One of the new features of Jamf Pro 11.1.x and later is macOS Onboarding, which is a Self Service-based feature which provides a way to run a setup policy or policies. Rob Potvin has a good write-up on it here, which I recommend checking out:

https://www.motionbug.com/jamf-pro-and-macos-onboarding/

One of the things to be aware of with the new macOS Onboarding feature is that once the feature has been enabled, macOS Onboarding will run its associated policies on all Macs which don’t have the following user-level preference set:

• Domain: com.jamfsoftware.selfservice.mac
• Key: com.jamfsoftware.selfservice.onboardingcomplete
• Value: Boolean (TRUE or FALSE)

Value set to FALSE (allowing macOS Onboarding to run):

Value set to TRUE (blocking macOS Onboarding from running):

Fortunately, it’s possible to add this setting with a value of TRUE to a macOS configuration profile and deploy the profile to all Macs that you don’t want to run macOS Onboarding on.

For those who would need this, I have an example macOS configuration profile with com.jamfsoftware.selfservice.onboardingcomplete set to TRUE available via the link below:

https://github.com/rtrouton/profiles/tree/main/JamfProSelfServiceOnboardingCompleted

As part of working on a task recently, I ran into an issue with Microsoft’s Enterprise SSO plug-in on macOS. This plug-in enables single sign-on for Entra ID accounts for applications which support it. In this case, the issue was the following:

Desired behavior:

1. Open application.
2. Click the login button.
3. Be prompted for the Entra ID user account to sign in with.
4. Log in with that user account.

Actual behavior:

1. Open application.
2. Click the login button.
3. Be automatically logged in as the Entra ID user registered for single sign-on.

Unfortunately for my use case, I really needed to have the application in question prompt the user for which account they needed to log in with because a user account other than the one registered for single sign-on needed to be able to sign in to the application in question.

After some discussion in the #jamf-intune-integration channel in the Mac Admins Slack, I was pointed towards a way to sign out the account which was enabled for single sign-on using Microsoft’s Company Portal application. With no account enabled for single sign-on, the application would now prompt for a user account to sign in with. For more details, please see below the jump.

To sign out the Entra ID account enabled for single sign-on using the Company Portal application, please use the procedure described below:

1. Open the Company Portal application.

2. Sign into the Company Portal application as the user of the computer.

3. Under the Company Portal menu in the menubar, select Settings…

4. In the Settings window, in the Single sign-on (SSO) section, click the Remove account from this device button.

Note: I’ve noticed that clicking the Remove account from this device button doesn’t make a noticeable change in the Settings window; the account still appears as enabled. However, clicking the button should do what’s needed and applications should now prompt for a user account.

As part of Jamf Pro 11.2.0 and later, Jamf has made a permissions change which affects enrollment. It is is mentioned in the 11.2.0 release notes in the Other Changes and Improvements section:

The Jamf Pro Server Action privilege, “Enroll Computers and Mobile Devices”, was split into two separate privileges.

What this means is that in Jamf Pro versions before 11.2.0, you had one permission:

• Enroll Computers and Mobile Devices

As of Jamf Pro 11.2.0, there are now two permissions:

• Enroll Computers
• Enroll Mobile Devices

The important thing to know is that as part of upgrading to Jamf Pro 11.2.0, the Enroll Computers and Mobile Devices permission is removed, but the following permissions are not selected automatically:

• Enroll Computers
• Enroll Mobile Devices

To address this issue, if needed go into the Jamf Pro admin console following the upgrade to Jamf Pro 11.2.0 and select the new separate Enroll Computers and Enroll Mobile Devices permissions.

Fraser Hess recently posted about automating the creation of Cisco Secure Client installers. Similar to my earlier post on using AutoPkg to build a Cisco AnyConnect installer, it’s possible to replicate this packaging workflow, including generating an installer choices XML file, using AutoPkg. For more details, please see below the jump.

In this example, there are going to be multiple AutoPkg recipes and support files referenced:

• CiscoSecureClient.download.recipe – Download recipe for the vendor-supplied Cisco Secure Client disk image with the vendor-supplied installer package stored inside.
• CiscoSecureClient.pkg.recipe – Package recipe for Cisco Secure Client, which generates an installer choices XML file and wraps both the installer choices XML file and the vendor-supplied installer package inside a separate installer package generated by AutoPkg
• Example.xml – Sample VPN profile for Cisco Secure Client’s VPN module
• CiscoSecureClient package recipe override – This is the AutoPkg recipe override where you’re defining how the installer choices file is configured and other information being supplied to the Cisco Secure Client installer by the AutoPkg package creation process.

Important information:

A. The recipes as written assume the following:

• You’re using the Cisco Secure Client Umbrella module.
• You’re adding the necessary configuration information for the Cisco Secure Client Umbrella module to the AutoPkg recipe override.
• You may be using the Cisco Secure Client VPN module.

B. You absolutely must create an AutoPkg override to work with these recipes. The download location, configuration for the installer choices XML file and other settings are not included in the AutoPkg recipes themselves and must be defined in the override.

C. The Cisco Secure Client disk image does not have a set address for download, so you will need to do one of the following:

• Download the disk image from Cisco and host it yourself somewhere.
• Change the download URL in the AutoPkg recipe override to match wherever you can currently download the Cisco Secure Client disk image from.

D. To configure the installer choices XML file, you must designate what modules you want to include using ones and zeros in the AutoPkg override. By default, the .pkg recipe is configured to install all modules:

To change this, change one to zero for the modules you don’t want to install. For example, the configuration below will configure the Secure Client installer to only install the Secure Client Umbrella module:

E. If you do not want to have the VPN module installed or enabled, you will need to set the CHOICE_VPN and DISABLE_VPN settings in the recipe override. Please see below for an example:

In this example, the CHOICE_VPN setting is set to zero and the DISABLE_VPN setting is set to true.

F. These recipes allow you to hide the Cisco-provided Secure Client installers, so that your users will not be able to see them in the Finder. Like the installer choices selection, this can be set using ones and zeros in the AutoPkg override.

To hide, set the HIDE_UNINSTALLERS setting to one:

To not hide the uninstallers, set the HIDE_UNINSTALLERS setting to zero:

G. It’s possible to disable the customer feedback functionality through the installer. To set this to be disabled, set the DISABLE_CUSTOMER_EXPERIENCE_FEEDBACK setting to true.

To leave the customer feedback functionality enabled, set the DISABLE_CUSTOMER_EXPERIENCE_FEEDBACK setting to false.

Please see below for the example .download and .pkg recipes, example VPN XML file and example .pkg recipe override:

Download recipe:

Package recipe:

Example VPN XML file:

Example .pkg recipe override: