Using JSM with UIE in Jamf Pro - Getting JSM to launch.

[rseide]

Hi, I work for the Federal Government at an agency with an on-prem Jamf Pro server. We have to use UIE for right now and I have been able to set up the JSM workflow using the required configuration profile and JSM app and they work fine once the JSM app installs and opens after the config profile installs.

The problem I have is once the Mac is enrolled and has the JSM config profile installed, the policy to install the JSM app does not run. The trigger I have set to install the JSM app is set to either during check-in or enrollment complete. I have tried 2 different smart groups: "Enrolled via User Initiated Enrollment Less Than One Day Ago" and "Enrolled via UIE Less Than One Day Ago and Has Jamf Setup Manager CP" - this second one I created because there was one test where the JSM app got installed and opened before the JSM config profile got installed first, so my thinking was to make sure the CP was installed before the app did. I hope all of this make sense.

TL;DR - For Jamf Pro UIE, how can I trigger the policy to install the Jamf Setup Manger app on newly enrolled Macs via UIE after the JSM config profile is installed? What I've tried doesn't seem to really work.

If anyone can share their workflows with JSM and UIE that's been working, please do! I would greatly appreciate it.

Thanks and if any of this is unclear, please let me know.

[scriptingosx]

The data in the computer record for Jamf Pro, is added and entered when the client runs a recon/Update Inventory. (With the introduction of DDM, there are some fields that are updated using the DDM channel, which happens on a different schedule, but the fields you mentioned aren’t among them, so we can ignore that for now.) The Jamf Pro enrollment process does _not_ automatically run a recon/Update Inventory on enrollment. So the data to fill the smart groups you mentioned doesn’t exist yet, and the freshly enrolled device will not be a member of smart group, even though it should. You will have to wait for at least two check-in cycles. During the first, the default “once a day/week” recon will run and populate the data, which recalculates the smart groups correctly. A policy scoped to a smart group won’t trigger until the _next_ check-in though. At this time Setup Manager would be installed correctly. But since this will take 10-20minutes on the highest configurable check-in frequency, I don’t blame you for not hanging around for that. (Note that Setup Manager runs a recon/Update Inventory before and after it runs through the actions, to ensure the data in Jamf Pro and smart groups are up to date.) To get Setup Manager to install reliably at enrollment, you should scope it as simply as possible. Scope it to “All Computers.” And trigger at ‘enrollmentComplete’ since that is the first trigger run after UIE. When using this workflow, you will need to prevent Setup Manager from launching on Macs that are already enrolled. First, the `enrollmentComplete` trigger should not be fired on these, at least not during normal day-to-day business. There are some edge cases, when forcing an enrollment profile refresh with with the `profiles` command that _may_ re-trigger `enrollmentComplete`. You can avoid Setup Manager re-launching on these Macs by _excluding_ a smart group of already enrolled devices in the policy installing Setup Manager. (You could also create the Setup Manager flag file on the already enrolled clients. The presence of this file will prevent Setup Manager from launching.) Regarding the timing of Setup Manager installation and its profile: during UIE, profiles should come down before the enrollmentComplete trigger is called, unless you have either a really large number of profiles, or you have similar scoping applied to the configuration profile that defers its installation. If you have a large number of profiles that get installed immediately, you may want to defer all but the most essential until after Setup Manager is done. You can use a smart group checking for the presence of the flag file.

[rseide]

Hi, thanks so much! I did what you suggested: I scoped the policy to install JSM like you recommended but I created a Smart Group to grab all of the Macs that were enrolled more than 1 day ago (which are all of them) and excluded that Smart Group in the policy. I tested it this morning and JSM installed and kicked off within a few minutes. Thanks again!