Automating Jamf Infrastructure Manager setups on Red Hat Enterprise Linux

As part of a project, I needed to build an automated setup process for a Jamf Infrastructure Manager (JIM). Thanks to the help of some folks at Jamf, I have a process which runs non-interactively and which does the following on Red Hat Enterprise Linux 7.x:

1. Installs the JIM software
2. Enrolls the JIM with a Jamf Pro server

For more details, please see below the jump.

The key information I needed from Jamf was how to run an non-interactive enrollment of the JIM with a Jamf Pro server. This can be done with the following command:

/path/to/jamf-im enroll --hostname jim_hostname_goes_here --jss-url https://jamf.pro.server.here --password jamf_pro_account_password_goes_here --username jamf_pro_account_username_goes_here

This does require placing a password in the clear, so I recommend setting up an account on your Jamf Pro server which only has the required rights to enroll a JIM.

Once you’ve enrolled, you should be able to check /var/log/jamf-im.log and verify that enrollment has been successful. If it was successful, you should see log entries similar to what’s shown below:

	2018-06-22 22:27:18,005 WARN jsam-core [[iPOJO] pool-1-thread-1] [WARNING] com.jamfsoftware.jsam.core.jss.JssCheckinManager : No service interface found in the class hierarchy, use the implementation class
	2018-06-22 22:27:18,276 INFO c.j.j.c.u.PaxLoggingStartupListener [[iPOJO] pool-1-thread-1] Waiting for OSGI Log Service
	2018-06-22 22:27:19,286 INFO c.j.j.c.u.PaxLoggingStartupListener [[iPOJO] pool-1-thread-1] OSGI Log Service is initialized
	2018-06-22 22:27:19,291 INFO c.j.j.c.j.JssCommunicationServiceImpl [[iPOJO] pool-1-thread-1] Beginning enrollment process
	2018-06-22 22:27:19,373 INFO c.j.j.c.k.p.JsamPermissionEnforcer [[iPOJO] pool-1-thread-1] Enforcing permissions for /etc/jamf-im/jsam/.jsam_encrypted_keys.properties. Only process owner should be allowed to read and write this file.
	2018-06-22 22:27:19,698 INFO c.j.j.c.k.p.JsamPermissionEnforcer [[iPOJO] pool-1-thread-1] Enforcing permissions for /etc/jamf-im/jsam/keystore.jks. Only process owner should be allowed to read and write this file.
	2018-06-22 22:27:20,452 INFO c.j.j.c.j.JssCommunicationServiceImpl [[iPOJO] pool-1-thread-1] Enrollment successful
	2018-06-22 22:27:20,466 INFO c.j.j.c.s.i.JsamStartLevelServiceImpl [[iPOJO] pool-1-thread-1] Infrastructure Manager will start managed bundles.
	2018-06-22 22:27:20,472 INFO c.j.j.c.j.JssCheckinManager [pool-4-thread-1] Initiating checkin to JSS
	2018-06-22 22:27:20,571 INFO c.j.j.c.u.PaxLoggingStartupListener [LPS Bundle Startup] Waiting for OSGI Log Service
	2018-06-22 22:27:20,619 INFO c.j.j.c.j.JssCheckinManager [pool-4-thread-1] Checkin complete, next checkin in [30] seconds
	2018-06-22 22:27:21,573 INFO c.j.j.c.u.PaxLoggingStartupListener [LPS Bundle Startup] OSGI Log Service is initialized
	2018-06-22 22:27:21,573 INFO c.j.j.l.LpsBundleActivator [LPS Bundle Startup] Initiating server startup
	2018-06-22 22:27:21,574 INFO c.j.j.l.LpsSettingsRepository [LPS Bundle Startup] Settings file [/etc/jamf-im/ldap-proxy/lpsServerSettings.json] does not exist – running with default settings
	2018-06-22 22:27:21,576 INFO c.j.j.l.b.LpsControlServiceImpl [LPS Bundle Startup] ServiceTracker addingService. reference: [com.jamfsoftware.jsam.core.bundleservices.JsamKeyStoreService]
	2018-06-22 22:27:21,577 INFO c.j.j.l.LpsServer [LPS Bundle Startup] LDAP Proxy – version (1.3.1), build (SA-LNU53-RLI-3)
	2018-06-22 22:27:21,578 INFO c.j.j.l.LpsServer [LPS Bundle Startup] Server starting using settings: LpsServerConfiguration{, version=-1, connections=[], serverStartTimeoutSeconds=30, serverShutdownTimeoutSeconds=30, transferThreadStartTimeoutSeconds=30, transferThreadShutdownTimeoutSeconds=30}
	2018-06-22 22:27:21,581 INFO c.j.j.l.LpsServer [LPS Bundle Startup] Server successfully started
	2018-06-22 22:27:21,581 INFO c.j.j.l.LpsBundleActivator [LPS Bundle Startup] Successfully completed server startup
	2018-06-22 22:27:21,583 INFO c.j.j.c.j.JssCheckinManager [pool-4-thread-1] Initiating checkin to JSS
	2018-06-22 22:27:21,583 INFO c.j.j.l.LpsSettingsRepository [pool-4-thread-1] Settings file [/etc/jamf-im/ldap-proxy/lpsServerSettings.json] does not exist – running with default settings
	2018-06-22 22:27:21,645 INFO c.j.j.c.j.JssCheckinManager [pool-4-thread-1] Checkin complete, next checkin in [30] seconds

view raw

gistfile1.txt

hosted with ❤ by GitHub

You should also see the new JIM appear listed in your Jamf Pro server. To check this, use the following process:

1. Log into the Jamf Pro server using an admin account.
2. Go to Management: Server Infrastructure and select Infrastructure Managers.

