the Self Service app - would need to be modified - to ALSO work with a local cached 'section' - independent of the standard on-line categories

i.e. Another orthogonal grouping kind, that a policy could be a member of - such that, this type then shows up off-line.
(subject to required data elements also having been already cached).

And any chosen install, would then have to be retrospectively confirmed to the JSS.

The main question is, is this really worth it ? - Since this is just one step away from pre-installing the items normally..
-- before you go off-line.

I can see some point to offering this to our Laptop users.
A problem we have with them is choosing 'when' to install items, currently we use almost 100% self-service for Laptop Users, but many fail to install items.

We have pushed some security updates. My main approach going forward is to implement a notification system, to encourage Laptop Users to use Self-Service more frequently.

That should improve the situation - But that does not really resolve the off-line issue.

So I voted this one up..

Posted: by mm2270

Agreed that it may not be worth implementing this given the niche uses for such a feature, not to mention the fact that the Self Service application model would need to be reworked, probably in a not insignificant way.
As @bentoms detailed, we also have our JSS clustered to allow a Limited Access JSS to live in the DMZ and it pretty much takes care of this capability.
Users no longer receive an error in Self Service if they aren't connected to the internal network in some way.

I can still see some small uses for this, but again, most would be better served by simply clustering and allowing DMZ access to their JSS. Along with that though one needs to make sure a DP (with all pkgs, scripts, etc synced regularly to it) is also available in the DMZ or almost any Self Service policy won't work.

As for your thoughts on notifying users of items in Self Service, it also presents a challenge for us. I'd imagine you'll get a different answer from almost anyone you ask as there are lots of ways to address this. Casper Suite 9.x also has some additional capability in this area.
We're using a custom built version of terminal-notifier, so it's appropriately branded, to send up Notification Center messages to users about important new items in Self Service. You could similarly use jamfHelper, cocoaDialog, AppleScript and a couple of other tools to do similar things.

Posted: by seanbalsiger

I have a number of users that have an ongoing issue where they can't get an IP address when they're at home. We've found that following the instructions in the link below to delete some files out of /Library/Preferences/SystemConfiguration fixed it but I don't understand why they fix it. I made a script that will do that and would like to find a way that users can run that as root without giving them admin access. Obviously, they are completely offline when this happens.

http://osxdaily.com/2012/11/30/resolving-stubborn-wi-fi-connection-problems-in-mac-os-x/

Posted: by jjones

Has there been any headway with this? It would be a nice touch to add for users that take their system home from work and hit an issue that could be easily fixed with SS.

Posted: by yr_joelbruner

What @bentoms said -- ever since we got a JSS that is externally accessible, this has fallen off the radar (although I get alerts on this thread still :) anyway - it'd be such a headache to know what policies are offline and what are offline. Just get a limited access outward facing instance and be done with it. Give your network admins their favorite beer, cookies or whatever and get a VM or box that is outward facing. You will be SO happy you did.

Posted: by bentoms

@yr_joelbruner whoa.. Fun getting mentioned in a thread from a comment made way back!

Posted: by Nigelmcgrath

I feel that this feature would benefit greatly as I have found that pupils in my school have dropped off the network. If there was some sort of local storage on the iPad where you can make a policy offline and installable, that would be great. We use WIFI policies to connect to the school network. It saves the hassle of children coming to get the wifi password.

If this could be re-reviewed would be great.

Posted: by Sterritt

I agree there are enough edge cases where this would be highly useful - perhaps as a different setting to make this Self Service element available offline. It's all about enabling the edge cases with as much automation as possible, because that's where a majority of effort ends up being applied. The scenario is that a user is unable to get online because of restricted permissions preventing them from changing network configurations. It happens often enough in academic or highly secure environments that it should be implemented with big red warnings for us Jamf admins that it can cause problems if you're caching things like Creative Cloud.

Posted: by jtarantino

The cache feature would also be helpful when implementing a 'Open URL' or 'Send Mail' item in SelfService.

Currently those actions produce a 10-15s delay while SelfService contacts JSS and performs policy checks. User experience is awful and most of them click multiple times not understanding why the link is not handled instantly.

Posted: by PUmacTool

For my needs, having a cached policy available offline would be a huge boost to Self Service usage. We currently discourage permanent local admin rights, but it's a battle that we lose politically. I'm currently working on a mechanism to grant users admin rights for 30 minutes which would cut the admin right arguments from our users down quite a bit. The last argument is when mobile users have no connection to the internet. There have been more than a few cases of our users attending conferences where software was distributed to them, but they couldn't install because they were unable to get administrative privileges. We have Avecto's Instant Authorize on the Windows machines, but I'd rather avoid the expense of buying clients for Macs.

Posted: by Jookyseacap

We would also find the ability to load Self Service and utilize offline policies extremely helpful. We have recently removed administrator rights from computers, and being able to put some policies in Self Service for the users to run when offline (such as an offline policy to run networksetup allowing users to enter in a new wifi key for an existing SSID) would be quite helpful.

Posted: by Malcolm

I'd like the ability to have script based policies be cached.

Presently with Jamf 10.16.2, you simply can't load Self Service while there's no network connection. Script based policies are low in file size and could help elevate a number of self-repair based processes, if they were available offline.

As well as the ability to launch maintenance based policies.

E.g. executing disk first aid.
deleting the networkinterfaces.plist and rebooting.
forcing a time server update.

Looks like this suggestion has been sitting under review for some time.

@melissaantoine

Posted: by diradmin

@john.miller We also would like to see this reviewed by Jamf, as the ability for our users to leverage the elevated privileges available from running tasks per Self Service while offline (no or limited network connectivity) would be of great value.

The use case would involve the ability to execute remedial tasks through Self Service in response to a failed "posture check" of the machine for VPN connectivity. While the machine is in this quarantined state, network connectivity is restricted.

Our use of Jamf is to a large extent centered around the Self Service "end-user" experience. This capability would greatly enhance that experience and allow us to continue to take full advantage of Self Service as a one-stop-shop, top to bottom.

Posted: by bmagistro

Similar to others here, our most recent use case is to make it easy for folks to restart the VPN client. We've experienced issues when switching networks, where the client may hang and not reconnect. Being able to cache (could even package the script) and allow them the ability to run this while completely disconnected (no internet + no JSS connection) via Self Service would be convenient.

Posted: by Fiktif

I've been circling back to this post for a while now and am still wondering WHY Jamf hasn't done ANYTHING yet!
The issue is obvious. It totally takes out the sole purpose of why we're using this management tool.
It needs to be able to run (at least) at bare minimum level without an internet connection.
@john.miller Is there a way to submit a request to have this looked into?

Posted: by ladygreyjedi

I'm amazed this isn't already an option. There is obviously already a way to cache packages and policies offline. The Self Service app updates every launch, which is likely to cache the list of Policies and Apps. Self Service just needs to show it's offline, and have a refresh button.

This could be utilized in so many different ways:
Certificate updates
VPN software (that I user broke)
Policies to fix connection issues such as temporary wireless connection
When Self Service won't connect to JSS, but the jss framework can reach it without issue
