Jamf Pro WATCH Dog: Monitor and self heal Jamf Pro enrolment if framework is removed from a client computer
Last tested with Jamf Pro 10.41.0-t1661887915 & macOS 12.6
Note: any User Initiated Enrollment devices re-enrolled via this method will NOT have user approved MDM (UAMDM) status automatically on macOS 10.15 or lower and will not have the MDM profile re-installed on macOS 11 or higher. For best results use on macOS devices enrolled via Automated Device Enrollment AKA DEP with MDM profile removal disabled.
Add the Install and Check scripts to your Jamf Pro Server and assign them to policies as noted below
#Context: This should be a script in Jamf Pro assigned to/run via a Policy
#Purpose: Create and load the files needed to monitor and self heal Jamf Pro enrolment if framework is removed
#Policy Scope: All Computers & All Users (or just user/device groups where users have admin rights)
#Policy Site: None/All or inline with above
#Policy Frequency: Once Per Computer
#Policy Trigger: Check-In or Enrolment or Start-Up
- Jamf Pro URL
- Invitation ID
#Note: make sure to edit between the "" quotes. Leave all other formatting intact
#Include port number in URL and do not use ending slash as per examples in the script
#On any macOS device, use the Jamf Recon.app to generate a quick add package with the
#correct settings for enrolment including management account, SSH settings, etc
#Then, use Composer or a similar tool to extract the post-install script
#Near the end of the script will be a multi-use enrolment ID like the one seen below
#Replace the one below with your invitation ID from the QuickAdd package
#IMPORTANT: do not generate your QuickAdd package from the User Initiated Enrolment Page
#This will give you a one time enrolment ID which will not work for this use case
#Only use an ID found in a recon generated QuickAdd package
As Recon is being deprecated in a future release of Jamf Pro, I now suggest using the API to get the ID.
Head to https://yourJAMFPROserver/classicapi/doc/#/computerinvitations/findComputerInvitations and authenticate to the Swagger UI.
Use the "Try it out" feature to get a list of invitations. Look for "invitation_type":"DEFAULT" and copy the long numeric "invitation" string before it.
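The same lookup can be scripted instead of clicking through the Swagger UI. The following is an added example, not part of the JamfWATCH project: it assumes the Classic API list endpoint GET /JSSResource/computerinvitations (the resource behind the findComputerInvitations page above), a bearer token from POST /api/v1/auth/token, and that the JSON list is wrapped in a "computer_invitations" array whose records carry the "invitation" and "invitation_type" fields named above. Every other field in the constructed sample response is a placeholder.

```python
"""Pick the multi-use (DEFAULT) computer invitation out of the Jamf Pro Classic API.

Added example for the JamfWATCH README, not the project's own code. Assumptions:
GET /JSSResource/computerinvitations returns {"computer_invitations": [...]} and
each record has "invitation" and "invitation_type" (the two fields the README
tells you to look for). Run with: python3 find_invitation.py --server https://host:8443 --user apiuser
"""
import argparse
import base64
import getpass
import json
import urllib.request
from typing import Optional


def get_bearer_token(server: str, username: str, password: str) -> str:
    """Exchange API-user credentials for a short-lived bearer token (POST /api/v1/auth/token)."""
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{server}/api/v1/auth/token",
        method="POST",
        headers={"Authorization": f"Basic {creds}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["token"]


def fetch_invitations(server: str, token: str) -> dict:
    """GET the invitation list as JSON. 'server' includes the port and has no trailing slash."""
    req = urllib.request.Request(
        f"{server}/JSSResource/computerinvitations",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def select_default_invitation(payload: dict) -> Optional[str]:
    """Return the "invitation" value of the first DEFAULT record, or None if there is none.

    Records of any other type are skipped: a one-time invitation generated from the
    User Initiated Enrolment page is consumed by its first use and would silently
    break later self-heal attempts. The value is returned as a string because the
    README wants it pasted between "" quotes in the install script.
    """
    for rec in payload.get("computer_invitations", []):
        if rec.get("invitation_type") != "DEFAULT":
            continue
        value = str(rec.get("invitation", "")).strip()
        if value.isdigit():  # the multi-use ID is a long numeric string
            return value
    return None


# Constructed sample response for offline use. Only "invitation" and
# "invitation_type" are fields the README documents; "id" and the non-DEFAULT
# type value "ONE_TIME_SAMPLE" are placeholders, not real Jamf values.
SAMPLE_RESPONSE = {
    "computer_invitations": [
        {"id": 1, "invitation": 111111111111111111, "invitation_type": "ONE_TIME_SAMPLE"},
        {"id": 2, "invitation": 222222222222222222, "invitation_type": "DEFAULT"},
    ]
}


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Find the DEFAULT computer invitation ID")
    parser.add_argument("--server", required=True, help="e.g. https://yourJAMFPROserver:8443")
    parser.add_argument("--user", required=True, help="API user with read access to computer invitations")
    args = parser.parse_args()
    token = get_bearer_token(args.server, args.user, getpass.getpass("API password: "))
    invitation = select_default_invitation(fetch_invitations(args.server, token))
    print(invitation if invitation else "No DEFAULT invitation found")
```

Give the API user only read access to Computer Invitations, and treat the returned ID like a password: it lets any machine that presents it enrol into your Jamf Pro Server, which is exactly why the install script embeds it and why that script should not be left readable in world-accessible locations.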
#Context: This should be a script in Jamf Pro assigned to/run via a Policy
#Purpose: Verify a computer is communicating with the JSS correctly & quickly
#Policy Scope: All Computers & All Users
#Policy Site: None/All
#Policy Frequency: Ongoing
#Policy Custom Trigger: JamfWATCHCheck
#Example Command to Run on Client Machine:
# /usr/local/jamf/bin/jamf policy -event JamfWATCHCheck | grep "Script result" | awk '{print $3}'
Once the scripts and policies have been created in Jamf Pro, enrol a test machine into your Jamf Pro Server, install JamfWATCH, and then run:
sudo jamf removeFramework
If JamfWATCH is installed correctly, the log at /var/log/JamfWATCH.log will start recording its activity immediately.