This project automates the redeployment of the Jamf management framework to macOS devices using Jamf Pro’s APIs. It proactively remediates stale or broken clients without manual intervention, using GitHub Actions and optionally a FastAPI webhook adapter for real-time response.
"In some situations, a managed computer can enter a state where MDM commands process normally, but functionality that relies on the Jamf management framework is consistently failing. In this state, policies fail to execute and the Jamf Pro logs report "Device Signature" errors for the computer.
To restore management with the Jamf Pro server, the Jamf management framework should be reinstalled on the affected computer. As long as the MDM profile on the computer is still valid, you can use Jamf Pro to redeploy the Jamf management framework using the v1/jamf-management-framework/redeploy endpoint in the Jamf Pro API."
Learn how to deploy this project step-by-step, including the Jamf configuration, GitHub Actions setup, and optional real-time webhooks using FastAPI.
- What It Does
- Architecture
- Jamf Configuration
- Repository Setup
- Usage
- Advanced Setup
- Slack Notifications
- Notes
- Credit
- Identifies devices with a broken Jamf binary
- Triggers a `POST /v1/jamf-management-framework/redeploy/{id}` API call
- Uses MDM to silently reinstall the Jamf Framework via `QuickAdd.pkg`
- Confirms execution via returned `deviceId` and `commandUuid`
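The flow in the list above, as an added standard-library sketch; it is not the project's own code, which is built on the Jamf Pro SDK for Python. The `/api/oauth/token` and `/JSSResource/computergroups/id/{id}` paths, the `send` hook and the `max_devices` cap are assumptions of this example, and the environment variable names are the repository secrets this README defines.

```python
import json
import os
import urllib.parse
import urllib.request

def http_send(method, url, headers, body=None):
    """Default transport: one HTTPS request, parsed JSON response."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read() or b"{}")

def redeploy_group(base_url, client_id, client_secret, group_id,
                   send=http_send, max_devices=25):
    # max_devices is a hypothetical safety cap: a mis-scoped Group B should
    # stop the run instead of reinstalling the framework fleet-wide.
    # JAMF_BASE_URL is stored as a bare hostname; always talk HTTPS.
    base = "https://" + base_url.removeprefix("https://").rstrip("/")
    form = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id,
                                   "client_secret": client_secret}).encode()
    token = send("POST", f"{base}/api/oauth/token",
                 {"Content-Type": "application/x-www-form-urlencoded"}, form)["access_token"]
    auth = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    group = send("GET", f"{base}/JSSResource/computergroups/id/{int(group_id)}", auth)
    ids = [str(c["id"]) for c in group["computer_group"]["computers"]]
    if len(ids) > max_devices:
        raise RuntimeError(f"group has {len(ids)} members, cap is {max_devices}")
    confirmed, failed = [], []
    for cid in ids:
        try:
            reply = send("POST", f"{base}/api/v1/jamf-management-framework/redeploy/{cid}", auth)
        except OSError as exc:  # urllib raises OSError subclasses on HTTP/network errors
            failed.append({"deviceId": cid, "error": str(exc)})
            continue
        # Count a command as queued only if both confirmation fields came back.
        if str(reply.get("deviceId")) == cid and reply.get("commandUuid"):
            confirmed.append({"deviceId": cid, "commandUuid": reply["commandUuid"]})
        else:
            failed.append({"deviceId": cid, "error": "missing deviceId/commandUuid"})
    return confirmed, failed

if __name__ == "__main__":
    env = os.environ
    ok, bad = redeploy_group(env["JAMF_BASE_URL"], env["JAMF_CLIENT_ID"],
                             env["JAMF_CLIENT_SECRET"], env["GROUP_ID"])
    print(json.dumps({"confirmed": ok, "failed": bad}, indent=2))
    raise SystemExit(1 if bad else 0)
```

A non-zero exit when any device lacks a `commandUuid` makes the workflow run fail visibly instead of reporting a partial redeploy as success.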
- Create a configuration profile with no payloads (acts as a marker)
- Assign it to Smart Group A
`com.jp-cpe.null`

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>null</key>
    <true/>
</dict>
</plist>
```

- Group A: `Not Checked In (14+ Days)`
- Group B: `Not Checked In (14+ Days) + Null Profile Installed`
Group A is used to scope the configuration profile. Group B is the target for the redeploy command.
- Create an API Role & API Client with these privileges:
  - `Send Computer Remote Command to Install Package`
  - `Read Computer Check-In`
  - `Read Smart Computer Groups`
- Clone or Template this Repository
- Add Secrets to GitHub (`Settings > Secrets and Variables > Actions`):
  - `GROUP_ID` (the ID of Group B)
  - `JAMF_BASE_URL` (the URL of your Jamf server: company.jamfcloud.com)
  - `JAMF_CLIENT_ID` (the client ID of your API client)
  - `JAMF_CLIENT_SECRET` (the client secret of your API client)
- Remove the comment from the `schedule:` section of the scheduled-redeploy-jamf-framework workflow YAML
Go to Actions → Scheduled Jamf Framework Redeploy → Run workflow
Runs every Monday at 2:00 AM UTC by default:
```yaml
schedule:
  - cron: '0 2 * * 1' # Sunday 7 PM PT
```

To disable, remove the `schedule:` section from the workflow YAML.
```json
[
  { "deviceId": "000", "commandUuid": "9ee7f9a8-bf4f-4d0c-aa7e-38c983681c8a" },
  { "deviceId": "123", "commandUuid": "5e489e68-3704-40b9-b781-bdb04225f9eb" }
]
```

Want real-time redeploys? Follow these steps to set up a webhook-driven FastAPI service on Fly.io.
Includes:
- Generating a webhook secret
- Creating a GitHub PAT
- Deploying FastAPI to Fly.io
- Configuring a Jamf webhook for Smart Group membership change
- Create a new app at https://api.slack.com/apps/
- Enable Incoming Webhooks
- Add a webhook to your desired channel
- Copy the webhook URL
- Add it to GitHub Secrets as `SLACK_WEBHOOK`
- Framework redeploys silently via MDM “Install Enterprise Application” command
- Device enters `Enrollment Complete` state and triggers re-enrollment workflows
- Expect delayed or backlogged policy execution on heavily stale devices
- Built using Jamf Pro SDK for Python
- Inspired by Mann Consulting’s JNUC 2024 "Flawless MDM Communication"

