Update – CasperCheck & enrollmentComplete Jamf Policies

In a previous post I went through my process for editing the postinstall script of a Jamf QuickAdd package for use with Rich Trouton’s CasperCheck tool so that it does not trigger any enrollmentComplete policies you may have.

Recently I completed an upgrade of our production JSS (Jamf Pro) and found that since version 9.82 Jamf has changed this postinstall script slightly.  The process itself hasn’t changed, but the line in the script you comment out to prevent enrollmentComplete policies from running is different.

Notice that the enroll -invitation command on line 40 now includes the -noPolicy flag by default.  Only after confirming that this enroll command completes successfully does the script run policy -event enrollmentComplete.

The only other notable change is line 30 where it creates the jamf config file (/Library/Preferences/com.jamfsoftware.jamf.plist).  You’ll notice the new -verifySSLCert flag.  This is what determines whether or not the client will verify the SSL certificate on the JSS.  There are 3 options here:

  • always (default) – this should be used unless your JSS uses a certificate from the built-in Certificate Authority.
  • always_except_during_enrollment – this is the option we use, and is recommended if you are using the built-in Certificate Authority in your JSS.
  • never – does not check the certificate on the JSS.

Make sure then that you build your QuickAdd package after you configure this on your JSS to ensure the proper value is applied to your machines should CasperCheck run.
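
Before packaging an edited QuickAdd, the points above can be checked mechanically. The following is an added example, not code from this post, Jamf or CasperCheck: it audits a postinstall script for the -verifySSLCert value, the -noPolicy flag and an enrollmentComplete trigger that is still active. The sample script, the jss.example.com URL and the rule that never or a missing flag counts as a failure are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not Jamf's or CasperCheck's code: audit an edited postinstall.

# Drop comment lines so a commented-out command is not counted as active.
active_lines() { grep -v '^[[:space:]]*#' "$1"; }

# Print the -verifySSLCert value the script passes, or "unset" if none.
verify_ssl_mode() {
    _m=$(active_lines "$1" |
        sed -n 's/.*-verifySSLCert[[:space:]]\{1,\}\([A-Za-z_]\{1,\}\).*/\1/p' | head -n 1)
    echo "${_m:-unset}"
}

# Succeed if an active line still fires the enrollmentComplete trigger.
fires_enrollment_complete() {
    active_lines "$1" | grep -q -e '-event[[:space:]]\{1,\}enrollmentComplete'
}

# Succeed if the active enroll -invitation command carries -noPolicy.
enroll_has_nopolicy() {
    active_lines "$1" | grep -e 'enroll[[:space:]]\{1,\}-invitation' | grep -q -e '-noPolicy'
}

# Print one finding per check; return 0 only if every check passes.
audit_postinstall() {
    _rc=0; _mode=$(verify_ssl_mode "$1")
    case "$_mode" in
        always|always_except_during_enrollment) echo "OK   verifySSLCert=$_mode" ;;
        *) echo "FAIL verifySSLCert=$_mode"; _rc=1 ;;
    esac
    if enroll_has_nopolicy "$1"; then echo "OK   enroll uses -noPolicy"
    else echo "FAIL enroll runs without -noPolicy"; _rc=1; fi
    if fires_enrollment_complete "$1"; then
        echo "FAIL enrollmentComplete trigger is still active"; _rc=1
    else echo "OK   enrollmentComplete trigger is commented out"; fi
    return "$_rc"
}

# Constructed sample, not Jamf's real script. $2 = SSL mode, $3 = line prefix.
write_sample() {
    cat > "$1" <<EOF
#!/bin/sh
jamf createConf -url 'https://jss.example.com:8443/' -verifySSLCert $2
jamf enroll -invitation PLACEHOLDER -noPolicy
enrolled=\$?
${3}[ \$enrolled -eq 0 ] && jamf policy -event enrollmentComplete
EOF
}

tmp=$(mktemp); write_sample "$tmp" always_except_during_enrollment "# "; audit_postinstall "$tmp"; rm -f "$tmp"
```

To audit a real package, expand it and pass the path of its postinstall script to audit_postinstall in place of the sample file.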
