macOS onboarding Jamf Pro 11.1
With the release of Jamf Pro 11.1 there is a cool new feature called macOS Onboarding, but wanting to limit to newly enrolled computers requires a bit of a workaround.
With the release of Jamf Pro 11.1 there is a cool new feature called macOS Onboarding
This is a great evolution of Self Service. This application is designed for users to easily access what they need โ it's something I actively encourage them to utilise. A perfect way to introduce a new user to their Mac is by starting with Self Service. Once they are onboarded, Self Service stays open allowing them to install other optional apps conveniently.
The problem is...
When you begin reading the documentation on the setup and enabling of macOS Onboarding, the is a not so helpful yellow box that says:
You can exclude computers from the workflow before enabling macOS Onboarding in Jamf Pro.
The documentation for the feature has been updated on 5th of December, the page titled macOS Onboarding [link] has a new section on Excluding Computers from macOS Onboarding, including a script and some scoping.
It is a solution, but before we have a look, we should learn on how macOS Onboarding is working.
How it works
With macOS Onboarding, this feature has a new key:
com.jamfsoftware.selfservice.onboardingcomplete
Location
~/Library/Preferences/com.jamfsoftware.selfservice.mac.plist and is a TRUE or FALSE (boolean) value.
If set this value to TRUE then the macOS Onboarding is set to complete and will not start.
<key>com.jamfsoftware.selfservice.onboardingcomplete</key>
<true/>You can test this out on a mac now, if macOS onboarding is complete run the following command:
defaults write ~/Library/Preferences/com.jamfsoftware.selfservice.mac.plist com.jamfsoftware.selfservice.onboardingcomplete -bool false
This will have Self Service run macOS Onboarding again. Before you begin you will have to flush policy history if you want a device to run through all the polices again.
sudo jamf flushPolicyHistory
Open Self Service, the macOS Onboarding process will start again.
I can see a problem
Does that mean if a new account is created or someone new logs in, macOS Onboarding will run again?
Now that we understand the process, revisiting the documentation, specifically the 'Excluding Computers from macOS Onboarding' section, reveals instructions for creating the appropriate smart groups and deploying the provided script. This is a solution, but I want to share another solution without scripting.
Stop macOS Onboarding running on currently enrolled macs
To stop macOS Onboarding from running on currently enrolled macs, we can create a simple configuration profile.
We can then scope this profile to all computers and exclude any new enrolments.
Self Service will read the whole property list in all domains.
I scoped this profile to all computers but excluded the smart group called New Enrolments
For New Enrolments smart group, I used the following criteria:
- Last Enrolment after (yyyy-mmโdd) and the date when new devices will start the macOS Onboarding.
So, a simple solution that can solve macOS Onboarding from deploying on all enrolled devices.
You can do some more advanced scoping to take this to the next level, for example, add to a policy within the macOS Onboarding process a command that tags the device complete and then move that device to the smart group that scopes the Smart Group with the right extension attribute.
Add this command to the last policy within your onboarding workflow:
touch /Library/Application Support/JAMF/.onboardingcomplete
Now that we have a tag on the device, we can use an extension attribute to check on devices
#!/bin/bash
if [[ -f '/Library/Application Support/JAMF/.onboardingcomplete' ]]; then
onboarding="complete"
else
onboarding=""
fi
echo "<result>$onboarding</result>"
exit 0
