Automatically fixing Casper Mac MDM enrollment
While I was working on a new laptop this afternoon, I noticed that the Profiles icon was missing from System Preferences.
This system was managed by our Casper server and we’re using both certificate-based communication and an APN certificate, so it should have been there. Moreover, when I ran profiles -P, I saw that no profiles were installed.
Running jamf mdm -verbose fixed the issue by installing the MDM certificate, but I wanted to ensure that any other machines with the same issue were found and then automatically fixed by Casper. After a little research, I have a process that does this. See below the jump for details.
Update – 9-8-2013: It looks like Casper 9.x handles MDM certificate re-enrollment differently than Casper 8.x does. To avoid any confusion, I’m removing the Casper 9.x information from this post. Once I’ve got the right method, I plan a follow-up post covering how to do this with Casper 9.x.
JAMF provides three extension attributes with your Casper JSS server to help you identify machines with either problematic SSL certificates or missing MDM certificates.
JSS Certificate Validation
Verify Certificate Based Communication
Verify MDM Enrollment
All can be installed from the JAMF Software category of your JSS server’s Extension Attribute Templates.
From there, you can set up a Smart Group to look for machines that fit the following criteria:
JSS Certificate Validation – Success
Verify Certificate Based Communication – Enabled
Verify MDM Enrollment – Not Enrolled
It should also currently be scoped to look for Macs running 10.7.x or higher, as earlier OSs won’t be enrolled in MDM.
Here’s how the smart group I set up looks in Casper 8.x:
From there, set up a policy that is scoped to run on members of that smart group. The policy I set up will run the jamf mdm -verbose command to install the MDM certificate on the Mac, then run a new inventory. The inventory update process should then allow the JSS to detect that the MDM certificate has been installed and take the machine out of the smart group.
Here’s how the policy I set up looks in Casper 8.x: