jamf
diff --git a/‎ChangeLog.md‎
Lines changed: 146 additions & 0 deletions b/‎ChangeLog.md‎
Lines changed: 146 additions & 0 deletions
diff --git a/‎ConfigurationProfile.md‎
Lines changed: 122 additions & 11 deletions b/‎ConfigurationProfile.md‎
Lines changed: 122 additions & 11 deletions
@@ -1,5 +1,151 @@
 #  Setup Manager - Change Log
 
+## 1.3
+(2025-07-08)
+
+Notes added since 1.3beta are marked with '(release)'
+
+### New Features
+- Logging
+    - log output format has been cleaned up
+    - Install log and Jamf Pro log (when available) can now be viewed in the Log window (#78, #130)
+    - now also logs to macOS unified logging
+    - new top-level default key to control action output logging
+- Network Monitoring
+    - changes to network interfaces are now logged, see the Notes section for details (#15)
+    - network status can be shown in the top-right corner of the Setup Manager window
+- new flag file `/private/var/db/.JamfSetupStarted`, which is created when Setup Manager starts. You can use this to scope Mac App Store apps and Jamf App Installers, which prevents these apps from installing early in the enrollment, slowing down the Jamf Pro configuration
+- added [a specific webhook to send a message to Slack](Docs/WebHooks.md#Slack) (#104)
+- two new defaults keys `finishedScript` and `finishedTrigger` allow to run custom behavior when Setup Manager has finished
+- new option `none` for `finalAction` (#115)
+- (release) Polish localization (Thanks to @bsojka)
+
+### Fixes and Improvements
+- Jamf Pro: improved monitoring for Jamf Pro to complete its setup after enrollment
+- webhook log entries correctly show status
+- added `-skipAppUpdates` option to list of options for Jamf Pro policy actions, this should avoid some false "error 57" reports
+- Jamf Pro policy will trigger 'Recurring Check-in' policies on empty string value
+- (release) added name for macOS Tahoe 26
+- (release) minor localization and UI fixes
+- (release) disabled some undesirable keyboard shortcuts (#125)
+- (release) arguments in `installomator` actions are now processed correctly
+- (release) output to log is flushed immediately to avoid truncation on restart/shutdown (#129)
+- (release) MDM Server address shown in extended "About this Mac" (#127)
+
+### Deprecations and Removals
+- (1.3) the minimum macOS requirement for Setup Manager is now macOS 13.5
+- (1.2) `showBothButtons` option removed and non-functional, there will always be just one final action button displayed
+- the method for providing localized texts in the configuration profile changed in version 1.1. The previous method (by appending the two letter language code to the key) is considered deprecated. It will continue to work for the time being but will be removed in a future release. It is _strongly_ recommended to change to the [new dictionary-based solution](ConfigurationProfile.md#localization)
+
+### Notes
+
+#### Logging
+
+The format of the Setup Manager log file (in `/Library/Logs/Setup Manager.log`) has changed. The new format should be easier to read and parse with other tools. There are four columns:
+
+- timestamp (in ISO8601)
+- log level (default, error or fault)
+- category (general, install, network, jamfpro)
+- message
+
+Setup Manager 1.3 also logs to the macOS unified system log. The subsystem is `com.jamf.setupmanager`. You can use the `log` command line tool to read the log.
+
+For example:
+
+```
+sudo log show --last 30m --predicate 'subsystem="com.jamf.setupmanager"'
+```
+
+To clean up the log a little, Setup Manager 1.3 will only write the output of actions to the Setup Manager log file when an error occurred. You can control this behavior with a new top-level preference key `actionOutputLogging`.
+
+#### Installation and Jamf Pro logs and summaries
+
+The Log window (open with command-L) gained a new "Install" tab, which shows the system's installation log file (`/var/log/install.log`). When enrolling with Jamf Pro, there is another new "Jamf" tab, which shows the Jamf log (`/var/log/jamf.log`). By default, the Log window will be summarized to events relevant to the enrollment workflow. You can see the full log content by unchecking the 'Summarize' option.
+
+Note that both logs will show events that were not initiated by Setup Manager. Nevertheless, these events may be relevant to your enrollment workflow.
+
+These summarized events will also appear in the Setup Manager log tab and file, as well as the universal log entries. Having these events in context at the time they occur in the Setup Manager log is very helpful when trouble-shooting enrollment workflows.
+
+#### Network change logging
+
+Setup Manager 1.3 adds logging for changes to network interfaces. It is possible that there will multiple entries in the log with regards to the same network change. Most changes logged will be neutral and should not affect your deployment negatively.
+
+However, it is possible that changes to the network configuration of a device can influence the deployment workflow. For example, when a configuration profile with the access information for a secure corporate Wifi is installed on the device, then the download access to  required resources might change. Another example are security tools that might lead to restricted access for downloads (Installomator uses `curl` to download data, which might trigger security tools.) 
+
+Checking the log for network changes or outages during enrollment can be useful for troubleshooting.
+
+#### Network Status icon/menu
+
+Network status can also show with a new icon in the top-right corner of the Setup Manager window.  
+ 
+Note that Network Relay will only protect traffic to certain configured servers and services, not all traffic.
+
+By default, the network icon will _not_ be shown. You can activate it manually with the command-N keystroke.
+
+When you click on the Network status icon, a popup will show:
+ - the current active network interface
+ - IPv4 and IPv6 addresses
+ - download and upload bandwidth (will take a while to appear)
+ - Network Relay hosts (when network relay profile is present)
+ - list of additional custom hosts, configured in the profile
+
+Note that the connectivity check is quite basic and might not catch all functionality that is required for a service to work. It should provide an indication whether a service is reachable, but deeper trouble-shooting and monitoring might be required for reliable diagnostics.
+
+Seen["Network Connectivity"](https://github.com/jamf/Setup-Manager/Docs/Network.md) for more detail.
+
+#### Finished Script and Trigger
+
+Setup Manager now includes functionality to launch a script or Jamf Pro custom policy trigger in a separate process when the main Setup Manager process is finished. This is useful for installations that might unexpectedly restart the computer or the context that Setup Manager is running in (most commonly, Setup Manager is running at login window, which the Jamf Connect installer will kill).
+
+There are two keys relevant for this: `finishedScript` and `finishedTrigger`. 
+
+See ["Running Scripts and Policies when Setup Manager finishes"](https://github.com/jamf/Setup-Manager/Docs/Extras.md#running-scripts-and-policies-when-setup-manager-finishes) for detail.
+
+## v1.3beta
+(2025-05-27)
+
+### New Features
+- Logging
+    - log output format has been cleaned up
+    - Install log and Jamf Pro log (when available) can now be viewed in the Log window (#78)
+    - now also logs to macOS unified logging
+    - new top-level default key to control action output logging
+- Network Monitoring
+    - changes to network interfaces are now logged, see the Notes section for details (#15)
+    - network status can be shown in the top-right corner of the Setup Manager window
+- new flag file `/private/var/db/.JamfSetupStarted`, which is created when Setup Manager starts
+- added [a specific webhook to send a message to Slack](Docs/WebHooks.md#Slack) (#104)
+- two new defaults keys `finishedScript` and `finishedTrigger` allow to run custom behavior when Setup Manager has finished
+- new option `none` for `finalAction` (#115)
+
+### Fixes and Improvements
+- Jamf Pro: improved monitoring for Jamf Pro to complete its setup after enrollment
+- webhook log entries correctly show status
+- added `-skipAppUpdates` option to list of options for Jamf Pro policy actions
+- Jamf Pro policy will trigger 'Recurring Check-in' policies on empty string value
+
+### Deprecations and Removals
+- (1.3) the minimum macOS requirement for Setup Manager is now macOS 13.5
+- (1.2) `showBothButtons` option removed and non-functional, there will always be just one final action button displayed
+- the method for providing localized texts in the configuration profile changed in version 1.1. The previous method (by appending the two letter language code to the key) is considered deprecated. It will continue to work for the time being but will be removed in a future release. It is _strongly_ recommended to change to the [new dictionary-based solution](ConfigurationProfile.md#localization)
+
+## v1.2.2
+(2025-04-17)
+- signed a helper script that could lead to unexpected background item prompts
+- disabled command-W keystroke
+- fixed a stall in `waitForUserEntry` with Jamf School
+- fixed link to computer record in Teams message (#110)
+- minor documentation fixes
+
+## v1.2.1
+(2025-04-02)
+
+- updated included Installomator script to [v10.8](https://github.com/Installomator/Installomator/releases/tag/v10.8)
+- now tries for 15 seconds to reload local `background` image file (#105), this should help in situations where the image file is installed after Setup Manager
+- improved monitoring of Jamf Pro enrollment process and completion during the "Getting Ready" phase
+- minor documentation fixes (#106)
+
+
 ## v1.2.2
 (2025-04-17)
 - signed a helper script that could lead to unexpected background item prompts
 
@@ -5,6 +5,7 @@ The project some sample files to get you started:
 - [sample plist](Examples/sample-waitForUserEntry.plist) for Jamf Pro with [two phase workflow](Docs/JamfPro-TwoPhase.md)
 - [configuration profile](Examples/sample-jamfschool.mobileconfig) for Jamf School
 
+**Important:** all keys and values are **case-senstive**.
 
 ## Top-level keys
 
@@ -74,6 +75,20 @@ Example:
 
 `Please be patient.` will be bold. More detail on [Markdown here](#markdown).
 
+During the "Getting Ready" phase up to three lines of text will be shown. When the action icon progress list is shown, text will be truncated to a single line.
+
+Use actual line breaks in the XML for line breaks in this text. (`\n` escape sequence will _not_ work in XML)
+
+Example:
+
+```xml
+<key>message</key>
+<string>Please be patient…
+
+This line of text will be truncated when the action icon list is shown.</string>
+```
+
+
 #### `background`
 
 (String, optional, localized, dark mode)
@@ -84,11 +99,9 @@ When this key is set, Setup Manager treats it as an image/[icon source](#icon-so
 
 (String, optional, default: `enrollment`)
 
-**Beta:** We believe the run at login window feature may require more testing, especially in some edge cases. When, after thorough testing, you believe this works in your workflow, feel free to deploy it, and please let us know about your success or any issues you might encounter.
+This value determines when Setup Manager should launch. There are two values: `enrollment` (default) and `loginwindow`. When set to `enrollment` Setup Manager will launch immediately when its installation package is installed. This is the setting to use for automated device enrollment (without Auto Advance) and user-initiated enrollment.
 
-This value determines when Setup Manager should launch. There are two values: `enrollment` (default) and `loginwindow`. When set to `enrollment` Setup Manager will launch immediately when the pkg is installed. This is the setting to use for automated device enrollment (without Auto Advance) and user-initiated enrollment.
-
-When the `runAt` value is set to `loginwindow` Setup Manager will launch only when the login window is shown. This is useful for fully automated enrollments using Auto Advance.
+When the `runAt` value is set to `loginwindow` Setup Manager will launch only when the login window is shown. This is useful for fully automated enrollments using Auto Advance and some workflows involving Jamf Connect or similar tools.
 
 A setting of `loginwindow` will only work with enrollment setups that eventually end on the login window (i.e. a user has to be created automatically, the device is bound to a directory, etc).
 
@@ -170,13 +183,16 @@ Disable the countdown:
 
 This key sets the action and label for the button shown when Setup Manger has completed. 
 
-There are three options:
+There are four options:
 - `continue`: (default) merely quits Setup Manager and allows the user to continue (probably Setup Assistant or login window)
 - `restart`: restarts the Mac
 - `shutdown`: (no space!) shuts down the Mac
+- `none`: no button shown. (see note below)
 
 **Warning:** `restart` and `shutdown` options will force their action immediately. If a user is logged in (after user-initiated enrollment), they may lose data from open, unsaved documents.
 
+**Note on `none`:** the `none` option exists for workflows where the restart or continue is controlled by a process other than Setup Manager. For example, when installing additional software with a `finishedScript` or `finishedTrigger` which forces a restart. Having a `continue` or `restart` button would be confusing and might interrupt the installation in the finished process. However, having no button to end Setup Manager at all, might leave the user 'stuck' there, so be sure to always restart or kill Setup Manager. You can always use the keyboard shortcut `shift-control-command-E` to quit Setup Manager.
+
 This is also the action that is performed when the `finalCountdown` timer runs out.
 
