CasperCheck & enrollmentComplete Jamf Policies

This post covers how to configure CasperCheck so that it does not rerun policies you may have configured in your JSS / jamf pro with the enrollmentComplete policy trigger.

Know that I do not cover all the ins and outs of configuring CasperCheck here.  Go on over to the CasperCheck Github repo for that.

I welcome your comments and feedback, so if this guide helped you or you’re having issues, feel free to post a comment.  You can also hit me up on the MacAdmins Slack group.  If you’re not already a member, you can sign up here.

The Problem

CasperCheck requires a QuickAdd package in order to automatically reenroll a Mac that either no longer has the jamf binary or can no longer run policies.

In our environment we utilize the enrollmentComplete policy trigger to run several policies post-enrollment that install our local admin account, run a script, install our Wi-Fi profile, and a few other things we need to configure.

The problem arises with the default QuickAdd package postinstall script, as it runs the below command:

########################################
## Run enroll
####################################################
$jamfCLIPath enroll -invitation XXXXXXXXXXXXXXXXXXXXXXXXXX

This reenrolls the Mac with the invitation (which does not expire) and checks for policies with the enrollmentComplete trigger.  If you have policies that use this trigger and computers are still in their scope, those policies will rerun when CasperCheck reenrolls the computers using the standard QuickAdd package, potentially producing issues you would really like to avoid.

The Solution

Edit your QuickAdd package’s postinstall script for use with CasperCheck by adding the -noPolicy flag to the enroll command, which prevents it from triggering your enrollmentComplete policies.

See more details below.

What is & Why Use CasperCheck?

If you use the Casper Suite (now jamf pro), CasperCheck is an excellent automation tool for ensuring your enrolled Macs stay enrolled and under management.

Whether the jamf binary (/usr/local/jamf/bin/jamf) no longer exists (say a user manually ran jamf removeFramework) or the Mac is just having issues running policies, CasperCheck can automatically reenroll the machine to resolve the issue without you needing to physically touch the machine or manually intervene.

Head over to Rich Trouton’s blog for more details on how CasperCheck works and how you might deploy it in your environment.

You can find CasperCheck – the script, LaunchDaemon, and CasperCheck policy – on Github – https://github.com/rtrouton/CasperCheck

About jamf enroll

On a machine enrolled with your JSS, run jamf help enroll in Terminal.app.  This will reveal additional flags you can specify with the enroll command.  You can run jamf help <command> to get more information on other jamf binary commands as well.

At the bottom of the list, you should notice the -noPolicy flag:

-noPolicy      Stops enroll from checking for enrollment policies.

This is the flag you want to add to your QuickAdd package postinstall script to prevent your enrollmentComplete policies from running with CasperCheck.

The CasperCheck QuickAdd Package

As part of the CasperCheck configuration, you need to create a QuickAdd package which will be cached on every managed Mac that has CasperCheck.  This is what the CasperCheck script will use to reenroll the computer.

To create your QuickAdd package you’ll need to have the Recon.app installed on your machine.  In the Recon.app, select QuickAdd Package from the left sidebar and enter your JSS Management Account info.  Make sure to create the management account if it doesn’t exist.  Choose any of the additional checkboxes & settings as needed by your environment.

An important note here – if you use a specific password for your JSS Management Account which changes every year for example, you will have to create a new QuickAdd package with these updated credentials for CasperCheck as well as complete the steps below.


When you click Create this will build your QuickAdd package.  If you use a tool like Suspicious Package you can take a peek inside and see what’s up.  You’ll find that the PKG installs a GZip archive file with the necessary jamf binaries and then a postinstall script moves the binaries in place and enrolls the machine with your JSS.


Now that you have a QuickAdd package, you’ll want to open the Composer.app and drag it into the left sidebar.  Select it and click Convert to Source.  This will unpack your package so you can make changes to it.


Once unpacked, navigate to the Scripts folder within the QuickAdd source by clicking the dropdown arrows and select the postinstall script to reveal its contents.  Under the Run enroll section, add the -noPolicy flag after the invitation string.  Adding this flag will stop the enroll command from checking for enrollmentComplete policies.


Once you’ve saved your postinstall script, select your QuickAdd source from the left sidebar and select the Build as PKG button to build your new QuickAdd package.

Now you have a QuickAdd package which will not trigger your enrollmentComplete policies when used by CasperCheck!
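The post does the postinstall edit by hand in Composer.app.  The shell functions below are an added example (they are not from the post, from CasperCheck, or from Jamf) that make the same edit in an idempotent, checkable way: they find the "$jamfCLIPath enroll -invitation …" line, append -noPolicy to it only if it is not already there, and let you verify the result before you click Build as PKG.  The sample postinstall script written by write_sample_postinstall is constructed for the example, and its invitation value is a placeholder; the only assumption about the real script is that its enroll line has the shape quoted earlier in the post.

```shell
#!/bin/sh
# Added example, not the post's or CasperCheck's own code.
# Assumes the QuickAdd postinstall script's enroll line looks like the one
# quoted in the post: "$jamfCLIPath enroll -invitation <id>".

# Write a constructed sample postinstall script (a stand-in for the one
# Recon.app generates) to the path given as $1. Placeholder invitation.
write_sample_postinstall() {
    cat > "$1" <<'EOF'
#!/bin/sh
jamfCLIPath="/usr/local/jamf/bin/jamf"
########################################
## Run enroll
########################################
$jamfCLIPath enroll -invitation XXXXXXXXXXXXXXXXXXXXXXXXXX
exit 0
EOF
}

# Return 0 if the enroll line in script $1 already carries -noPolicy, else 1.
enroll_has_nopolicy() {
    grep -E '^\$jamfCLIPath[[:space:]]+enroll[[:space:]].*-noPolicy' "$1" >/dev/null 2>&1
}

# Append -noPolicy to the enroll line in script $1 unless it is already there.
# Idempotent: running it twice leaves the file unchanged the second time.
# Returns 0 on success, 2 if no enroll line of the expected shape was found.
add_nopolicy() {
    script="$1"
    if enroll_has_nopolicy "$script"; then
        return 0
    fi
    if ! grep -E '^\$jamfCLIPath[[:space:]]+enroll[[:space:]]' "$script" >/dev/null 2>&1; then
        echo "no enroll line found in $script" >&2
        return 2
    fi
    tmp="$script.tmp"
    # Only the enroll line is rewritten; every other line passes through as-is.
    # The flag is inserted right after the invitation value, matching the post.
    sed -E 's/^(\$jamfCLIPath[[:space:]]+enroll[[:space:]].*-invitation[[:space:]]+[^[:space:]]+)(.*)$/\1 -noPolicy\2/' "$script" > "$tmp" \
        && mv "$tmp" "$script"
}

# Print the enroll line of script $1 so you can eyeball it before rebuilding.
show_enroll_line() {
    grep -E '^\$jamfCLIPath[[:space:]]+enroll' "$1"
}
```

Point add_nopolicy at the postinstall file inside your converted QuickAdd source, then run show_enroll_line on it; the line should end in -noPolicy and the rest of the script should be untouched.  After you build the new package, you can confirm the flag made it in by expanding the PKG with pkgutil --expand and grepping its postinstall for -noPolicy.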

Vote Up the Jamfnation Feature Request

Back in 2016 I submitted a feature request on Jamfnation to have the Recon.app include the option when building QuickAdd packages to prevent triggering enrollmentComplete policies as a checkbox right in the app.

If the process outlined here is something you’d prefer not to have to do manually, please take a moment to up-vote it!

https://www.jamf.com/jamf-nation/feature-requests/4937/add-quickadd-pkg-ability-to-prevent-triggering-enrollmentcomplete-policies
