Time to Start Testing Big Sur Beta Against Your MDM Workflows!
By now, you have already heard the news: the annual macOS release is here! The new OS is called Big Sur and is now macOS 11! That’s neat and all, but it’s time to start testing workflows. Time is of the essence; we only have about 10 or so beta releases before Big Sur is production ready.
Every year I put together a “Need to Know” article on all the latest macOS Beta changes. You can check out the post below; I will keep it updated as new information comes out.
mrmacintosh.com/macos-big-sur-11-0-updated-index-of-need-to-know-changes-links/
Jamf Pro & Big Sur
Big Sur enrollment using Jamf Pro is currently broken. If you attempt to take Big Sur Beta 1 through DEP/Automated Enrollment, it will fail. Behind the scenes, the jamf binary is not installing properly. A quick workaround is to build out a 10.15.5 Mac, then enroll it into Jamf Pro. Run the Big Sur upgrade and your Mac will be fully working with Jamf Pro.
@franton gives a great overview of why Jamf Pro is having enrollment issues on Big Sur. jamf.com/jamf-nation/feature-requests/9531/jamf-enrollment-improvement-suggestion
As far as I can tell, the enrollment process is InstallApplication a zero payload pkg which then curls down the jamf binary. The binary is then trying to install the JSS communication certificate via the profiles command and this doesn’t work with Big Sur. The end result is I have a mac with the binary but no way for it to “phone home”.
franton
Fresh Big Sur Install Workaround
You just finished installing Big Sur, and don’t want to waste time erasing the drive + reinstalling the OS two times! There has to be a better way.
The workaround is pretty simple if your Mac serial number is in DEP.
- 1. Build out fresh Big Sur Beta 1 Mac
- 2. You are now at the Setup Assistant
- 3. Do not connect the Mac to WiFi or Ethernet
- 4. Create Local Account
- 5. Connect to network
- 6. Run
sudo profiles renew -type enrollment
- 7. You will see an enrollment notification in the upper right corner.
- 8. The enrollment will fail.
- 9. Use Recon.app to create QuickAdd.pkg, or use the QuickAdd enrollment URL = https://your.jps.com/enroll?type=QuickAdd
- 10. Copy QuickAdd.pkg to the target Mac & install, or run QuickAdd.pkg from Downloads.
That’s it! You are now enrolled into Jamf Pro. Tomorrow I will try with the https://casperserverhere.domain.com:8443/enroll method to see if I can figure out . This would be for any Mac that is not enrolled into DEP.
Hat Tip goes out to MacAdmin @kennyb for testing this method. I was able to verify the method this afternoon.
Jamf fix Coming in the Next Beta Release
Jamf said just today that they found the enrollment issue last week and that a fix is coming in the next beta release!
Non DEP Mac Enrollment
MacAdmin @aaronpolley put together instructions for enrolling a device that is not in DEP. In his example, he is pulling directly from his Jamf Cloud instance and manually creating a Jamf configuration file.
Aaron’s instructions start below.
If anyone is testing macOS 11 Beta and using Jamf Pro as your MDM, the jamf binary fails to install and complete the enrolment (as some mentioned here already). I am putting together some notes to submit in the correct places….. however for the short term here are the steps to get the Binary installed and complete the enrolment (for either DEP or UIE)
sudo -i
mkdir -p /usr/local/bin/
mkdir -p /usr/local/jamf/bin/
cd /usr/local/jamf/bin/
rm -f ./jamf.gz
curl "https://yoururl.jamfcloud.com/bin/level1/jamf.gz" -o ./jamf.gz
rm -f ./jamf
gunzip ./jamf.gz
chmod 755 ./jamf
chown root:wheel ./jamf
./jamf createConf -server https://yoururl.jamfcloud.com
defaults write /Library/Preferences/com.jamfsoftware.jamf.plist jss_url "https://yoururl.jamfcloud.com/"
defaults read /Library/Preferences/com.jamfsoftware.jamf.plist
ln -s /usr/local/jamf/bin/jamf /usr/local/bin/
./jamf enroll -prompt -verbose
You will need to trust the CA cert using your admin password via UI password prompt rather than it passing through via CLI when root as in the past.
Also, as shared previously, this gives some great debugging feedback WHILE the initial MDM enrolment is occurring, so best run whilst doing a DEP Nag enrolment (profiles renew -type enrollment) or via UIE:
log stream --info --debug --predicate 'processImagePath contains "mdmclient" OR processImagePath contains "storedownloadd"'
NOTE: Please keep in mind, the instructions in this article are for testing only and are not for a production Mac
Big Sur Jamf Enrollment
I came across this site, because my Big Sur on a MacMini7,1 can use the Cisco AnyConnect VPN and can connect to the company intranet, but I can’t see any profiles in settings. The machine was set-up under Catalina with JAMF and worked fine and I’ve upgraded via the usual system upgrade path in settings. By chance I found today that I can’t see any of the totally 25 profiles and even the profiles control panel is gone. What’s going on here?
If the Profiles preference pane is missing, your IT admin probably removed MDM from your computer. You should reach out to them.
Thanks Mr. Macintosh & @aaronpolley, I managed to work my way through these terminal commands & successfully enroll my test MacBook running macOS Big Sur V11.0 Beta (20A5343i) into our JAMF UAT environment.
Thanks
Jeff
After Automated Device Enrollment which didn’t complete, you can enroll your device in Big Sur by going to https://your.jps.com/enroll/?type=QuickAdd
Great tip MvdBent! I added it to the article.
You have an extra “/” in that URL. Should be https://your.jps.com/enroll?type=QuickAdd
Fixed, thanks Patrick!
Have you seen this on 10.15.5? I am having the same issue on brand new MBA 13″ running 10.15.5. I have tried recreating PreStage, removing Custom DEP Package from PreStage, and Signing the QuickAdd in User-Initiated Enrollment.
2020-07-01 16:32:42-07 MacBook-Air package_script_service[605]: PackageKit: Executing script “postinstall” in /Library/InstallerSandboxes/.PKInstallSandboxManager/732C6A66-6734-40CE-A158-093BE56B56B6.activeSandbox/Scripts/com.jamfsoftware.osxenrollment.lbhu1L
2020-07-01 16:32:42-07 MacBook-Air package_script_service[605]: Set responsibility to pid: 568, responsible_path: /System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd
2020-07-01 16:32:42-07 MacBook-Air package_script_service[605]: postinstall: This is a lightweight package. Downloading jamf binary from https://deleted.name.org:8443/bin/level1/jamf.gz to /Library/Application Support/JAMF/tmp
2020-07-01 16:32:42-07 MacBook-Air package_script_service[605]: postinstall: Download failed
2020-07-01 16:32:42-07 MacBook-Air package_script_service[605]: Responsibility set back to self.
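The install.log excerpt in the comment above, as an added example that is not part of the original post or its comments: a small triage function that pulls each jamf binary download attempt out of install.log, reports whether a "Download failed" line followed it, and flags a download URL that is not HTTPS or not on the expected Jamf Pro host, since the downloaded binary ends up running as root. The function name, the status labels and the last sample line are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): triage Jamf "lightweight package"
# enrollment attempts recorded in /var/log/install.log.
# Usage: jamf_enroll_triage EXPECTED_JPS_HOST < /var/log/install.log
# Prints one line per download attempt: "<date> <time> <url> <origin> <result>"
jamf_enroll_triage() {
    awk -v want="$1" '
    function emit() {
        if (url != "")
            print ts, url, origin, (failed ? "download-failed" : "no-failure-logged")
        url = ""; failed = 0
    }
    /postinstall: .*Downloading jamf binary from / {
        emit()                          # close out any earlier attempt
        ts = $1 " " $2
        for (i = 1; i < NF; i++)        # the URL is the token after "from"
            if ($i == "from") { url = $(i + 1); break }
        split(url, part, "/")           # part[1]="https:", part[3]="host:port"
        split(part[3], hp, ":")
        if (part[1] != "https:")  origin = "not-https"
        else if (hp[1] != want)   origin = "unexpected-host"
        else                      origin = "origin-ok"
        next
    }
    /postinstall: Download failed/ { if (url != "") failed = 1 }
    END { emit() }
    '
}

# Sample input: the first two lines are quoted from the comment above;
# the third line is constructed for this example.
sample_log() {
    cat <<'EOF'
2020-07-01 16:32:42-07 MacBook-Air package_script_service[605]: postinstall: This is a lightweight package. Downloading jamf binary from https://deleted.name.org:8443/bin/level1/jamf.gz to /Library/Application Support/JAMF/tmp
2020-07-01 16:32:42-07 MacBook-Air package_script_service[605]: postinstall: Download failed
2020-07-02 09:10:11-07 Test-Mac package_script_service[711]: postinstall: This is a lightweight package. Downloading jamf binary from http://jps.example.test:8443/bin/level1/jamf.gz to /Library/Application Support/JAMF/tmp
EOF
}

sample_log | jamf_enroll_triage deleted.name.org
```

The "no-failure-logged" result only means no "Download failed" line followed the attempt; it is not proof that the binary installed.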