 When the `DEBUG` preference is set, `shutdown` or `restart` will merely quit/continue.
@@ -188,11 +204,48 @@ Example:
 <string>shutdown</string>
 ```
 
+#### `finishedScript`
+
+(String, optional)
+
+A full path to a script file which will be executed _after_ Setup Manager has finished its workflow. This process runs independently of Setup Manager, so it can run installers or scripts that affect Setup Manager.
+
+The script has to fulfill these criteria to be executed:
+
+- owner: `root`, group: `wheel`
+- executable bit set
+- not writable for group or other (file mode `755` or `555`)
+- no quarantine flag attached
+
+The output of the finished script and trigger will be logged to `/private/var/log/setupManagerFinished.log`.
+
+Example:
+
+```xml
+<key>finishedScript</key>
+<string>/Library/Management/finishedScript.sh</string>
+```
+
+#### `finishedTrigger`
+
+(String, optional, Jamf Pro only)
+
+A custom policy trigger which will be executed _after_ Setup Manager has finished its workflow. This process runs independently of Setup Manager, so it can run installers or scripts that affect Setup Manager.
+
+The output of the finished script and trigger will be logged to `/private/var/log/setupManagerFinished.log`.
+
+Example:
+
+```xml
+<key>finishedTrigger</key>
+<string>setup_manager_finished</string>
+```
+
 #### `totalDownloadBytes`
 
-(Integer, opitonal, default: 1000000000 or 1GB, v0.8)
+(Integer, optional, default: 1000000000 or 1GB, v0.8)
 
-Use this value to provide an estimate for the total size of all items that will be downloaded. Setup Manager will display and estimated download time for this sum in the "About this Mac..." popup window.
+Use this value to provide an estimate for the total size of all items that will be downloaded. Setup Manager will display an estimated download time for this sum in the "About this Mac..." popup window.
 
 Example:
 
@@ -291,6 +344,26 @@ Example:
 
 When debug mode is enabled, you can set the `simulateMDM` preference key to `Jamf Pro` or `Jamf School`. This allows you to do test runs on un-enrolled Macs.
 
+#### `actionOutputLogging`
+
+(string, optional, default: `error`)
+
+This key controls whether the output of actions is written to the Setup Manager log file.
+
+There are three options:
+- `always`: output and exit code are always written to the log file
+- `error`: (default) output and exit code are only written on errors
+- `never`: output and exit are never written to the log file
+
+Setup Manager's log window will always show the output, regardless of this setting.
+
+Example:
+
+```xml
+<key>actionOutputLogging</key>
+<string>always</string>
+```
+
 ## Actions
 
 All actions should have these keys:
@@ -358,7 +431,7 @@ Example:
 This will run the Jamf Pro policy or polices with the given trigger name. This is the equivalent of running 
 
 ```
-jamf policy -event <triggername> -verbose -forceNoRecon -doNotRestart -noInteraction
+jamf policy -event <triggername> -verbose -forceNoRecon -doNotRestart -noInteraction -skipAppUpdates
 ```
 
 Note: Jamf Pro policies can do a lot of different things and fail in many different ways. Setup Manager does _not_ check for all possible failure modes. It only checks for failed installer pkgs and policy scripts that return non-zero exit codes, which should cover most uses of policies for initial deployment.
@@ -376,6 +449,20 @@ Example:
 </dict>
 ```
 
+Note: You can trigger policies attached to "Recurring Check-in" by leaving the string value empty:
+
+
+```xml
+<dict>
+  <key>icon</key>
+  <string>symbol:arrow.trianglehead.2.clockwise.rotate.90</string>
+  <key>label</key>
+  <string>Check-in</string>
+  <key>policy</key>
+  <string/>
+</dict>
+```
+
 ### Watch Path
 
 #### `watchPath`
@@ -476,9 +563,9 @@ Example:
 
 ### Installomator
 
-This will run [Installomator](https://github.com/Installomator/Installomator) to install a given label.
+Setup Manager includes the [Installomator](https://github.com/Installomator/Installomator) script to simplify installations. This action will run [Installomator](https://github.com/Installomator/Installomator) to install a given label.
 
-Note: by default, Setup manager will add `NOTIFY=silent` to the arguments to suppress notifications. You can override this in the `arguments`.
+Note: by default, Setup manager will add `NOTIFY=silent` to the arguments to suppress notifications. You can override these variables and add more with the `arguments` key.
 
 #### `installomator`
 
@@ -505,6 +592,21 @@ Example:
 </dict>
 ```
 
+with arguments: 
+
+```xml
+<dict>
+  <key>label</key>
+  <string>Example App</string>
+  <key>installomator</key>
+  <string>example</string>
+  <key>arguments</key>
+  <array>
+    <string>downloadURL=https://example.com/alternativeURL</string>
+  </array>
+</dict>
+```
+
 
 ## Icon Sources
 
@@ -824,6 +926,10 @@ Example:
 
 Setup Manager can send web hooks to servers and services to trigger workflows there. You can read [details on how to configure and use WebHooks here](Docs/Webhooks.md).
 
+## Network Connectivity
+
+Setup Manager can check and display the network status and connectivity to a list of hosts. You can read [the details on how to configure this here](Docs/Network.md).
+
 ## Localization
 
 The app will pick up the user choice of the UI language for the interface elements. (Table of currently available languages below.) The app will fall back to English for other language choices.
@@ -886,6 +992,10 @@ The following keys can be localized:
 - `message`
 - `url`
 
+### Network Check
+
+- `label`
+
 Use these two-letter codes for these languages:
 
 | Language           | two-letter code |
@@ -894,9 +1004,10 @@ Use these two-letter codes for these languages:
 | Dutch (Nederlands) | nl              |
 | French             | fr              |
 | German             | de              |
-| Italian            | it              |
 | Hebrew             | he              |
+| Italian            | it              |
 | Norwegian          | nb              |
+| Polish             | pl              |
 | Spanish            | es              |
 | Swedish            | sv              |