Jamf Connect Login Deployment

[scriptingosx]

Jamf Connect Login Deployment with Setup Manager

Deploying and configuring Jamf Connect Login with Setup Manager poses some challenges. There are several solutions, but they all require a bit more involved setup.

The Challenges

Since Jamf Connect Login's purpose is to configure the first user login and account creation, it needs to be setup, configured and loaded early in the deployment process. It also has to insert itself in the system authorization database and login window process. This may interfere with Setup Manager's workflow.

When Setup Manager launches right after automated enrollment (the runAt key is not present or set to enrollment), it will run in or above the user interface context created for the Setup Assistant app. As long as Setup Assistant remains running (behind Setup Manager), Setup Manager can perform its workflow and present its progress.

The Prestage enrollment options allow admins to skip most or all of the standard Setup Assistant panes. No matter how many panes an admin chooses to skip, Setup Assistant will show the macOS user creation dialog. This works fine for Setup Manager.

However, when you configure Jamf Connect Login for more advanced user account creation workflows, Setup Assistant may not display any panes and the system will is not supposed to show the standard macOS user account creation workflow. In fact, Setup Assistant might launch and quit very quickly, taking its and Setup Manager's user interface context right with it.

Traditionally, we have recommended to leave at least one Setup Assistant pane that appears before user creation enabled in the Prestage, so that Setup Assistant persists while Setup Manager does its workflow. We have commonly recommended the "Location Services" pane, but the "Terms & Conditions" pane was also suitable. (other panes appear after user creation)

However, future versions of macOS might change or re-arrange the order of Setup Assistant panes, rendering this strategy broken or at least fragile.

To successfully and reliably configure Jamf Connect Login with Setup Manager, different workflows are required.

Login Window Workflows

Rather than relying on certain Setup Assistant panes to appear at the right time to run Setup Manager, the solution is to run Setup Manager over login window, then configure Jamf Connect Login and then reboot the Mac to launch into the Jamf Connect Login interface. This is a bit more involved, but more reliable.

You can tell Setup Manager to run over login by setting the runAt key in the Setup Manager profile to loginwindow.

There is another major challenge here, though: Jamf Connect Login needs to insert itself into the authorization database so that it can launch and present its interface in place of the macOS login window. To finish this configuration it needs to quit the loginwindow process to reload the new configuration. When Setup Manager is running over loginwindow, restarting loginwindow will also abort the Setup Manager process. Setup Manager cannot finish cleanly and will restart the next time login window appears, reinstall Jamf Connect which will restart loginwindow, and so on...

Solution 0: Don't Skip T&Cs

As a quick fix for the changes to the Setup Assistant workflow in macOS 15.4 (the Location Services/Timezone pane has moved to after user creation) you can enable/unskip the T&Cs pane in Setup Assistant, which (for now, still appears before user creation.

See addendum for a different macOS bug you might run into here.

Solution 1: Defer Jamf Connect Login Configuration (Jamf Pro)

Update: upon further testing and review, this solution is not feasible, we are working on other solutions, but for now, use solution 2.

Solution 2: Run at Login Window with SetupManagerFinished Trigger (Jamf School and Jamf Pro)

The first solution works well with Jamf Pro, but not so well with Jamf School as updating the smart groups for Jamf School can take a long time. We need a more immediate solution here.

You need to ensure that Jamf Connect is not installed through other means, such as Jamf App Installers or the Jamf Connect section in the Settings. We cannot control when these installations occur, and they will disrupt Setup Manager when they happen too early in the process.

Follow the instructions in this post to create to a installer package with a LaunchDaemon that triggers a script when the Setup Manager flag file is created. Modify the script to trigger Installomator or a Jamf Pro policy to install JamfConnect.

To install Jamf Connect with Installomator, you can use the Installomator script in the Setup Manager bundle:

/Applications/Utilities/Setup Manager.app/Contents/Resources/Installomator.sh jamfconnect NOTIFY=silent

Then set Setup Manager to runAt loginwindow and configure the Prestage to skip user account creation.

The workflow is like this:

• Automated Device Enrollment (Prestage) installs Setup Manager, its profile and the Jamf Connect Login profile
• System reaches login window, which triggers Setup Manager to launch
• Setup Manager runs its workflow, install the SetupManagerFinished LaunchDaemon
• When Setup Manager finishes, it creates the flag file which triggers the SetupManagerFinshed script, which installs Jamf Connect
• Jamf Connect "sees" its configuration profile and restarts loginwindow to insert itself into the login window process. This might also quit Setup Manager, should it still be running, but it doesn't matter since it has completed its workflow.
• User can log in with Jamf Connect Login

This workflow is a bit more elaborate, but it also allows to run other, commands, scripts or policies immediately when Setup Manager is finished, without affecting the Setup Manager workflow. You could use a tool such as swiftDialog to prompt for more input (like a Jamf Pro Site), or use information from the Setup Manager user entry file for more configuration.

If you want a SetupManagerFinished trigger and/or script to be part of Setup Manager without requiring an extra installation, please create an issue/feature request in the repo.

This workflow also provides the option of using it together with AutoAdvance, which allows for a completely hands-free enrollment workflow when the device is connected to ethernet before enrollment.

Options

These workflows work with user- and tech-driven enrollment workflows. You can optionally choose to prompt for a user ID in the Setup Manager user entry to (re-)assign a device to a user.

[markkenny]

Just a typo, shouldn't the Installomator path be...

/Applications/Utilities/Setup Manager.app/Contents/Resources/Installomator.sh jamfconnect NOTIFY=silent

Just got it running, using JC 2.45.0 and SetupManager 1.2 beta 3. Downloads profiles, SetupManager launches and then drops to Apple login. Apps install in backgroound, last app being Jamf Connect, then the login screen changes to Jamf Connect.

I'm not getting why SetupManager is being replaced by Jamf Login if I've haven't install Jamf Connect yet? Still checking the rest of my provisioning setup.

Thanks fella!

[scriptingosx]

thank you, fixed in post

[scriptingosx]

Addendum:

When showing the T&C pane, there is a chance of running into another issue in macOS 15.4. When you choose restart or shut down as the finalAction in Setup Manager, the T&Cs will never be accepted. This upsets macOS and leads to a boot loop.

Three possible solutions:

1. Use continue as the final action, let the tech or user accept T&Cs
2. Switch to login window workflow
3. Add an action to Setup Manager that removes /private/var/db/.AppleSetupTermsOfService

The shell action looks like this:

<dict>
	<key>arguments</key>
	<array>
		<string>-f</string>
		<string>/private/var/db/.AppleSetupTermsOfService</string>
	</array>
	<key>icon</key>
	<string>symbol:signature</string>
	<key>label</key>
	<dict>
		<key>de</key>
		<string>Nutzungsbedingungen</string>
		<key>en</key>
		<string>Terms &amp; Conditions</string>
		<key>es</key>
		<string>Términos y condiciones</string>
		<key>fr</key>
		<string>Conditions générales</string>
		<key>it</key>
		<string>Termini e condizioni</string>
		<key>nl</key>
		<string>Algemene voorwaarden</string>
	</dict>
	<key>requiresRoot</key>
	<true/>
	<key>shell</key>
	<string>/bin/rm</string>
</dict>