
Migrating OS X Macs from one Apple push notification certificate to another using Casper

As mentioned previously, I needed to migrate my Casper server from the Apple Push Notification Service (APNS) certificate generated by one Apple ID to an APNS certificate generated by a different Apple ID.

This project is fairly straightforward, thanks to a couple of factors:

  1. The Casper server in question is managing only OS X devices.
  2. I have a way to identify via a Casper Extension Attribute which Macs have MDM profiles associated with the APNS certificate which is no longer active.

I was able to set up a Casper smart group to look for machines that fit the following criteria:

  • Criteria: Extension Attribute name (In this case, the EA is named Apple Push Notification Service certificate identifier.)
  • Operator: Like
  • Value: com.apple.mgmt.External.uuid_of_former_apns_certificate_goes_here


From there, I set up a policy that is scoped to run on the members of that smart group. For more details, see below the jump.

The policy I set up runs the script shown below to perform the following tasks:

  1. Remove the existing MDM profile.
  2. Request and install a fresh MDM profile from the Casper server (the new profile is issued under the new APNS certificate).
  3. Run a recon to update inventory.

Once the Extension Attribute reports the new certificate's identifier, the inventory update should take the machine out of the smart group, so the policy does not run on it again.

#!/bin/bash
# This script fixes the MDM computer-level profile for Casper

CheckBinary (){
    # Identify location of jamf binary.
    jamf_binary=$(/usr/bin/which jamf)
    if [[ -z "$jamf_binary" ]] && [[ -e "/usr/sbin/jamf" ]] && [[ ! -e "/usr/local/bin/jamf" ]]; then
        jamf_binary="/usr/sbin/jamf"
    elif [[ -z "$jamf_binary" ]] && [[ ! -e "/usr/sbin/jamf" ]] && [[ -e "/usr/local/bin/jamf" ]]; then
        jamf_binary="/usr/local/bin/jamf"
    elif [[ -z "$jamf_binary" ]] && [[ -e "/usr/sbin/jamf" ]] && [[ -e "/usr/local/bin/jamf" ]]; then
        jamf_binary="/usr/local/bin/jamf"
    fi

    # Bail out rather than running a bare "removeMdmProfile" command
    # if no jamf binary could be located.
    if [[ -z "$jamf_binary" ]]; then
        echo "Unable to locate the jamf binary. Exiting." >&2
        exit 1
    fi
}

# Run the CheckBinary function to identify the location
# of the jamf binary for the jamf_binary variable.
CheckBinary

# Remove the existing Casper MDM profile
"$jamf_binary" removeMdmProfile -verbose

# Request a new MDM profile from the Casper server
"$jamf_binary" mdm -verbose

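The page does not show the Extension Attribute that the smart group keys on, nor a way to confirm afterwards that a Mac is carrying a profile for the new certificate. The shell script below is an added example, not the author's EA or policy script: it pulls the `com.apple.mgmt.External.<uuid>` identifier out of a `profiles -C -v` listing (the EA value the smart group matches with "Like"), flags machines still on the retired certificate, and checks that a re-enrolled machine now reports the new one. It assumes that `profiles -C -v`, run as root, prints lines of the form `_computerlevel[N] attribute: profileIdentifier: com.apple.mgmt.External.<uuid>`; the two topic UUIDs, the sample listing and the function names are placeholders constructed for the example.

```shell
#!/bin/bash
# Added example (not the author's EA or policy script). Extracts the APNS
# topic the installed MDM profile belongs to and compares it with the old and
# new certificate topics. Assumption: "profiles -C -v" prints lines such as
#   _computerlevel[1] attribute: profileIdentifier: com.apple.mgmt.External.<uuid>

# Placeholder topics; replace with the UUIDs of the old and new certificates.
OLD_APNS_TOPIC="com.apple.mgmt.External.11111111-2222-3333-4444-555555555555"
NEW_APNS_TOPIC="com.apple.mgmt.External.aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

# Reads "profiles -C -v" text on stdin and prints the MDM profile identifier
# (the value the Extension Attribute would report), or "None" if no
# com.apple.mgmt.External.* profile is installed.
apns_topic_from_profiles() {
    local topic
    topic=$(awk '/attribute: profileIdentifier: com\.apple\.mgmt\.External\./ { print $NF; exit }')
    if [ -z "$topic" ]; then
        echo "None"
    else
        echo "$topic"
    fi
}

# Mirrors the smart group criterion: succeeds when the installed MDM profile
# still belongs to the retired certificate.
needs_migration() {
    [ "$1" = "$OLD_APNS_TOPIC" ]
}

# Post-policy check: succeeds when the profile belongs to the new certificate.
enrolled_with_new_cert() {
    [ "$1" = "$NEW_APNS_TOPIC" ]
}

# Constructed sample of "profiles -C -v" output from a Mac still enrolled
# under the old certificate.
SAMPLE_OLD='_computerlevel[1] attribute: name: MDM Profile
_computerlevel[1] attribute: profileIdentifier: com.apple.mgmt.External.11111111-2222-3333-4444-555555555555
_computerlevel[1] attribute: profileUUID: 9A1B2C3D-0000-1111-2222-333344445555
_computerlevel[2] attribute: name: Wi-Fi
_computerlevel[2] attribute: profileIdentifier: com.example.wifi'

# On a Mac running as root, inspect the live system; elsewhere use the sample.
if [ "$(uname)" = "Darwin" ] && [ "$(id -u)" = "0" ]; then
    current=$(/usr/bin/profiles -C -v 2>/dev/null | apns_topic_from_profiles)
else
    current=$(printf '%s\n' "$SAMPLE_OLD" | apns_topic_from_profiles)
fi

# EA-style result line, then a human-readable verdict.
echo "<result>$current</result>"
if needs_migration "$current"; then
    echo "MDM profile belongs to the retired certificate; policy should re-enroll this Mac"
elif enrolled_with_new_cert "$current"; then
    echo "MDM profile belongs to the current certificate"
else
    echo "No MDM profile for either certificate found"
fi
```

Run on a sample listing the script prints `<result>com.apple.mgmt.External.11111111-...</result>` followed by the "retired certificate" verdict; pointing the smart group's "Like" value at the old topic matches exactly the machines for which `needs_migration` succeeds, and running the check again after the policy's inventory update should show the new topic instead.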

Here’s how the policy I set up looks in Casper 9.x:

  • Frequency: Ongoing
  • Trigger: Check-In
  • Actions:
    • Run script
    • Update Inventory


Paul Hons
August 1, 2019 at 9:01 pm

Having issues with the script (in Mojave): it runs, then says that the MDM profile must be manually approved:

Script result: verbose: Removing MDM Profile
Getting management framework from the JSS...
Enabling MDM...
To have full MDM Management functionality, the MDM Profile must be manually approved in System Preferences > Profiles.
verbose: Attempting to install the mdm profile at the computer level.
Error installing the computer level mdm profile: profiles install for file:'/Library/Application Support/JAMF/tmp/mdm.mobileconfig' and user:'root' returned -1 (The operation couldn't be completed. (MDMResponseStatus error -1.))
Problem installing MDM profile.
Problem detecting MDM profile after installation.