3. You should see the new JIM listed there.

 

To help automate the process, I’ve written a script for CentOS 7.x / RedHat Enterprise Linux 7.x which does the following:

1. Checks to see if Java is installed and installs OpenJDK 8.x if it isn’t.
2. Checks for the JIM installer at a defined location
3. If the JIM installer is available, installs the JIM software.
4. Verifies that the JIM software has been installed.
5. Enrolls the JIM with a specified Jamf Pro server, using credentials provided in the script.

Pre-requisites

• A JIM installer .rpm file for CentOS / RedHat Enterprise Linux stored in the location defined in the script.
• Credentials for the specified Jamf Pro server

When successfully run, the output of the script should appear similar to that shown below:

The script is available below, and also available on GitHub at the following address:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/Casper_Scripts/jamf_infrastructure_manager_automated_setup

	#!/bin/bash
	# This script is designed to install a Jamf Infrastructure Manager (JIM)
	# on the following OSs:
	#
	# CentOS 7.x
	# Red Hat Enterprise Linux 7.x
	#
	# Following installation, the JIM is enrolled with a specified Jamf Pro
	# server, using credentials provided in the script.
	# Set Jamf Pro URL, username and password for the JIM enrollment process
	jamfProURL="https://jamf.pro.server.here:8443"
	jamfProUsername="jamf_pro_account_username_goes_here"
	jamfProPassword="jamf_pro_account_password_goes_here"
	# Set the Jamf Infrastructure Manager hostname for the JIM enrollment process
	# This should be the external hostname which the Jamf Pro server will be
	# connecting to the JIM through. For example, if you have a load balancer sitting
	# in front of the JIM, the load balancer is going to be the JIM's hostname.
	#
	# Note: The hostname of the machine must resolve both for the machine
	# hosting the JIM and for the remote Jamf Pro server, so there can’t be
	# mismatches like having the JIM server itself think its hostname is
	# blahblah.int.company.com and the remote Jamf Pro server think the JIM's
	# hostname is blehbleh.ext.company.com.
	#
	# If necessary, set an entry into the /etc/hosts file on your
	# JIM server similar to what's shown below so that your JIM server's
	# IP address maps to the hostname you're using for the JIM's hostname.
	#
	# ip.address.goes.here blehbleh.ext.company.com
	jimHostname="jim_hostname_goes_here"
	# If the JIM hostname, Jamf Pro URL, the account username or the account password aren't available
	# otherwise, you will be prompted to enter the requested hostname, URL or account credentials.
	if [[ -z "$jamfProURL" ]]; then
	read -p "Please enter your Jamf Pro server URL : " jamfProURL
	fi
	if [[ -z "$jimHostname" ]]; then
	read -p "Please enter the hostname of your Jamf Infrastructure Manager: " jimHostname
	fi
	if [[ -z "$jamfProUsername" ]]; then
	read -p "Please enter your Jamf Pro user account : " jamfProUsername
	fi
	if [[ -z "$jamfProPassword" ]]; then
	read -p "Please enter the password for the $jamfProUsername account: " -s jamfProPassword
	fi
	echo ""
	# Set directory to store the JIM software installer
	jamfinfrastructuremanager_installer_directory="/path/to/installer_directory"
	function checkJava() {
	# Check to see if Java is installed. If
	# Java isn't installed, install OpenJDK 8.x
	java -version &> /dev/null
	if [[ $? -eq 0 ]]; then
	echo "Java is installed."
	echo "$(java -version)"
	else
	echo "Java not installed. Installing OpenJDK 8.x."
	/usr/bin/yum -y install java-1.8.0-openjdk
	echo ""
	echo "Installed Java:"
	echo "$(java -version)"
	fi
	}
	# Check to see if Java is already installed and install OpenJDK 8.x
	# if Java is not installed.
	checkJava
	# Locate the Jamf Infrastructure Manager installer .rpm file.
	# To assist with this, make sure the JIM installer .rpm file
	# has "jamf-im" (no quotes) as part of the rpm's filename.
	if [[ -e "$(/usr/bin/find $jamfinfrastructuremanager_installer_directory -maxdepth 3 \( -iname \*jamf-im*\.rpm \))" ]]; then
	installer_path="$(/usr/bin/find $jamfinfrastructuremanager_installer_directory -maxdepth 3 \( -iname \*jamf-im*\.rpm \))"
	fi
	# Install Jamf Infrastructure Manager
	if [[ ! -z "$installer_path" ]]; then
	echo "Jamf Infrastructure Manager installer .rpm file located at $installer_path. Installing."
	rpm -i "$installer_path"
	if [[ $? -ne 0 ]]; then
	echo "Jamf Infrastructure Manager installation failed."
	exit 1
	else
	echo "Jamf Infrastructure Manager installation succeeded."
	fi
	fi
	# Verify that the /etc/jamf-im/ directory exists. If the directory exists,
	# the JIM software is installed and can be enrolled.
	if [[ -d "/etc/jamf-im" ]]; then
	echo "Jamf Infrastructure Manager installation verified. Enrolling with the following Jamf Pro server: $jamfProURL"
	# Enroll Jamf Infrastructure Manager into Jamf Pro
	jamf-im enroll –hostname ${jimHostname} –jss-url ${jamfProURL} –password ${jamfProPassword} –username ${jamfProUsername}
	if [[ $? -ne 0 ]]; then
	echo "Enrollment failed. Please recheck settings and retry enrollment."
	exit 1
	else
	echo "Enrollment succeeded."
	fi
	fi

view raw

jamf_infrastructure_manager_automated_setup.sh

hosted with ❤ by GitHub